Control number Control name Assessment methods Notes and guidance documents SP 800-53A guidance
SI-1 System and information integrity policy and procedures Review the organizational and system documentation to ensure that all system integrity policies and procedures are properly identified and documented. Discuss with System Owner and Security Officer. SP 800-12, SP 800-100 Examine: System and information integrity policy and procedures; other relevant documents or records. Interview: Organizational personnel with system and information integrity responsibilities; organizational personnel with information security responsibilities.
SI-2 Flaw remediation Review documentation to determine the flaw remediation actions, activities and efforts of the organization to meet requirements operationally for system. Determine extent of software update processes and procedures follow defined and documented methods and techniques. Ensure all software patching conforms to organizational frequency and methodology needs. Discuss with Security Officer, System Owner, operational staff, and security staff. SP 800-40, SP 800-128 Examine: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; list of flaws and vulnerabilities potentially affecting the information system; list of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws); test results from the installation of software and firmware updates to correct information system flaws; installation/change control records for security-relevant software and firmware updates; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation; organizational personnel with configuration management responsibility. Test: Organizational processes for identifying, reporting, and correcting information system flaws; organizational process for installing software and firmware updates; automated mechanisms supporting and/or implementing reporting, and correcting information system flaws; automated mechanisms supporting and/or implementing testing software and firmware updates.
SI-2(1) Flaw remediation: Central management Review documentation to determine the implementation of centralized flaw management actions, such as planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls. Review central management system and reporting to ensure that the system is active and operational. Discuss with System Owner, security staff, and Security Officer. SP 800-40, SP 800-128 Examine: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation. Test: Organizational processes for central management of the flaw remediation process; automated mechanisms supporting and/or implementing central management of the flaw remediation process.
SI-2(2) Flaw remediation: Automated flaw remediation status Review documentation to ensure that the organization is performing automated reviews for flaw remediation-patching efforts on system. Review reports and outputs from automated system to verify remediation. Test system sample to ensure that remediation has been performed correctly and completely. Discuss with security staff, System Owner, and Security Officer. SP 800-40, SP 800-128 Examine: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation. Test: Automated mechanisms used to determine the state of information system components with regard to flaw remediation.
SI-2(3) Flaw remediation: Time to remediate flaws/benchmarks for correction actions Review documentation to determine the organizational requirement for time between issuance of patch and actual loading of patch onto the system. This establishes the benchmark for corrective action. Review output and system logs to determine if the organization is meeting benchmark requirements. Discuss with System Owner, security staff, operations staff, and Security Officer. SP 800-40, SP 800-128 Examine: System and information integrity policy; procedures addressing flaw remediation; information system design documentation; information system configuration settings and associated documentation; list of benchmarks for taking corrective action on flaws identified; records providing time stamps of flaw identification and subsequent flaw remediation activities; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation. Test: Organizational processes for identifying, reporting, and correcting information system flaws; automated mechanisms used to measure the time between flaw identification and flaw remediation.
SI-2(4) Flaw remediation: Automated patch management tools Withdrawn: Incorporated into SI-2
SI-2(5) Flaw remediation: Automatic software/firmware updates Review documentation on automated updates for system to ensure that operational, configuration management, and security needs are balanced with each other in applying updates and patches to the system in a timely manner. Discuss with System Owner, operations staff, security staff, and Security Officer. SP 800-40, SP 800-128 Examine: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation and automatic software/firmware updates; information system design documentation; information system configuration settings and associated documentation; records of recent security-relevant software and firmware updates automatically installed to information system components; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation. Test: Automated mechanisms implementing automatic software/firmware updates.
SI-2(6) Flaw remediation: Removal of previous versions of software/firmware Review documentation to ensure that the previous versions of software are appropriately removed from system upon new software being applied. Discuss with security staff, System Administrators, Security Officer, and System Owner. SP 800-40, SP 800-128 Examine: System and information integrity policy; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; information system design documentation; information system configuration settings and associated documentation; records of software and firmware component removals after updated versions are installed; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for flaw remediation. Test: Automated mechanisms supporting and/or implementing removal of previous versions of software/firmware.
SI-3 Malicious code protection Review documentation for malicious code control and protection mechanisms installed and applied to system. Various techniques can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness, when attempting to open or execute files. Test various methods of code integrity errors to ensure system responds correctly. Discuss with System Owner, security staff, and Security Officer. SP 800-83 Examine: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; information system design documentation; information system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection; organizational personnel with configuration management responsibility. Test: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; automated mechanisms supporting and/or implementing employing, updating, and configuring malicious code protection mechanisms; automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions.
SI-3(1) Malicious code protection: Central management Review documentation to ensure that the organization controls malicious code protection from central system. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls. Ensure central management through testing code load and detection actions. Discuss with System Owner, security staff, System Administrators, and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; automated mechanisms supporting centralized management of malicious code protection mechanisms; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection. Test: Organizational processes for central management of malicious code protection mechanisms; automated mechanisms supporting and/or implementing central management of malicious code protection mechanisms.
SI-3(2) Malicious code protection: Automatic updates Review documentation for malicious code detection and control to ensure that automated signature processes are enacted and active. Review recent updates to the system to verify process is functioning and active. Discuss with System Owner and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; automated mechanisms supporting centralized management of malicious code protection mechanisms; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection. Test: Automated mechanisms supporting and/or implementing automatic updates to malicious code protection capability.
SI-3(3) Malicious code protection: Nonprivileged users Withdrawn: Incorporated into AC-6(10)
SI-3(4) Malicious code protection: Updates only by privileged users Review documentation for malicious code updates to ensure that only elevated privilege users are allowed to perform updates. Verify via operating system or LDAP account management processes. Test via account management review and test code load processes. Discuss with System Owner, security staff, System Administrators, and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection. Test: Automated mechanisms supporting and/or implementing malicious code protection capability.
SI-3(5) Malicious code protection: Portable storage devices Withdrawn: Incorporated into MP-7
SI-3(6) Malicious code protection: Testing/verification Review documentation to ensure that the organizational testing of malicious code detection is performed. Test malicious code detection with test code to verify detection process. Discuss with System Owner and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; information system configuration settings and associated documentation; test cases; records providing evidence of test cases executed on malicious code protection mechanisms; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection. Test: Automated mechanisms supporting and/or implementing testing and verification of malicious code protection capability.
SI-3(7) Malicious code protection: Nonsignature-based detection Review documentation to determine the system and organizational utilization of heuristics or other code and to provide safeguards against malicious code for which signatures do not exist yet. Test system with sample malicious code to verify system. Discuss with System Owner, operational staff, security staff, and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; records of malicious code protection updates; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection. Test: Automated mechanisms supporting and/or implementing nonsignature-based malicious code protection capability.
SI-3(8) Malicious code protection: Detect unauthorized commands Review documentation to ensure that the system provides detection of unauthorized commands or requests to kernel, virtualized system, or other protected component of system and its operating system. Discuss with System Owner, security staff, and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; warning messages sent upon detection of unauthorized operating system command execution; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection. Test: Automated mechanisms supporting and/or implementing malicious code protection capability; automated mechanisms supporting and/or implementing detection of unauthorized operating system commands through the kernel application programming interface.
SI-3(9) Malicious code protection: Authenticate remote commands Review documentation to ensure that the system protects against unauthorized commands and replay of authorized commands. Test with malicious code sample to verify system reaction to code command. Discuss with System Owner, security staff, and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; information system design documentation; malicious code protection mechanisms; warning messages sent upon detection of unauthorized operating system command execution; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection. Test: Automated mechanisms supporting and/or implementing malicious code protection capability; automated mechanisms implementing authentication of remote commands; automated mechanisms supporting and/or implementing security safeguards to authenticate remote commands.
SI-3(10) Malicious code protection: Malicious code analysis Review documentation to determine the organization’s implementation of reverse engineering and other code analysis techniques for review and evaluation of malicious code and code events. Discuss with security Staff, System Owner, and Security Officer. SP 800-83 Examine: System and information integrity policy; procedures addressing malicious code protection; procedures addressing incident response; procedures addressing flaw remediation; information system design documentation; malicious code protection mechanisms, tools, and techniques; information system configuration settings and associated documentation; results from malicious code analyses; records of flaw remediation events resulting from malicious code analyses; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for malicious code protection; organizational personnel responsible for flaw remediation; organizational personnel responsible for incident response/management. Test: Organizational process for incident response; organizational process for flaw remediation; automated mechanisms supporting and/or implementing malicious code protection capability; tools and techniques for analysis of malicious code characteristics and behavior.
SI-4 Information system monitoring Review documentation to determine the organizational monitoring of system and operational status. Review techniques and procedures for monitoring, which could include intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software, and other components and methods. Discuss with security staff, operations staff, System Owner, and Security Officer. SP 800-61, rev.2, SP 800-83,SP 800-92, SP 800-94, SP 800-137 Examine: Continuous monitoring strategy; system and information integrity policy; procedures addressing information system monitoring tools and techniques; facility diagram/layout; information system design documentation; information system monitoring tools and techniques documentation; locations within information system where monitoring devices are deployed; information system configuration settings and associated documentation; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility monitoring the information system. Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing information system monitoring capability.
SI-4(1) Information system monitoring: System-wide intrusion detection system Review documentation for the system and organizational implementation of IDS and its sensors for the system under review. Ensure that the monitoring of the IDS is active and alarms and alerts are identified and responded to through reviews and observations. Test response times of system IDS with test code and snippets. Discuss with System Owner, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83,SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection capability.
SI-4(2) Information system monitoring: Automated tools for real-time analysis Review documentation to ensure that the system is utilizing automated mechanisms for monitoring and evaluation. Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by the organizational information systems. Review outputs from tools to verify actual use and value of monitoring actions and events. Discuss with System Owner, operations staff, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83,SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for incident response/management. Test: Organizational processes for near real-time analysis of events; organizational processes for information system monitoring; automated mechanisms supporting and/or implementing information system monitoring; automated mechanisms/tools supporting and/or implementing analysis of events.
SI-4(3) Information system monitoring: Automated tool integration Review documentation to determine full integration of automatic monitoring tools with intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. Verify output from the tools that show rapid response efforts and actions. Discuss with System Owner, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83,SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; access control policy and procedures; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms/tools supporting and/or implementing access/flow control capability; automated mechanisms/tools supporting and/or implementing integration of intrusion detection tools into access/flow control mechanisms.
SI-4(4) Information system monitoring: Inbound and outbound communications traffic Review documentation for monitoring of internal traffic that indicates the presence of malicious code within the organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Discuss with System Owner, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83,SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection capability/information system monitoring; automated mechanisms supporting and/or implementing monitoring of inbound/outbound communications traffic.
SI-4(5) Information system monitoring: System-generated alerts Review documentation to ensure that monitoring component provides alarms and alerts, when events are identified or discovered. Verify alert mechanism when triggered through testing with test code. Discuss with System Owner, Security Officer, and security staff. SP 800-61, rev.2, SP 800-83,SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; alerts/notifications generated based on compromise indicators; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing alerts for compromise indicators.
SI-4(6) Information system monitoring: Restrict nonprivileged users Withdrawn: Incorporated into AC-6(10)
SI-4(7) Information system monitoring: Automated response to suspicious events Review documentation for monitoring tool to identify and verify automated response mechanisms, which are less disruptive. Least-disruptive actions may include, for example, initiating requests for human responses. Verify system provides this notification process. Discuss with System Owner and Security Officer. SP 800-61, rev.2, SP 800-83,SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; alerts/notifications generated based on detected suspicious events; records of actions taken to terminate suspicious events; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing notifications to incident response personnel; automated mechanisms supporting and/or implementing actions to terminate suspicious events.
SI-4(8) Information system monitoring: Protection of monitoring information Withdrawn: Incorporated into SI-4
SI-4(9) Information system monitoring: Testing of monitoring tools Review documentation for intrusion monitoring tools. Verify the tools by testing each tool, its operation, and its outputs. Discuss with Security Officer and System Owner. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing testing of information system monitoring tools and techniques; documentation providing evidence of testing intrusion-monitoring tools; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing testing of intrusion monitoring tools.
SI-4(10) Information system monitoring: Visibility of encrypted communications Review documentation for monitoring of the encrypted communications within the system. Ensure the documentation defines the organizational balance between the potentially conflicting needs to encrypt communications traffic and to have insight into such traffic from a monitoring perspective, as required for the system. Discuss with System Owner, security staff, operations staff, and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing visibility of encrypted communications traffic to monitoring tools.
SI-4(11) Information system monitoring: Analyze communications traffic anomalies Review documentation for detection of system and traffic anomalies such as large file transfers, long-lived persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. Verify the notification process by testing with test code. Discuss with System Owner, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; network diagram; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing analysis of communications traffic.
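The four anomaly classes SI-4(11) names (large transfers, long-lived connections, unusual ports/protocols, contact with suspected malicious external addresses) as a small detection check run over constructed flow records; this is an added example, not handbook or vendor code, and the thresholds, baseline port profile, internal network ranges and suspect-address list are assumptions standing in for the organization's documented traffic profiles (SI-4(13)) and threat-intelligence feeds.

```python
"""Added example (not from the handbook): a minimal SI-4(11) traffic-anomaly
check run over constructed flow records. The thresholds, the baseline port
profile, the internal ranges and the suspect-address list are assumptions; a
production check would load them from the organization's documented profiles
and threat-intelligence sources."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str          # source IP address
    dst: str          # destination IP address
    dport: int        # destination port
    proto: str        # "tcp" or "udp"
    bytes_out: int    # bytes sent from src to dst
    duration_s: int   # connection lifetime in seconds


# Assumed thresholds and baseline profile (constructed values, not from the handbook).
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024        # 100 MiB in a single outbound flow
LONG_CONNECTION_S = 6 * 3600                    # six hours of persistent connection
BASELINE_PORTS = {"tcp": {22, 80, 443}, "udp": {53, 123}}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed "suspected malicious" external addresses (RFC 5737 documentation ranges).
SUSPECT_ADDRESSES = {"203.0.113.50", "198.51.100.7"}


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyze_flow(flow: Flow) -> List[str]:
    """Return the anomaly categories a single flow matches (empty list if none).
    Only traffic leaving the internal networks is profiled here."""
    reasons: List[str] = []
    if is_internal(flow.src) and not is_internal(flow.dst):
        if flow.bytes_out >= LARGE_TRANSFER_BYTES:
            reasons.append("large_transfer")
        if flow.duration_s >= LONG_CONNECTION_S:
            reasons.append("long_connection")
        if flow.dport not in BASELINE_PORTS.get(flow.proto, set()):
            reasons.append("unusual_port_or_protocol")
        if flow.dst in SUSPECT_ADDRESSES:
            reasons.append("suspect_external_address")
    return reasons


def analyze_flows(flows: List[Flow]) -> Dict[Flow, List[str]]:
    """Map each anomalous flow to its reasons; flows with no findings are dropped,
    so the result is exactly the set of events that should raise a notification."""
    findings: Dict[Flow, List[str]] = {}
    for flow in flows:
        reasons = analyze_flow(flow)
        if reasons:
            findings[flow] = reasons
    return findings


# Constructed sample flows: one benign, one per anomaly class, one internal-only.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.1", 443, "tcp", 20_000, 12),                # benign HTTPS
    Flow("10.1.2.3", "203.0.113.50", 443, "tcp", 300 * 1024 * 1024, 90),  # large + suspect
    Flow("10.1.2.4", "192.0.2.10", 8443, "tcp", 4_000, 8 * 3600),         # long-lived, odd port
    Flow("10.1.2.5", "192.0.2.11", 6667, "tcp", 500, 30),                 # unusual port only
    Flow("10.1.2.6", "10.9.9.9", 9999, "tcp", 10 ** 9, 10 ** 5),          # internal-only, ignored
]

if __name__ == "__main__":
    for flow, reasons in analyze_flows(SAMPLE_FLOWS).items():
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {', '.join(reasons)}")
```

Running the block prints one alert line per anomalous sample flow; an assessor can feed the same constructed records into the system under test and compare its notifications against this expected set.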
SI-4(12) Information system monitoring: Automated alerts Review documentation for monitoring the system to verify that the system reports alarms and alerts from sources both external and internal to the system. Discuss with System Owner and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of inappropriate or unusual activities (with security implications) that trigger alerts; alerts/notifications provided to security personnel; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing automated alerts to security personnel.
SI-4(13) Information system monitoring: Analyze traffic/event patterns Review documentation to determine what level of traffic-pattern analysis is used to define the traffic/event profiles employed in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives. Discuss with security staff, System Owner, and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of profiles representing common traffic patterns and/or events; information system protocols documentation; list of acceptable thresholds for false positives and false negatives; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing analysis of communications traffic/event patterns.
SI-4(14) Information system monitoring: Wireless intrusion detection Review documentation to determine the extent to which wireless network deployments within the system are monitored with wireless-based IDS (WIDS) components. WIDS scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems. Test WIDS through injecting a rogue WAP and evaluating the resultant scans and reports. Discuss with System Owner and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection; automated mechanisms supporting and/or implementing wireless intrusion detection capability.
SI-4(15) Information system monitoring: Wireless to wireline communications Review documentation to determine the monitoring of wireless activity as it traverses the wireless-to-wired connections within the system. Discuss with security staff, Security Officer, and System Owner. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system protocols documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing wireless intrusion detection capability.
SI-4(16) Information system monitoring: Correlate monitoring information Review documentation to determine whether the organization provides methods to correlate its various monitoring efforts into an organization-wide monitoring capability. Discuss with System Owner, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/information system monitoring capability; automated mechanisms supporting and/or implementing correlation of information from monitoring tools.
SI-4(17) Information system monitoring: Integrated situational awareness Review documentation to determine whether the organization provides methods to correlate various monitoring efforts, both internal and external to the organization, to provide a broader organization-wide monitoring capability and situational awareness. Discuss with System Owner, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; event correlation logs or records resulting from physical, cyber, and supply chain activities; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/system monitoring capability; automated mechanisms supporting and/or implementing correlation of information from monitoring tools.
SI-4(18) Information system monitoring: Analyze traffic/covert exfiltration Review documentation to determine whether the organization has covert-exfiltration detection methods and techniques available and deployed within the system or organization. Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography. Discuss with security staff, System Owner, and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; network diagram; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system; organizational personnel with responsibility for the intrusion detection system. Test: Organizational processes for intrusion detection/information system monitoring; automated mechanisms supporting and/or implementing intrusion detection/system monitoring capability; automated mechanisms supporting and/or implementing analysis of outbound communications traffic.
SI-4(19) Information system monitoring: Individuals posing greater risk Review documentation to determine whether the organization provides monitoring of at-risk or suspect individuals with access to the system. Ensure all monitoring is under supervision of appropriate organizational management oversight to include legal staff, management, personnel department, and operations. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards. Discuss with System Owner and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring; information system design documentation; list of individuals who have been identified as posing an increased level of risk; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system. Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability.
SI-4(20) Information system monitoring: Privileged users Review documentation for monitoring efforts on elevated-privilege users and their activities. Ensure all monitoring is under supervision of appropriate organizational management oversight to include legal staff, management, personnel department, and operations. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within the organizations conducting such monitoring and complies with federal legislation, executive orders, policies, directives, regulations, and standards. Discuss with System Owner and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; list of privileged users; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system. Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability.
SI-4(21) Information system monitoring: Probationary periods Review documentation for monitoring efforts on users during the organizationally defined probationary period. Ensure all monitoring is under supervision of appropriate organizational management oversight to include legal staff, management, personnel department, and operations. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards. Discuss with System Owner and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system. Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability.
SI-4(22) Information system monitoring: Unauthorized network services Review documentation to determine how the system and organization validate and verify external or unauthorized network services, to ensure that their use is authorized and that they are free of malicious components or software. Test the system with test code to verify the control. Discuss with System Owner, security staff, and Security Officer. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; documented authorization/approval of network services; notifications or alerts of unauthorized network services; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring the information system. Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing system monitoring capability; automated mechanisms for auditing network services; automated mechanisms for providing alerts.
SI-4(23) Information system monitoring: Host-based devices Review documentation to ensure that host-based monitoring devices are installed and operating correctly. Evaluate with test code to ensure monitoring is functioning and operational. Discuss with Security Officer, security staff, and System Owner. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring tools and techniques; information system design documentation; host-based monitoring mechanisms; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; list of information system components requiring host-based monitoring; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring information system hosts. Test: Organizational processes for information system monitoring; automated mechanisms supporting and/or implementing host-based monitoring capability.
SI-4(24) Information system monitoring: Indicators of compromise Review documentation for the use of indicators of compromise (IOC) in monitoring efforts. IOCs are forensic artifacts from intrusions, often retrieved via forensic methods after an intrusion, that are used to help other systems and organizational components identify potential compromise events. Discuss with Security Officer and System Owner. SP 800-61, rev.2, SP 800-83, SP 800-92, SP 800-94, SP 800-137 Examine: System and information integrity policy; procedures addressing information system monitoring; information system design documentation; information system monitoring tools and techniques documentation; information system configuration settings and associated documentation; information system monitoring logs or records; information system audit records; other relevant documents or records. Interview: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the information system; organizational personnel with responsibility for monitoring information system hosts. Test: Organizational processes for information system monitoring; organizational processes for discovery, collection, distribution, and use of indicators of compromise; automated mechanisms supporting and/or implementing system monitoring capability; automated mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise.
SI-5 Security alerts, advisories, and directives Review documentation to determine receipt and use of external security alerts and advisories from governmental and nongovernmental entities. Discuss with System Owner, security staff, and Security Officer. SP 800-137, SP 800-94, SP 800-40 Examine: System and information integrity policy; procedures addressing security alerts, advisories, and directives; records of security alerts and advisories; other relevant documents or records. Interview: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, and using the information system; organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated; system/network administrators; organizational personnel with information security responsibilities. Test: Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives; automated mechanisms supporting and/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives; automated mechanisms supporting and/or implementing security directives.
SI-5(1) Security alerts, advisories, and directives: Automated alerts and advisories Review documentation to determine receipt and use of external security alerts and advisories from governmental and nongovernmental entities. Ensure automated mechanisms are used to disseminate these alerts and advisories. Discuss with System Owner, security staff, and Security Officer. SP 800-137, SP 800-94, SP 800-40 Examine: System and information integrity policy; procedures addressing security alerts, advisories, and directives; information system design documentation; information system configuration settings and associated documentation; automated mechanisms supporting the distribution of security alert and advisory information; records of security alerts and advisories; information system audit records; other relevant documents or records. Interview: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, and using the information system; organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated; system/network administrators; organizational personnel with information security responsibilities. Test: Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories; automated mechanisms supporting and/or implementing dissemination of security alerts and advisories.
SI-6 Security function verification Review documentation to ensure that the system security functions, such as system startup, restart, shutdown, and abort, provide notification to appropriate operational and security staff in a timely manner. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights. Discuss with operations staff, security staff, Security Officer, and System Owner. Examine: System and information integrity policy; procedures addressing security function verification; information system design documentation; information system configuration settings and associated documentation; alerts/notifications of failed security verification tests; list of system transition states requiring security functionality verification; information system audit records; other relevant documents or records. Interview: Organizational personnel with security function verification responsibilities; organizational personnel implementing, operating, and maintaining the information system; system/network administrators; organizational personnel with information security responsibilities; system developer. Test: Organizational processes for security function verification; automated mechanisms supporting and/or implementing security function verification capability.
SI-6(1) Security function verification: Notification of failed security tests Withdrawn: Incorporated into SI-6
SI-6(2) Security function verification: Automation support for distributed testing Review documentation to determine the automated mechanisms in place for distributed security testing of system components and functions. Discuss with Security Officer, security staff, and System Owner. Examine: System and information integrity policy; procedures addressing security function verification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with security function verification responsibilities; organizational personnel implementing, operating, and maintaining the information system; system/network administrators; organizational personnel with information security responsibilities. Test: Organizational processes for security function verification; automated mechanisms supporting and/or implementing the management of distributed security testing.
SI-6(3) Security function verification: Report verification results Review documentation to ensure that appropriate interested security personnel receive results from security function testing and evaluations. Discuss with security staff, Security Officer, and System Owner. Examine: System and information integrity policy; procedures addressing security function verification; information system design documentation; information system configuration settings and associated documentation; records of security function verification results; information system audit records; other relevant documents or records. Interview: Organizational personnel with security function verification responsibilities; organizational personnel with information security responsibilities. Test: Organizational processes for reporting security function verification results; automated mechanisms supporting and/or implementing the reporting of security function verification results.
SI-7 Software, firmware, and information integrity Review documentation to determine the level and extent of software and firmware integrity checks employed by the system. Test with sample code to ensure the accuracy of the checks and of the results reporting of the integrity tools employed. Discuss with security staff, Security Officer, and System Owner. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators. Test: Software, firmware, and information integrity verification tools.
SI-7(1) Software, firmware, and information integrity: Integrity checks Review documentation to ensure that integrity check actions are used for all installations of software (SW) and firmware (FW) at critical points during the process. Verify using test code during a test installation. Discuss with security staff, Security Officer, and System Owner. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Software, firmware, and information integrity verification tools.
SI-7(2) Software, firmware, and information integrity: Automated notifications of integrity violations Review documentation to ensure that integrity check tools provide automated reporting of integrity violations and notification of appropriate organizational personnel in a timely manner. Review reports and tool results to ensure reporting is provided. Discuss with operations staff, security staff, System Owner, and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; automated tools supporting alerts and notifications for integrity discrepancies; alerts/notifications provided upon discovering discrepancies during integrity verifications; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities. Test: Software, firmware, and information integrity verification tools; automated mechanisms providing integrity discrepancy notifications.
SI-7(3) Software, firmware, and information integrity: Centrally-managed integrity tools Review documentation to determine the organizational use of centrally managed integrity check tools and techniques. Discuss with operations staff, security staff, Security Officer, and System Owner. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; other relevant documents or records. Interview: Organizational personnel with responsibility for central management of integrity verification tools; organizational personnel with information security responsibilities. Test: Automated mechanisms supporting and/or implementing central management of integrity verification tools.
SI-7(4) Security function verification: Tamper-evident packaging Withdrawn: Incorporated into SA-12
SI-7(5) Software, firmware, and information integrity: Automated response to integrity violations Review documentation to determine the organizational or system use of automatic response mechanisms to integrity violations. Such responses can include reversing the changes, halting the information system, or triggering audit alerts, when unauthorized modifications to critical security files occur. Verify response mechanisms with test code. Discuss with security staff, operations staff, Security Officer, and System Owner. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; records of integrity checks and responses to integrity violations; information audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Software, firmware, and information integrity verification tools; automated mechanisms providing an automated response to integrity violations; automated mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered.
SI-7(6) Software, firmware, and information integrity: Cryptographic protection Review documentation to determine use of various cryptographic mechanisms used to protect files and code. Discuss with System Owner, Security Officer, and security staff. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated documentation; records of detected unauthorized changes to software, firmware, and information; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Software, firmware, and information integrity verification tools; cryptographic mechanisms implementing software, firmware, and information integrity.
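The SI-7 assessment cells above call for testing integrity verification tools "with sample code": a baseline of keyed digests, a verification pass that reports discrepancies (SI-7), alert lines for each violation (SI-7(2)), an automated response that reverses the change (SI-7(5)), and a cryptographic mechanism protecting the baseline (SI-7(6)). The following is an added illustration of that test harness and is not code from the handbook or from any NIST publication; the file tree, the "trusted copy" location and the demo key are constructed for the example, and the key is assumed to be held off-host so a tampered host cannot re-sign its own baseline.

```python
"""Keyed file-integrity baseline with alerting and rollback (added illustration).

Not code from the handbook or NIST; file names, tree layout and the key below
are constructed for the demo.
"""
import hashlib
import hmac
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Assumed to be held by the central integrity server, never on the monitored
# host: a plain SHA-256 baseline stored locally can be rewritten by whoever
# rewrites the files, an HMAC baseline cannot be re-signed without this key.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def keyed_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over file contents, streamed in 64 KiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict[str, str]:
    """Record a keyed digest for every regular file under root, keyed by
    POSIX-style relative path so baselines compare across hosts."""
    return {
        p.relative_to(root).as_posix(): keyed_digest(p, key)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


@dataclass(frozen=True)
class Violation:
    path: str
    kind: str  # "modified", "added" or "removed"


def verify(root: Path, baseline: dict[str, str], key: bytes) -> list[Violation]:
    """SI-7: compare the current tree to the baseline and report every discrepancy."""
    current = build_baseline(root, key)
    violations = []
    for rel, expected in baseline.items():
        if rel not in current:
            violations.append(Violation(rel, "removed"))
        elif not hmac.compare_digest(current[rel], expected):
            violations.append(Violation(rel, "modified"))
    for rel in current.keys() - baseline.keys():
        violations.append(Violation(rel, "added"))
    return sorted(violations, key=lambda v: v.path)


def notify(violations: list[Violation]) -> list[str]:
    """SI-7(2): one alert line per violation for the notification channel."""
    return [f"ALERT integrity {v.kind}: {v.path}" for v in violations]


def respond(root: Path, trusted_copy: Path, violations: list[Violation]) -> list[str]:
    """SI-7(5): reverse the change. Modified/removed files are restored from the
    trusted copy (assumed to mirror the baseline); unexpected additions are moved
    to a quarantine directory for incident review. Returns the actions taken."""
    actions = []
    quarantine = root.parent / "quarantine"
    quarantine.mkdir(exist_ok=True)
    for v in violations:
        if v.kind in ("modified", "removed"):
            (root / v.path).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(trusted_copy / v.path, root / v.path)
            actions.append(f"restored {v.path}")
        else:
            shutil.move(str(root / v.path), str(quarantine / v.path.replace("/", "_")))
            actions.append(f"quarantined {v.path}")
    return actions


def demo() -> tuple[list[str], list[Violation], list[Violation]]:
    """End-to-end run on a constructed tree: returns (alerts, violations found,
    violations remaining after the automated response)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        trusted = Path(tmp) / "trusted"
        for base in (root, trusted):
            (base / "bin").mkdir(parents=True)
            (base / "bin" / "service").write_bytes(b"\x7fELF constructed binary v1")
            (base / "config.ini").write_text("mode=strict\n")
        baseline = build_baseline(root, DEMO_KEY)
        # Simulated unauthorized changes (constructed): a config edit and a new file.
        (root / "config.ini").write_text("mode=permissive\n")
        (root / "bin" / "helper").write_bytes(b"unexpected")
        before = verify(root, baseline, DEMO_KEY)
        alerts = notify(before)
        respond(root, trusted, before)
        after = verify(root, baseline, DEMO_KEY)
    return alerts, before, after


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```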
SI-7(7) Software, firmware, and information integrity: Integration of detection and response Review documentation to ensure that detected events are tracked, monitored, corrected, and available for historical purposes by the organization or the system. Review reports and event logs to validate retention. Discuss with System Owner, Security Officer, and security staff. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; procedures addressing incident response; information system design documentation; information system configuration settings and associated documentation; incident response records; information audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities. Test: Organizational processes for incorporating detection of unauthorized security relevant changes into the incident response capability; software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability.
SI-7(8) Software, firmware, and information integrity: Auditing capability for significant events Review documentation to determine the extent to which the organization reviews results of significant events for evaluation, auditing, and response efforts. Discuss with System Owner and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; incident response records, list of security-relevant changes to the information system; automated tools supporting alerts and notifications if unauthorized security changes are detected; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing the capability to audit potential integrity violations; automated mechanisms supporting and/or implementing alerts about potential integrity violations.
SI-7(9) Software, firmware, and information integrity: Verify boot process Review documentation to determine how the organization or system only allows trusted code to be executed during boot processes. Discuss with System Owner, security staff, and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; documentation; records of integrity verification scans; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system developer. Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing integrity verification of the boot process.
SI-7(10) Software, firmware, and information integrity: Protection of boot software Review documentation to determine the organizational efforts to ensure that only allowable boot firmware is executed during startup of system. Unauthorized modifications to boot firmware may be indicative of a sophisticated, targeted cyber-attack. Review organizational implementation of specialized review processes found in SP 800-155. Discuss with System Owner, security staff, and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity verification scans; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing protection of the integrity of boot firmware; safeguards implementing protection of the integrity of boot firmware.
SI-7(11) Software, firmware, and information integrity: Confined environments with limited privileges Review documentation to determine the extent that the organization limits user installation of suspect software. Ensure user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed. Discuss with operations staff, security staff, System Owner, and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities. Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing execution of software in a confined environment (physical and/or virtual); automated mechanisms supporting and/or implementing limited privileges in the confined environment.
SI-7(12) Software, firmware, and information integrity: Integrity verification Review documentation to determine the organizational process for verifying the integrity of user-installed software prior to execution, which reduces the likelihood of executing malicious code or code containing errors introduced by unauthorized modifications. Discuss with security staff, System Owner, and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; integrity verification records; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities. Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing verification of the integrity of user-installed software prior to execution.
SI-7(13) Software, firmware, and information integrity: Code execution in protected environments Review documentation of system controls over code execution to ensure that all sources of binary or machine-executable code (including, for example, commercial software/firmware and open source software) are controlled and verified. Discuss with Security Officer, security staff, and System Owner. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; approval records for execution of binary and machine-executable code; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing approvals for execution of binary or machine executable code.
SI-7(14) Software, firmware, and information integrity: Binary or machine executable code Review documentation to determine how the organization limits the use and execution of software and code with limited or no external verification testing results. Discuss with Security Officer and System Owner. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; approval records for execution of binary and machine-executable code; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; authorizing official; system/network administrators; system developer. Test: Automated mechanisms supporting and/or implementing prohibition of the execution of binary or machine-executable code.
SI-7(15) Software, firmware, and information integrity: Code authentication Review documentation to ensure that the organization uses only properly authenticated software and code on the system. Code signing and cryptographic authentication are proper techniques for this process. Discuss with security staff, operations staff, System Owner, and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software, firmware, and information integrity; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Cryptographic mechanisms authenticating software/firmware prior to installation.
SI-7(16) Software, firmware, and information integrity: Time limit on process execution without supervision Review documentation to determine the organizational process for establishing normal execution periods for processes and for identifying situations in which such periods are exceeded. Discuss with System Owner and Security Officer. SP 800-147, SP 800-155 Examine: System and information integrity policy; procedures addressing software and information integrity; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing time limits on process execution without supervision.
SI-8 Spam protection Review documentation to determine the spam protection mechanisms employed by the system on the entry and exit points, which could include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook/laptop computers. Discuss with System Owner, operations staff, security staff, and Security Officer. SP 800-45 Examine: System and information integrity policy; configuration management policy and procedures (CM-1); procedures addressing spam protection; spam protection mechanisms; records of spam protection updates; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for implementing spam protection; automated mechanisms supporting and/or implementing spam protection.
SI-8(1) Spam protection: Central management Review documentation to determine the level of organizational oversight and central management of all spam protection processes and mechanisms employed. Discuss with System Owner, operations staff, security staff, and Security Officer. SP 800-45 Examine: System and information integrity policy; procedures addressing spam protection; spam protection mechanisms; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators. Test: Organizational processes for central management of spam protection; automated mechanisms supporting and/or implementing central management of spam protection.
SI-8(2) Spam protection: Automatic updates Review documentation to ensure that all spam protection components employ automatic update features. Discuss with Security officer and System Owner. SP 800-45 Examine: System and information integrity policy; procedures addressing spam protection; spam protection mechanisms; records of spam protection updates; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for spam protection; automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms.
SI-8(3) Spam protection: Continuous learning capability Review documentation to determine the extent to which the spam protection process employs continuous learning techniques, such as Bayesian filters that respond to user input identifying specific traffic as spam or legitimate by updating algorithm parameters, thereby more accurately separating the two types of traffic. Discuss with security staff, Security Officer, Security Engineer, and System Owner. SP 800-45 Examine: System and information integrity policy; procedures addressing spam protection; spam protection mechanisms; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for spam protection; automated mechanisms supporting and/or implementing spam protection mechanisms with a learning capability.
SI-9 Information input restrictions Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6
SI-10 Information input validation Review documentation to determine the input validation checks performed by the system upon data entry. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Test the input process with various input anomalies to verify the input validation processes employed by the system. Discuss with System Owner, Developers, security staff, and Security Officer. Examine: System and information integrity policy; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; documentation for automated tools and applications to verify validity of information; list of information inputs requiring validity checks; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Automated mechanisms supporting and/or implementing validity checks on information inputs.
SI-10(1) Information input validation: Manual override capability Review documentation to determine the organizational implementation of manual override capabilities for any inputs into system. Review criteria and selection processes and procedures for manual override actions. Discuss with System Owner, operations staff, and Security Officer. Examine: System and information integrity policy; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for use of manual override capability; automated mechanisms supporting and/or implementing manