Chapter 9
Assessment Techniques for Each Kind of Control
Abstract
The specific security controls are reviewed with testing methods for each of the NIST SP 800-53, revision 4 controls presented as tested through experience of working with the controls and conducting actual reviews. All SP 800-53 controls are documented, along with the ISO 27002 controls and the additional US DHS EBK controls.
Keywords
testing
NIST
assessment
SCA
AC
AU
AT
CA
CP
CM
IA
IR
MA
MP
SA
SC
SI
RA
PS
PE
PL
PM
privacy
Once we determine, which controls are to be assessed and our proposed methods and techniques for evaluation, we begin development of the security assessment plan (SAP) as per SP 800-37, rev. 1 defined requirements. In both SP 800-53A and SP 800-115, there are defined areas for test considerations to be included in various sections of the SAP. The SAP is the current version of what had been previously known as the ST&E plan. The security test and evaluation (ST&E) plan was the primary document that the validator, the assessor, and the certifying agent used to guide the actual performance of the review throughout the course of the activity. The SAP defines methods and procedures for testing, evaluating, and assessing the various security controls in the system. Included in the SAP developmental process is an additional document, the rules of engagement (ROE) document, which is designed for oversight and approval for assessment and internal and external testing, including penetration testing and network scanning.
Security assessment plan developmental process
1. Develop security assessment policy: Organizations should develop an information security assessment policy to provide direction and guidance for their security assessments. This policy should identify security assessment requirements and hold accountable those individuals, who are responsible for ensuring that assessments comply with the requirements. The approved policy should be disseminated to the appropriate staff, as well as third parties, who are to conduct assessments for the organization. The policy should be reviewed at least annually and whenever there are new assessment-related requirements.
2. Prioritize and schedule assessment: Organizations should decide which systems should undergo assessments and how often these assessments should be done. This prioritization is based on system categorization, expected benefits, scheduling requirements, applicable regulations where assessment is a requirement, and resource availability. Technical considerations can also help determine assessment frequency, such as waiting until known weaknesses are corrected or a planned upgrade to the system is performed before conducting testing.
3. Select and customize testing techniques: There are many factors for organizations to consider when determining, which techniques should be used for a particular assessment. Factors include the assessment objectives, the classes of techniques that can obtain information to support those objectives, and the appropriate techniques within each class. Some techniques also require the organization to determine the assessors’ viewpoint (e.g., internal versus external) so that the corresponding techniques can be selected.
4. Determine logistics of assessment: This includes identifying all required resources, including the assessment team; selecting environments and locations from where to perform the assessment; and acquiring and configuring all necessary technical tools.
5. Develop the assessment plan: The assessment plan documents the activities planned for an assessment and other related information. A plan should be developed for every assessment to provide the rules and boundaries to which assessors must adhere. The plan should identify the systems and networks to be assessed, the type and level of testing permitted, logistical details of the assessment, data handling requirements, and guidance for incident handling.
6. Address legal considerations: Organizations should evaluate potential legal concerns before commencing an assessment, particularly, if the assessment involves intrusive tests (e.g., penetration testing) or if the assessment is to be performed by an external entity. Legal departments may review the assessment plan, address privacy concerns, and perform other functions in support of assessment planning.
Security assessment actions
Now that we have defined the plan for the assessment, along with the objectives, testing methods, and expected actions, let us discuss the actual and specific control assessment process and mechanisms. I have retrieved data from the federal standards (FIPS-200) and the testing guide from NIST (SP 800-53A) to compile this list as well as my own experience testing and evaluating controls for each area and family of controls that is referenced as follows:
1. NIST SP 800-53, rev. 4 controls
There are 205 base controls in 18 families. The base XX1-1 control for each family is the policy control used to ensure that there is a core organizational policy for this family of security controls. So, AC-1 is the policy control for access control and IR-1 is the policy control for incident response and so on, through each of the 18 families of controls.
Additionally, most of the rest of the security controls in each family has enhancements of the control designated by the number of the enhancement inside a parenthesis. So AC-2 control has XX enhancements designated as AC-2 (1) (2) and so on. “The security control enhancements section provides statements of security capability to:
(i) Add functionality/specificity to a control; and/or
(ii) Increase the strength of a control. In both cases, control enhancements are used in the information systems and environments of operation, which require greater protection than provided by the base control due to the potential adverse organizational impacts, or when organizations seek additions to the base control functionality/specificity based on organizational assessments of risk.
Security control enhancements are numbered sequentially within each control so that the enhancements can be easily identified, when selected to supplement the base control. Each security control enhancement has a short subtitle to indicate the intended security capability provided by the control enhancement. The numerical designation of a control enhancement is used only to identify the particular enhancement within the control. The designation is not indicative of either the strength of the control enhancement or any hierarchical relationship among the enhancements. Control enhancements are not intended to be selected independently (i.e., if a control enhancement is selected, then the corresponding base security control must also be selected).”2
Controls are defined in many ways throughout the various catalogs of security controls (SP 800-53, ISO 27002, DHS EBK, etc.), but mostly all the security controls are found to be within certain types, based upon their use and make-up. Typically, I find the following definitions for the types of security controls used:
• Preventive: This control set is the primary control set needed for any system. The preventive control is designed to stop some negative event from happening, inhibit attempts to violate security policies, or provide the ability to stop potentially an adverse incident from occurring.
• Detective: This class of controls is designed to indicate that some adverse activity or condition is currently happening. These controls are intended to identify and characterize an incident in progress or an incident that is considered active.
• Corrective: The corrective control set is designed to limit the extent of any adverse event and usually, it is used and deployed in conjunction with detective controls. These controls are intended to limit the extent of any damage caused by an incident.
• Directive: This control set mandates the behavior of an entity by specifying what actions are, or are not, permitted. These controls are primarily security policies and regulatory guidance.
• Deterrent: Deterrent controls are intended to discourage individuals from intentionally violating information security policies or procedures. These controls are placed into effect to “keep the good people good.” These usually take the form of constraints that make it difficult or undesirable to perform unauthorized activities and mention the consequences of these activities in order to influence a potential intruder not to violate the security.
• Supplemental: The special use or specialized focus of various types of security controls as needed or required by some special event, incident, or activity from an internal or external source is the control set known as supplemental controls.
• Recovery: This control set provides the capability to restore lost computing resources or capabilities and help recover monetary losses caused by a security incident. Recovery controls are neither preventive nor detective, but often are included as disaster recovery or contingency plans.
Security controls by family
The breakouts for testing of each individual control follow this area. I have included the NIST SP800-53A, rev. 4 guidance for each control in the testing sections.
A. Access control (AC) family
FIPS-200 provides the following criteria for this family of controls: “Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.”
The primary assessment areas for these controls include:
a. Audit system components that enable the limitation of information system access to authorized users
b. Review security elements in a system so that they limit access to processes acting on behalf of authorized users
c. Assess controls on a system that facilitate the limitation of information system access to the devices (including other information systems)
d. Inspect system controls that govern the types of transactions and functions that authorized users are permitted to exercise
| Control number | Control name | Assessment methods | Notes and guidance | SP 800-53A Guidance |
| AC-1 | Access control policy and procedures | Review the organizational access control policy. Interview about and discuss policy implementation with Security Officer and System Owner. | SP 800-12, SP 800-100 | Examine: Access control policy and procedures; other relevant documents or records. Interview: Organizational personnel with access control responsibilities; organizational personnel with information security responsibilities. |
| AC-2 | Account management | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. | Examine: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; information system monitoring records; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Organizational processes account management on the information system; automated mechanisms for implementing account management. | |
| AC-2(1) | Account management: Automated system account management | Review the organizational access control policy and procedures. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing account management functions. | |
| AC-2(2) | Account management: Removal of temporary/emergency accounts | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of temporary accounts removed and/or disabled; information system-generated list of emergency accounts removed and/or disabled; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing account management functions. | |
| AC-2(3) | Account management: Disable inactive accounts | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of temporary accounts removed and/or disabled; information system-generated list of emergency accounts removed and/or disabled; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing account management functions. | |
| AC-2(4) | Account management: Automated audit actions | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; notifications/alerts of account creation, modification, enabling, disabling, and removal actions; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing account management functions. | |
| AC-2(5) | Account management: Inactivity logout | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; security violation reports; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; users that must comply with inactivity logout policy. | |
| AC-2(6) | Account management: Dynamic privilege management | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of dynamic privilege management capabilities; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Information system implementing dynamic privilege management capabilities. | |
| AC-2(7) | Account management: Role-based schemes | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system-generated list of privileged user accounts and associated role; records of actions taken when privileged role assignments are no longer appropriate; information system audit records; audit tracking and monitoring reports; information system monitoring records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing account management functions; automated mechanisms monitoring privileged role assignments. | |
| AC-2(8) | Account management: Dynamic account creation | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of information system accounts; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing account management functions. | |
| AC-2(9) | Account management: Restrictions on use of shared/group accounts | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of shared/group accounts and associated role; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing management of shared/group accounts. | |
| AC-2(10) | Account management: Shared/group account credential termination | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; account access termination records; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing account management functions. | |
| AC-2(11) | Account management: Usage conditions | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of information system accounts and associated assignments of usage circumstances and/or usage conditions; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing account management functions. | |
| AC-2(12) | Account management: Account monitoring/A typical usage | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system monitoring records; information system audit records; audit tracking and monitoring reports; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing account management functions. | |
| AC-2(13) | Account management: Disable accounts for high-risk individuals | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; system-generated list of disabled accounts; list of user activities posing significant organizational risk; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing account management functions. | |
| AC-3 | Access enforcement | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy. | |
| AC-3(1) | Access enforcement: Restricted access to privileged functions | Withdrawn: Incorporated into AC-6 | ||
| AC-3(2) | Access enforcement: Dual authorization | Review access control documentation to ensure organization implements dual authorization control for specified actions and activities. Test system with scripts or automated mechanisms for dual control requirements. Discuss with System Owner, Operations staff, and Security Officer. | Examine: Access control policy; procedures addressing access enforcement and dual authorization; security plan; information system design documentation; information system configuration settings and associated documentation; list of privileged commands requiring dual authorization; list of actions requiring dual authorization; list of approved authorizations (user privileges); other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Dual authorization mechanisms implementing access control policy. | |
| AC-3(3) | Access enforcement: Mandatory access control | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; mandatory access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing mandatory access control. | |
| AC-3(4) | Access enforcement: Discretionary access control | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; discretionary access control policies; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing discretionary access control policy. | |
| AC-3(5) | Access enforcement: Security-relevant information | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing access enforcement; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms preventing access to security-relevant information within the information system. | |
| AC-3(6) | Access enforcement: Protection of user and system information | Withdrawn: Incorporated into MP-4 and SC-28 | ||
| AC-3(7) | Access enforcement: Role-based access control | If assessing a Microsoft deployment, review active directory roles and groups. Check to ensure that group policy objects (GPOs) are implemented and active. | Examine: Access control policy; role-based access control policies; procedures addressing access enforcement; security plan, information system design documentation; information system configuration settings and associated documentation; list of roles, users, and associated privileges required to control information system access; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing role-based access control policy. | |
| AC-3(8) | Access enforcement: Revocation of access authorizations | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; rules governing revocation of access authorizations, information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access enforcement functions. | |
| AC-3(9) | Access enforcement: Controlled release | Review the organizational access control procedures for external release of information and access. Review account management documents to ensure that appropriate access requirements are documented for any informational release outside system boundaries. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. | Examine: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; list of security safeguards provided by receiving information system or system components; list of security safeguards validating appropriateness of information designated for release; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access enforcement functions. | |
| AC-3(10) | Access enforcement: Audited override of access control mechanisms | Review the organizational access control procedures. Review account management documents and request forms. Interview about and discuss procedural actions and implementation efforts with Security Officer and System Owner. Test the access control system via scanners and compliance checkers. | Examine: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; conditions for employing audited override of automated access control mechanisms; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing access enforcement functions. | |
| AC-4 | Information flow enforcement | Review documentation for system to ensure that information flow control is installed and active. Flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Ensure all automated mechanisms for information flow are active and functioning correctly by testing flow control components with test data and scripts. Discuss with System Owner, Security Officer, and operations staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system baseline configuration; list of information flow authorizations; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(1) | Information flow enforcement: Object security attributes | Review access control documentation to ensure that security-labeling attributes are utilized for proper information flow enforcement. This process compares security attributes associated with information (data content and data structure) and source/destination objects, and respond appropriately (e.g., block, quarantine, alert administrator), when flows are not explicitly allowed by policies. Test with scripted test data to ensure that labeling efforts are applied and functioning correctly. Discuss with Security Officer, System Owner, and security staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security attributes and associated information, source, and destination objects enforcing information flow control policies; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(2) | Information flow enforcement: Processing domains | Review system documentation to ensure processing domains are implemented successfully. The protected processing domains are processing spaces that have controlled interactions with other processing spaces, thus enabling control of information flows between these spaces and to/from data/information objects. Evaluate the implementation of processing domain structures to ensure that full and complete structures are installed correctly. Discuss with security architect, security engineer, Security Officer, System Owner, and development staff | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system security architecture and associated documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(3) | Information flow enforcement: Dynamic information flow control | Review flow control documentation to ensure dynamic conditions and events will trigger changes in the information flow enforcement processes. Test with scripted test data to simulate changing conditions and review results with Security Officer, System Owner, and security staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system security architecture and associated documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(4) | Information flow enforcement: Content check encrypted information | Review flow control documentation to ensure that all encrypted information and traffic is reviewed via decryption or isolated due to inability to decrypt for security purposes. Discuss with System Owner, Security Officer, and security staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(5) | Information flow enforcement: Embedded data types | Review documentation to ensure embedded data types, such as inserting executable files as objects within word processing files, inserting references or descriptive information into a media file, and compressed or archived data types that may include multiple embedded data types are reviewed and limited to organizationally defined levels. Test levels with samples of embedded data types to ensure tools decipher data correctly. Discuss with System Owner, Security Officer, and security staff. | Examine: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of limitations to be enforced on embedding data types within other data types; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(6) | Information flow enforcement: Metadata | Review documentation for metadata, data about the data, attached and associated with the information on the system. Review integrity, accuracy, and binding of metadata to data system components. Review sample metadata components for completeness, accuracy, and trustworthiness of metadata. Discuss with System Owner, data owner(s), Security Officer, and security staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; types of metadata used to enforce information flow control decisions; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(7) | Information flow enforcement: One-way flow mechanisms | Review system documentation for implementation of one-way hardware-based flow control mechanisms. Discuss with Security Officer, System Owner, and security staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system hardware mechanisms and associated configurations; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Hardware mechanisms implementing information flow enforcement policy. | |
| AC-4(8) | Information flow enforcement: Security policy filters | Review system-level documentation to determine the implementation of security policy filters for the flow control of information. Review documentation for filter settings and criteria to ensure assignment and applicability of flow control filtering activities. Discuss with Security Officer, security staff, and operations staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters regulating flow control decisions; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(9) | Information flow enforcement: Human reviews | Review documentation to ensure that the organization employs human filtering processes and procedures, when automated filtering mechanisms cannot be fully accomplished. Discuss methods and procedures with System Owner, Security Officer, and security staff. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; records of human reviews regarding information flows; list of conditions requiring human reviews for information flows; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with information flow enforcement responsibilities; system developers. Test: Automated mechanisms enforcing the use of human reviews. | |
| AC-4(10) | Information flow enforcement: Enable/disable security policy filters | Review access control documentation to determine organizational criteria for enabling or disabling of security policy filters. Ensure only authorized administrators can enable security policy filters to accommodate approved data types. Discuss with System Owner, Information Owner(s), security staff, and Security Officer. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters enabled/disabled by privileged administrators; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for enabling/disabling security policy filters; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(11) | Information flow enforcement: Configuration of security policy filters | Review access control documentation to determine the level of control allowed system administrators to configure security policy filters. Ensure the processes for configuration, such as administrators changing the list of “dirty words” that security policy mechanisms check in accordance with the definitions provided by organization is monitored and controlled. Discuss with operations staff, System Owner, Information Owner(s), security staff, and Security Officer. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for configuring security policy filters; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(12) | Information flow enforcement: Data type identifiers | Review access control documentation to determine, if organization has defined the various allowed data type identifiers for filtering, such as filenames, file types, file signatures/tokens, and multiple internal file signatures/tokens. Ensure enforcement mechanisms are active and functional through testing of data types. Discuss with System Owner, security staff, operations staff, Information Owner(s) and Security Officer. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of data type identifiers; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(13) | Information flow enforcement: Decomposition into policy-relevant subcomponents | Review access control documentation to determine the level of decomposition and filtering employed by system by filtering, inspection, and/or sanitization rules being enforced. Discuss with security staff, operations staff, information owner(s), System Owner and Security Officer. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(14) | Information flow enforcement: Security policy filter constraints | Review access control documentation to determine the level of filter constraints utilized, such as data structure and content restrictions, which reduce the range of potential malicious and/or unsanctioned content in cross-domain transactions. Test with scripts and sample data inputs to verify that filtering is active and functioning correctly. Discuss with System Owner, information(s), operations staff, security staff, and Security Officer. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filters; list of data content policy filters; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(15) | Information flow enforcement: Detection of unsanctioned information | Review access control documentation to ensure that the detection of unacceptable information is not allowed within system. Detection of unsanctioned information includes, for example, checking all information to be transferred for malicious code and dirty words. Verify these detection actions with sample input of test data. Discuss with Information Owner(s), System Owner, operations staff, security staff, and Security Officer. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of unsanctioned information types and associated information; information system audit records; other relevant documents or records. Interview: Organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(16) | Information flow enforcement: Information transfers on interconnected systems | Withdrawn: Incorporated into AC-4 | ||
| AC-4(17) | Information flow enforcement: Domain authentication | Review documentation for system to ensure that domain authentication is performed for all transactions on the system. This authentication requires information system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information to provide proper security levels by maintaining the confidentiality and integrity of the information. Test via sample inputs of false data and verification of system responses. Discuss with System Owner, operations staff, security staff, Information Owner(s) and Security Officer. | Examine: Access control policy; information flow control policies; procedures addressing information flow enforcement; procedures addressing source and destination domain identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement policy. | |
| AC-4(18) | Information flow enforcement: Security attribute binding | Review access control documentation to determine the level of security label binding to all information flowing within system. Discuss with System Owner, Information Owner(s), security staff, and Security Officer. | Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of binding techniques to bind security attributes to information; information system audit records; other relevant documents or records. Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement functions. | |
| AC-4(19) | Information flow enforcement: Validation of metadata | Review access control documentation to ensure that the system validates metadata along with the actual data, when enforcing all security filtering and flow controls. Discuss with System Owner, Information Owner(s), security staff, and Security Officer. | Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of security policy filtering criteria applied to metadata and data payloads; information system audit records; other relevant documents or records. Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement functions. | |
| AC-4(20) | Information flow enforcement: Approved solutions | Review documentation to ensure that organization provides approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries for system when required. Review CDS documentation to ensure that overlay for CDS is applied appropriately. Discuss with FSO, security staff, System Owner, Information Owner(s) and Security Officer. | Unified cross domain management office (UCDMO) documentation, CNSSI 1253, Appendix F for CDS systems | Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of solutions in approved configurations; approved configuration baselines; information system audit records; other relevant documents or records. Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing information flow enforcement functions. |
| AC-4(21) | Information flow enforcement: Physical/logical separation of information flows | Review documentation to determine the separation for information flows within system meet data classification requirements, such as inbound and outbound communications traffic, service requests and responses, and information of differing security categories. Test separation with test data inputs and resultant reporting outputs showing maintenance of separation. Discuss with security staff, Information Owner(s), System Owner, operations staff, and Security Officer. | Examine: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; list of required separation of information flows by information types; list of mechanisms and/or techniques used to logically or physically separate information flows; information system audit records; other relevant documents or records. Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing information flow enforcement functions. | |
| AC-4(22) | Information flow enforcement: Access only | Review documentation for use and employment of access only devices, such as KVM switches, to maintain separation between different information types. Such devices provide a desktop for users to access each connected security domain without providing any mechanisms to allow transfer of information between the different security domains. Observe use and operation of these devices to maintain separation. Discuss with System Owner, operations staff, security staff, Information Owner(s), FSO, and Security Officer. | Examine: information flow enforcement policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing information flow enforcement functions. | |
| AC-5 | Separation of duties | Review documentation of separation of duties within system to provide fraud and collusion protection. Test roles and responsibilities implementation of access control system to evaluate separation criteria and privilege use for administrative tasks and events. Discuss with Security Officer, security staff, FSO, System Owner, operations staff, and Information Owner(s). | Examine: Access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; information system access authorizations; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties; organizational personnel with information security responsibilities; system/network administrators. Test: Automated mechanisms implementing separation of duties policy. | |
| AC-6 | Least privilege | Review documentation for system to determine the implementation of the principle of least privilege is employed, where only authorized accesses for users (or processes acting on behalf of users), which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. Review all roles and responsibilities for users to ensure least privilege is applied. Discuss with System Owner, Information Owner(s), security staff, operations staff, and Security Officer | Examine: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators. Test: Automated mechanisms implementing least privilege functions. | |
| AC-6(1) | Least privilege: Authorize access to security functions | Review documentation to determine the least privilege requirements apply to establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, during normal system functioning and operations. Evaluate application to obtain proof of least privilege is applied and active. Discuss with security staff, operations staff, System Owner, Information Owner(s), and Security Officer. | Examine: Access control policy; procedures addressing least privilege; list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators. Test: Automated mechanisms implementing least privilege functions. | |
| AC-6(2) | Least privilege: Nonprivileged access for nonsecurity functions | Review documentation to ensure that organization employs nonprivileged access controls when performing nonadministrative functions and activities, such as normal email actions and simple user activities. Discuss with System Owner, operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; list of system- generated security functions or security-relevant information assigned to information system accounts or roles; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators. Test: Automated mechanisms implementing least privilege functions. | |
| AC-6(3) | Least privilege: Network access to privileged commands | Review documentation to ensure domain access privileges and network privilege access events are monitored and controlled at same level as local administrative access privileges. Review roles and responsibilities within system to ensure compliance. Discuss with System Owner, security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; security plan; information system configuration settings and associated documentation; information system audit records; list of operational needs for authorizing network access to privileged commands; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing least privilege functions. | |
| AC-6(4) | Least privilege: Separate processing domains | Review documentation for system to ensure finer-grained allocation of user privileges is provided, when processing privileged-based actions in multiple domain environments, such as in virtualization computing and cross-domain system. Discuss with System Owner, Information Owner(s), security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing least privilege functions. | |
| AC-6(5) | Least privilege: Privileged accounts | Review documentation for system to ensure that privilege account status is explicitly assigned and actions are tracked and logged for all administrative actions. Review logs to ensure actions are logged and evaluated by management. Discuss with System Owner, Information Owner(s), security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; list of system- generated privileged accounts; list of system administration personnel; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators. Test: Automated mechanisms implementing least privilege functions. | |
| AC-6(6) | Least privilege: Privileged access by nonorganizational users | Review documentation to ensure that the organization prohibits privileged access to the system by nonorganizational users. Review logs to ensure compliance. Discuss with Information Owner(s), System Owner, security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; list of system-generated privileged accounts; list of nonorganizational users; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators. Test: Automated mechanisms prohibiting privileged access to the information system. | |
| AC-6(7) | Least privilege: Review of user privileges | Review access control documentation to ensure that organization conducts periodic review of assigned user privileges to determine if the rationale for assigning such privileges remains valid for mission/business functions. Review logs to ensure compliance and reviews are conducted and approved. Discuss with System Owner, Information Owner(s), security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; list of system-generated roles or classes of users and assigned privileges; information system design documentation; information system configuration settings and associated documentation; validation reviews of privileges assigned to roles or classes or users; records of privilege removals or reassignments for roles or classes of users; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators. Test: Automated mechanisms implementing review of user privileges. | |
| AC-6(8) | Least privilege: Privilege levels for code execution | Review access control documentation for system to ensure that software applications/programs need to execute with elevated privileges to perform required functions is only implemented for elevated privilege account holders and administrators. Review logs to ensure actions are maintained and operated correctly. Discuss with operations staff, Information Owner(s), System Owner, security staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; list of software that should not execute at higher privilege levels than users executing software; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators; system developers. Test: Automated mechanisms implementing least privilege functions for software execution. | |
| AC-6(9) | Least privilege: Auditing use of privileged functions | Review documentation of system to ensure that only privilege account holders have proper permissions to perform elevated privilege actions. Review logs and audit reports to ensure organization monitors and tracks all elevated privilege account usage. Discuss with audit staff, operations staff, Information Owner(s), System, Owner, security staff, and Security Officer. | Examine: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; list of privileged functions to be audited; list of audited events; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators; system developers. Test: Automated mechanisms auditing the execution of least privilege functions. | |
| AC-6(10) | Least privilege: Prohibit nonprivileged users from executing privileged functions | Review access control documentation to ensure that system only implements elevated privilege actions to be performed only by approved account holders and restricts nonprivilege users from performing privilege actions. Review logs and access control methodologies to ensure restricts are consistent and fully functional. Discuss with operations staff, security staff, Security Officer and System Owner. | Examine: Access control policy; procedures addressing least privilege; information system design documentation; information system configuration settings and associated documentation; list of privileged functions and associated user account assignments; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing least privilege functions for nonprivileged users. | |
| AC-7 | Unsuccessful login attempts | Review documentation to determine the organizational criteria for unsuccessful login attempts and actions to be taken when threshold is reached. The organizational criteria are selectable based on security requirements for system. Test using both unsuccessful login actions and observe the results and successful login attempts and results. Discuss with System Owner, security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing unsuccessful logon attempts; security plan; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with information security responsibilities; system developers; system/network administrators. Test: Automated mechanisms implementing access control policy for unsuccessful logon attempts. | |
| AC-7(1) | Unsuccessful logon attempts: Automatic account lock | Withdrawn: Incorporated into AC-7 | ||
| AC-7(2) | Unsuccessful logon attempts: Purge/wipe mobile device | Review documentation to determine organizational implementation for unsuccessful login attempts on mobile devices and resultant actions. Organizations define information to be purged/wiped carefully in order to avoid over purging/wiping, which may result in devices becoming unusable in accordance to organizational and agency requirements. Discuss with System Owner, security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing unsuccessful login attempts on mobile devices; information system design documentation; information system configuration settings and associated documentation; list of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts; list of purging/wiping requirements or techniques for mobile devices; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing access control policy for unsuccessful device logon attempts. | |
| AC-8 | System use notification | Review documentation to ensure that system implements login banners and displays as necessary for human-based logins onto system. System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems are to be reviewed and evaluated for compliance to legal and operational requirements. Discuss with System Owner, legal staff, operations staff, and Security Officer. | Examine: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system audit records; user acknowledgements of notification message or banner; information system design documentation; information system configuration settings and associated documentation; information system use notification messages; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibility for providing legal advice; system developers. Test: Automated mechanisms implementing system use notification. | |
| AC-9 | Previous logon (access) notification | Review documentation for system to determine the implementation of the notification of the user, upon successful logon (access) to the system, of the date, and time of the last logon (access) onto system. Review output for access to confirm implementation utilizing test login actions. Discuss with System Owner, security staff, operations staff and Security Officer. | Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system notification messages; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy for previous logon notification. | |
| AC-9(1) | Previous logon notification: Unsuccessful logons | Review documentation for system to ensure that it notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts, since the last successful logon/access. Review logs to ensure compliance for notifications. Discuss with System Owner, operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy for previous logon notification. | |
| AC-9(2) | Previous logon notification: Successful/unsuccessful logons | Review documentation for system to ensure that it notifies the user of the number of successful and unsuccessful login attempts during the organizational defined time period. Review logs to ensure compliance for notifications. Discuss with System Owner, operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy for previous logon notification. | |
| AC-9(3) | Previous logon notification: Notification of account changes | Review documentation for system to ensure that it notifies the user of account changes during the organizational defined time period. Review logs to ensure compliance for notifications. Discuss with System Owner, operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy for previous logon notification. | |
| AC-9(4) | Previous logon notification: Additional logon information | Review documentation for system to determine what additional information and notification criteria are displayed, when users log into system. This is used to track locations for previous logins and potential areas of concern. Review notification outputs to verify outputs. Discuss with security staff, Security Officer, and System Owner. | Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy for previous logon notification. | |
| AC-10 | Concurrent session control | Review documentation for system to determine implementation of concurrent session allowances by user type. Review output logs to ensure maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, nonprivileged user, domain, specific application), by account, or a combination is defined and implemented. Discuss with operations staff, security staff, System Owner, and Security Officer. | Examine: Access control policy; procedures addressing concurrent session control; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy for concurrent session control. | |
| AC-11 | Session lock | Review documentation for system to determine implementation of session lock on system. Review implementation documents to verify session lock efforts, which are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences; usually implemented with time criteria defined by the organization. Discuss with System Owner, security staff, operations staff, and Security Officer. | OMB M06-16 | Examine: Access control policy; procedures addressing session lock; procedures addressing identification and authentication; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access control policy for session lock. |
| AC-11(1) | Session lock: Pattern-hiding displays | Review documentation for system to determine what type of publically viewable images, such as static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information, are implemented when session lock is invoked on system. Verify by observing displays of images when session lock is triggered. Discuss with System Owner, operations staff, security staff, and Security Officer. | OMB M06-16 | Examine: Access control policy; procedures addressing session lock; display screen with session lock activated; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Information system session lock mechanisms. |
| AC-12 | Session termination | Review documentation to ensure that system performs termination of user-initiated logical sessions within organizational defined criteria, such as organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. Verify termination events through testing of input criteria defined by organization and resultant system actions. Discuss with operations staff, security staff, System Owner, and Security Officer. | SC-10 | Examine: Access control policy; procedures addressing session termination; information system design documentation; information system configuration settings and associated documentation; list of conditions or trigger events requiring session disconnect; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing user session termination. |
| AC-12(1) | Session termination: User-initiated logouts/message displays | Review documentation for system to determine the methods and criteria for display messages when logout events occur on the system, such as sending logout messages as final messages prior to terminating sessions. Verify output when invoked via logout of user sessions. Discuss with System Owner, operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing session termination; user logout messages; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Information system session lock mechanisms. | |
| AC-13 | Supervision and review – access control | Withdrawn: Incorporated into AC-2 and AU-6 | ||
| AC-14 | Permitted actions without identification or authentication | Review documentation for organization to determine techniques and criteria for when users are permitted onto system without identification or authentication. Review criteria to ensure that proper restrictions are in place and active on these types of logins and access. Discuss with System Owner, security staff, operations staff, and Security Owner. | Examine: Access control policy; procedures addressing permitted actions without identification or authentication; information system configuration settings and associated documentation; security plan; list of user actions that can be performed without identification or authentication; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. | |
| AC-14(1) | Permitted actions without identification or authentication: Necessary uses | Withdrawn: Incorporated into AC-14 | ||
| AC-15 | Automated marking | Withdrawn: Incorporated into MP-3 | ||
| AC-16 | Security attributes | Review documentation for system and organization to ensure implementation of security labeling of information and its components to institute mandatory access controls (MAC) on system. Verify implementation through review of all labeling efforts and outputs for each type of user on system. Discuss with Information Owner(s), System Owner, security staff, FSO, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing the association of security attributes to information in storage, in process, and in transmission; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Organizational capability supporting and maintaining the association of security attributes to information in storage, in process, and in transmission. | |
| AC-16(1) | Security attributes: Dynamic attribute association | Review documentation for system to determine the extent to which system allows dynamic attribute variables into system due to information aggregation issues (i.e., the security characteristics of individual information elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), and changes in the security category of information. Perform detailed testing of variables of changing MAC levels to ensure full security is maintained. Discuss with Information Owner(s), System Owner, security staff, operations staff, FSO, and Security Officer. | Examine: Access control policy; procedures addressing dynamic association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing dynamic association of security attributes to information. | |
| AC-16(2) | Security attributes: Attribute value changes by authorized individuals | Review Access Control documentation to ensure that only authorized privilege account holders can change any security attributes. Review change control documentation to ensure criteria is met. Discuss with System Owner, Information Owner(s), security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing the change of security attribute values; information system design documentation; information system configuration settings and associated documentation; list of individuals authorized to change security attributes; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for changing values of security attributes; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms permitting changes to values of security attributes. | |
| AC-16(3) | Security attributes: Maintenance of attribute associations by information system | Review documentation for system to ensure that system automated policy processes are maintained to enforce security attributes. Discuss with System Owner, operations staff, security staff, Information Owner(s), and Security Officer. | Examine: Access control policy; procedures addressing the association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records. Interview: Organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms maintaining association and integrity of security attributes to information. | |
| AC-16(4) | Security attributes: Association of attributes by authorized individuals | Review documentation to ensure that individual privilege account holders are required to maintain associations of security attributes with subjects and objects. Discuss with System Owner, Information Owner(s), operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing the association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; list of users authorized to associate security attributes to information; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for associating security attributes to information; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms supporting user associations of security attributes to information. | |
| AC-16(5) | Security attributes: Attribute displays for output devices | Review documentation to ensure that system provides outputs with security attributes displayed appropriately for information being displayed, printed, and labeled. Discuss with System Owner, security staff, information(s), operations staff and Security Officer. | Examine: Access control policy; procedures addressing display of security attributes in human-readable form; special dissemination, handling, or distribution instructions; types of human-readable, standard naming conventions; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with information security responsibilities; system developers. Test: System output devices displaying security attributes in human-readable form on each object. | |
| AC-16(6) | Security attributes: Maintenance of attribute association by organization | Review documentation to ensure that the system is required to maintain associations of security attributes with subjects and objects. Discuss with System Owner, Information Owner(s), operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing association of security attributes with subjects and objects; other relevant documents or records. Interview: Organizational personnel with responsibilities for associating and maintaining association of security attributes with subjects and objects; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms supporting associations of security attributes to subjects and objects. | |
| AC-16(7) | Security attributes: Consistent attribute interpretation | Review documentation to determine when system is in distributed environment, the consistent interpretation of security attributes that are used in access enforcement and flow enforcement decisions are being successfully made and applied. Review log reports and active labeling to ensure attributes are correctly applied. Discuss with operations staff, security staff, System Owner, Information Owner(s), and Security Officer. | Examine: Access control policy; procedures addressing consistent interpretation of security attributes transmitted between distributed information system components; procedures addressing access enforcement; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for providing consistent interpretation of security attributes used in access enforcement and information flow enforcement actions; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access enforcement and information flow enforcement functions. | |
| AC-16(8) | Security attributes: Association techniques/technologies | Review documentation to determine the employed technologies for binding of security attributes to the information, such as cryptographically bind security attributes to information using digital signatures with the supporting cryptographic keys protected by hardware devices. Test automated binding with test data inputs and review of resultant outputs. Discuss with Information Owner(s), System Owner, operations staff, security staff, and Security Officer. | Examine: Access control policy; procedures addressing association of security attributes to information; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for associating security attributes to information; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing techniques or technologies associating security attributes to information. | |
| AC-16(9) | Security attributes: Attribute reassignment | Review documentation to determine level and actions implemented for the reassignment of security attributes for information. This is required to give validated re-grading mechanisms to achieve the requisite levels of assurance for security attribute reassignment activities, which is verified by testing reassignment functions with test data and review of resultant outputs. Discuss with System Owner, Information Owner(s), security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing reassignment of security attributes to information; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for reassigning association of security attributes to information; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing techniques or procedures for reassigning association of security attributes to information. | |
| AC-16(10) | Security attributes: Attribute configuration by authorized individuals | Review documentation to determine the limited field of authorized personnel who can assign and configure the security attribute mechanisms in system. Review list with System Owner, Information Owner(s), security staff, and Security Officer. | Examine: Access control policy; procedures addressing configuration of security attributes by authorized individuals; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining or changing security attributes associated with information; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing capability for defining or changing security attributes. | |
| AC-17 | Remote access | Review documentation to determine remote access criteria for system and authorization prior to allowing remote access without specifying the formats for such authorization necessary for remote access. Test remote access methods through test access events of various types, based upon differing methods allowed in system. Discuss with System Owner, security staff, operations staff, and Security Officer. | SP 800-46, SP 800-77, SP 800-113, SP 800-114, SP 800-121 | Examine: Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; security plan; information system configuration settings and associated documentation; remote access authorizations; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for managing remote access connections; system/network administrators; organizational personnel with information security responsibilities. Test: Remote access management capability for the information system. |
| AC-17(1) | Remote access: Automated monitoring/control | Review documentation to ensure automated methods for monitoring remote access are employed within system. Automated monitoring and control of remote access sessions allows organizations to detect cyber-attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components, therefore testing of each method used is employed and validated. Discuss with System Owner, security staff, operations staff, and Security Officer. | SP 800-46, SP 800-77, SP 800-113, SP 800-114, SP 800-121 | Examine: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; information system audit records; information system monitoring records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms monitoring and controlling remote access methods. |
| AC-17(2) | Remote access: Protection of confidentiality/integrity using encryption | Review documentation to ensure that encryption strength of remote access mechanism is employed based on the security categorization of the information on the system being accessed. Test to ensure encryption is active and functioning correctly. Discuss with System Owner, security staff, operations staff, and Security Officer. | SP 800-46, SP 800-77, SP 800-113, SP 800-114, SP 800-121 | Examine: Access control policy; procedures addressing remote access to the information system; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions. |
| AC-17(3) | Remote access: Managed access control points | Review documentation to determine the limitation of the number of access control points allowed for remote access since this reduces the attack surface for organizations and systems. Discuss with System Owner, operations staff, security staff, and Security Officer. | SP 800-46, SP 800-77, SP 800-113, SP 800-114, SP 800-121, TIC (Trusted Internet Connections) Initiative | Examine: Access control policy; procedures addressing remote access to the information system; information system design documentation; list of all managed network access control points; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms routing all remote accesses through managed network access control points. |
| AC-17(4) | Remote access: Privileged commands/access | Review documentation to ensure that the organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for specified pre-defined functions and events on the system. Review logs to determine compliance and validate processes. Discuss with operations staff, security staff, System Owner, and Security Officer. | SP 800-46, SP 800-77, SP 800-113, SP 800-114, SP 800-121 | Examine: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; security plan; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing remote access management. |
| AC-17(5) | Remote access: Monitoring for unauthorized connections | Withdrawn: Incorporated into SI-4 | ||
| AC-17(6) | Remote access: Protection of information | Review documentation to ensure that users are advised to protect information about remote access mechanisms from unauthorized use and disclosure. Review documentation signed by users with remote access to determine compliance and use. Discuss with System Owner, security staff, operations staff, and Security Officer. | SP 800-46, SP 800-77, SP 800-113, SP 800-114, SP 800-121 | Examine: Access control policy; procedures addressing remote access to the information system; other relevant documents or records. Interview: Organizational personnel with responsibilities for implementing or monitoring remote access to the information system; information system users with knowledge of information about remote access mechanisms; organizational personnel with information security responsibilities. |
| AC-17(7) | Remote access: Additional protection for security function access | Withdrawn: Incorporated into AC-3 (10) | ||
| AC-17(8) | Remote access: Disable nonsecure network protocols | Withdrawn: Incorporated into CM-7 | ||
| AC-17(9) | Remote access: Disconnect/disable access | Review documentation to ensure that organization has provided for rapid disconnection of remote access and remote sessions on system. Test remote access rapid disconnect process with test session and review results with System Owner, operations staff, security staff, and Security Officer. | SP 800-46, SP 800-77, SP 800-113, SP 800-114, SP 800-121 | Examine: Access control policy; procedures addressing disconnecting or disabling remote access to the information system; information system design documentation; information system configuration settings and associated documentation; security plan, information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing capability to disconnect or disable remote access to information system. |
| AC-18 | Wireless access | Review documentation to ensure that organization provides for establishment of wireless usage restrictions, configuration/connection requirements, and implementation guidance for wireless access including authorization of wireless access prior to allowing such access. Discuss with System Owner, operations staff, security staff, and Security Officer. | SP 800-48, SP 800-94, SP 800-97, SP 800-120, SP 800-153 | Examine: Access control policy; procedures addressing wireless access implementation and usage (including restrictions); configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; wireless access authorizations; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for managing wireless access connections; organizational personnel with information security responsibilities. Test: Wireless access management capability for the information system. |
| AC-18(1) | Wireless access: Authentication and encryption | Review documentation to ensure that organization requires encryption and authentication for wireless access of devices and by users. Test using wireless device to ensure actual process is functional and correctly operating. Discuss with System Owner, security staff, operations staff, and Security Officer. | SP 800-48, SP 800-94, SP 800-97, SP 800-120, SP 800-153 | Examine: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing wireless access protections to the information system. |
| AC-18(2) | Wireless access: Monitoring unauthorized connections | Withdrawn: Incorporated into SI-4 | ||
| AC-18(3) | Wireless access: Disable wireless networking | Review documentation for the organization to ensure that the system disables, when not intended for use, wireless-networking capabilities internally embedded within the system components prior to issuance and deployment of wireless components of system. Test disablement with wireless device onto a disabled component and discuss results with System Owner, operations staff, security staff, and Security Officer. | SP 800-48, SP 800-94, SP 800-97, SP 800-120, SP 800-153 | Examine: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms managing the disabling of wireless networking capabilities internally embedded within information system components. |
| AC-18(4) | Wireless access: Restrict configurations by users | Review documentation to determine, which users are allowed to configure wireless components of system and change wireless configurations of system. Discuss with System Owner, security staff, operations staff, and Security Officer. | SP 800-48, SP 800-94, SP 800-97, SP 800-120, SP 800-153 | Examine: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms authorizing independent user configuration of wireless networking capabilities. |
| AC-18(5) | Wireless access: Antennas/transmission power levels | Review documentation to ensure the organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries in support of emanation security. Test emanations with wireless test equipment to ensure compliance to pre-determined power levels. Discuss with System Owner, operations staff, security staff, and Security Officer. | SP 800-48, SP 800-94, SP 800-97, SP 800-120, SP 800-153, PE-19 | Examine: Access control policy; procedures addressing wireless implementation and usage (including restrictions); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Wireless access capability protecting usable signals from unauthorized access outside organization-controlled boundaries. |
| AC-19 | Access control for mobile devices | Review documentation for organization to determine the requirements to establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices that are authorized to access the system under review. Ensure organization defines all mobile access and authentication requirements for mobile usage for system. Discuss with System Owner, security staff, operations staff, and Security Officer. | OMB M06-16, SP 800-114, SP 800-124, SP 800-164 | Examine: Access control policy; procedures addressing access control for mobile device usage (including restrictions); configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; authorizations for mobile device connections to organizational information systems; information system audit records; other relevant documents or records. Interview: Organizational personnel using mobile devices to access organizational information systems; system/network administrators; organizational personnel with information security responsibilities. Test: Access control capability authorizing mobile device connections to organizational information systems. |
| AC-19(1) | Access control for mobile devices: Use of writable/portable storage devices | Withdrawn: Incorporated into MP-7 | ||
| AC-19(2) | Access control for mobile devices: Use of personally owned portable storage devices | Withdrawn: Incorporated into MP-7 | ||
| AC-19(3) | Access control for mobile devices: Use of portable storage devices with no identifiable owner | Withdrawn: Incorporated into MP-7 | ||
| AC-19(4) | Access control for mobile devices: Restrictions for classified information | Review documentation to ensure that unclassified mobile devices are not allowed access to classified system and reverse (classified devices on unclassified system). All appropriate classified data handled is performed in accordance with FSO and organizational requirements. Discuss with FSO, System Owner, Information Owner(s), security staff, operations staff, and Security Officer. | OMB M06-16, SP 800-114, SP 800-124, SP 800-164 | Examine: Access control policy; incident handling policy; procedures addressing access control for mobile devices; information system design documentation; information system configuration settings and associated documentation; evidentiary documentation for random inspections and reviews of mobile devices; information system audit records; other relevant documents or records. Interview: Organizational personnel responsible for random reviews/inspections of mobile devices; organizational personnel using mobile devices in facilities containing information systems processing, storing, or transmitting classified information; organizational personnel with incident response responsibilities; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices. |
| AC-19(5) | Access control for mobile devices: Full device/container-based encryption | Review documentation to determine the level of mobile device container-based encryption, such as encrypting selected data structures such as files, records, or fields is employed on system. Evaluate mobile device by testing container controls on device and discuss results with System Owner, FSO, security staff, operations staff, Information Owner(s), and Security Officer. | OMB M06-16, SP 800-114, SP 800-124, SP 800-164 | Examine: Access control policy; procedures addressing access control for mobile devices; information system design documentation; information system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with access control responsibilities for mobile devices; system/network administrators; organizational personnel with information security responsibilities. Test: Encryption mechanisms protecting confidentiality and integrity of information on mobile devices. |
| AC-20 | Use of external information systems | Review documentation to determine the organizational criteria for access to, process, store, or transmit organization-controlled information using external information systems. Ensure all interconnection documentation is developed and approved for interfaces and interconnects to/from system. Discuss with FSO, System Owner, security staff, operations staff, risk management staff, and Security Officer. | FIPS-199, SP 800-47 | Examine: Access control policy; procedures addressing the use of external information systems; external information systems terms and conditions; list of types of applications accessible from external information systems; maximum security categorization for information processed, stored, or transmitted on external information systems; information system configuration settings and associated documentation; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing terms and conditions on use of external information systems. |
| AC-20(1) | Use of external information systems: Limits on authorized use | Review documentation for temporary access to system by individuals using external information systems (e.g., contractors, coalition partners) needing to access system under review. Ensure external system meets security requirements through various methods, such as third-party reviews, attestations, and independent reviews. Discuss results with System Owner, security staff, operations staff, and Security Officer. | FIPS-199, SP 800-47 | Examine: Access control policy; procedures addressing the use of external information systems; security plan; information system connection or processing agreements; account management documents; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing limits on use of external information systems. |
| AC-20(2) | Use of external information systems: Portable storage devices | Review documentation to determine the organizational restrictions on use of organization-controlled portable storage devices in external information systems. Discuss with System Owner, security staff, operations staff, and Security Officer. | FIPS-199, SP 800-47 | Examine: Access control policy; procedures addressing the use of external information systems; security plan; information system configuration settings and associated documentation; information system connection or processing agreements; account management documents; other relevant documents or records. Interview: Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing restrictions on use of portable storage devices. |
| AC-20(3) | Use of external information systems: Nonorganizationally owned systems/components/devices | Review documentation on organizational use of nonowned devices and components connected to system, such as other organizational equipment of personally owned devices (BYOD) or components. Discuss with System Owner, operations staff, security staff, legal staff, and Security Officer. | FIPS-199, SP 800-47 | Examine: Access control policy; procedures addressing the use of external information systems; security plan; information system design documentation; information system configuration settings and associated documentation; information system connection or processing agreements; account management documents; information system audit records, other relevant documents or records. Interview: Organizational personnel with responsibilities for restricting or prohibiting use of nonorganizationally owned information systems, system components, or devices; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing restrictions on the use of nonorganizationally owned systems/components/devices. |
| AC-20(4) | Use of external information systems: Network accessible storage devices | Review documentation for organization to determine use of external network storage mechanisms, such as online storage devices in public, hybrid, or community cloud-based systems. Review controls and legal requirements with legal staff, operations staff, security staff, System Owner, and Security Officer. | FIPS-199, SP 800-47 | Examine: Access control policy; procedures addressing use of network accessible storage devices in external information systems; security plan, information system design documentation; information system configuration settings and associated documentation; information system connection or processing agreements; list of network accessible storage devices prohibited from use in external information systems; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for prohibiting use of network accessible storage devices in external information systems; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms prohibiting the use of network accessible storage devices in external information systems. |
| AC-21 | Information sharing | Review documentation for information sharing requirements and restrictions, such as content, type, security category, or special access program/compartmentation on information retained within system. Review standards and organizational guidelines with legal staff, FSO, operations staff, security staff, System Owner, Information Owner(s), and Security Officer. | Examine: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); information system design documentation; information system configuration settings and associated documentation; list of users authorized to make information sharing/collaboration decisions; list of information sharing circumstances requiring user discretion; other relevant documents or records. Interview: Organizational personnel responsible for making information sharing/collaboration decisions; system/network administrators; organizational personnel with information security responsibilities. Test: Automated mechanisms or manual process implementing access authorizations supporting information sharing/user collaboration decisions. | |
| AC-21(1) | Information sharing: Automated decision support | Review documentation to ensure that organization enforces information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on the information to be shared. Discuss criteria with legal staff, FSO, operations staff, security staff, System Owner, Information Owner(s), and Security Officer | Examine: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); information system design documentation; information system configuration settings and associated documentation; system-generated list of users authorized to make information sharing/collaboration decisions; system-generated list of sharing partners and access authorizations; system-generated list of access restrictions regarding information to be shared; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access authorizations supporting information sharing/user collaboration decisions. | |
| AC-21(2) | Information sharing: Information search and retrieval | Review documentation to ensure the system implements information search and retrieval services that enforce organizational access and sharing standards. Discuss criteria with legal staff, FSO, operations staff, security staff, System Owner, Information Owner(s), and Security Officer. | Examine: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); information system design documentation; information system configuration settings and associated documentation; system-generated list of access restrictions regarding information to be shared; information search and retrieval records; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities for information system search and retrieval services; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Information system search and retrieval services enforcing information sharing restrictions. | |
| AC-22 | Publicly accessible content | Review documentation to determine, if system under review is considered a publicly accessible system, therefore has limited or no identification or authentication requirements. Review results of analysis with System Owner, operations staff, security staff, legal staff, and Security Officer. | Examine: Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational information systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs; security awareness training records; other relevant documents or records. Interview: Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing management of publicly accessible content. | |
| AC-23 | Data mining protection | Review documentation to determine level of protection the system implements to protect organizational information from data mining, while such information resides in organizational data stores. Test protection methods with test queries and selection code. Review results with System Owner, security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing data mining techniques; procedures addressing protection of data storage objects against data mining; information system design documentation; information system configuration settings and associated documentation; information system audit logs; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for implementing data mining detection and prevention techniques for data storage objects; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing data mining prevention and detection. | |
| AC-24 | Access control decisions | Review documentation to ensure organization defined and enforces access control decisions (also known as authorization decisions), which occur when authorization information is applied to specific accesses, rather than enforcement. Discuss with System Owner, security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing access control decisions; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for establishing procedures regarding access control decisions to the information system; organizational personnel with information security responsibilities. Test: Automated mechanisms applying established access control decisions and procedures. | |
| AC-24(1) | Access control decisions: Transmit access authorization information | Review documentation to ensure that systems in distributed environments transmit access authorization information correctly and completely to other systems and components. Review logs to determine full transmissions are correctly formatted and sent appropriately and discuss with System Owner, security staff, operations staff, and Security Officer. | Examine: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access enforcement functions. | |
| AC-24(2) | Access control decisions: No user or process identity | Review documentation to determine if system requires special privacy protection with respect to access control, decisions can be made without information regarding the identity of the users issuing the requests. Discuss with security staff, legal staff, operations staff, System Owner, and Security Officer. | Examine: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access enforcement functions. | |
| AC-25 | Reference monitor | Review documentation to ensure that system utilizes the reference monitor construct, which is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. Discuss with security staff, operations staff, System Owner, and Security Officer. | Examine: Access control policy; procedures addressing access enforcement; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers. Test: Automated mechanisms implementing access enforcement functions. |
B. Awareness and training (AT) family
FIPS-200 provides the following criteria for this family of controls: “Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.”
The primary assessment areas for these controls include:
a. Review training elements so that managers and users of organizational information systems are made aware of the security risks associated with their activities.
b. Assess training elements that promote managers and users awareness of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems.
c. Inspect training elements that validate organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
| Control number | Control name | Assessment methods | Notes and guidance | SP 800-53A guidance |
| AT-1 | Security awareness and training policy and procedures | Review organizational IT and security policies for training coverage for users, administrators, executives, and security personnel. Discuss training with System Owner and Security Officer to ensure policy is being adhered to by the organization. | SP 800-12, SP 800-16, SP 800-50, SP 800-100 | Examine: Security awareness and training policy and procedures; other relevant documents or records. Interview: Organizational personnel with security awareness and training responsibilities; organizational personnel with information security responsibilities. |
| AT-2 | Security awareness training | Review training as delivered to users for appropriateness and applicability. Check and review training records of the users and staff to ensure training has occurred and is valid. Review the training topics delivered to ensure validity and relevance. | SP 800-16, SP 800-50, E.O 13587, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security awareness training implementation; appropriate codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; training records; other relevant documents or records. Interview: Organizational personnel with responsibilities for security awareness training; organizational personnel with information security responsibilities; organizational personnel comprising the general information system user community. Test: Automated mechanisms managing security awareness training. |
| AT-2(1) | Security awareness training: Practical exercise | Verify training topics delivered for validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50, E.O 13587, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records. Interview: Organizational personnel that participate in security awareness training; organizational personnel with responsibilities for security awareness training; organizational personnel with information security responsibilities. Test: Automated mechanisms implementing cyber-attack simulations in practical exercises. |
| AT-2(2) | Security awareness training: Insider threat | Verify training topics delivered for validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50, E.O 13587, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records. Interview: Organizational personnel that participate in security awareness training; organizational personnel with responsibilities for basic security awareness training; organizational personnel with information security responsibilities. |
| AT-3 | Role-based security training | Verify training topics delivered for validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records. Interview: Organizational personnel with responsibilities for role-based security training; organizational personnel with assigned information system security roles and responsibilities. Test: Automated mechanisms managing role-based security training. |
| AT-3(1) | Role-based security training: Environmental controls | Verify training topics delivered for validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records. Interview: Organizational personnel with responsibilities for role-based security training; organizational personnel with responsibilities for employing and operating environmental controls. |
| AT-3(2) | Role-based security training: Physical security controls | Verify training topics delivered for validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records. Interview: Organizational personnel with responsibilities for role-based security training; organizational personnel with responsibilities for employing and operating physical security controls. |
| AT-3(3) | Role-based security training: Practical exercises | Verify training topics delivered for validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; security plan; other relevant documents or records. Interview: Organizational personnel with responsibilities for role-based security training; organizational personnel that participate in security awareness training. |
| AT-3(4) | Role-based security training: Suspicious communications and anomalous system behavior | Verify training topics delivered for validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50, 5 CFR 930.301 | Examine: Security awareness and training policy; procedures addressing security training implementation; security training curriculum; security training materials; security plan; training records; other relevant documents or records. Interview: Organizational personnel with responsibilities for role-based security training; organizational personnel that participate in security awareness training. |
| AT-4 | Security training records | Check and review training records of the users and staff to ensure that training has occurred and is valid. Review the training topics delivered to ensure validity and relevance. Interview System Owner and Security Officer to gain knowledge of delivery and timing activities. | SP 800-16, SP 800-50 | Examine: Security awareness and training policy; procedures addressing security training records; security awareness and training records; security plan; other relevant documents or records. Interview: Organizational personnel with security training record retention responsibilities. Test: Automated mechanisms supporting management of security training records. |
| AT-5 | Contacts with security groups and associations | Withdrawn: Incorporated into PM-15 |
C. Audit and accountability (AU) family
FIPS-200 provides the following criteria for this family of controls: “Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users, so they can be held accountable for their actions.”
The primary assessment areas for these controls include:
a. Review controls in a system that facilitate the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, and investigation of the system.
b. Inspect security elements in a system to enable the reporting of unlawful, unauthorized, or inappropriate information system activity.
c. Audit controls in a system to facilitate that the actions of individual information system users can be uniquely traced to those users, so that they can be held accountable for their actions.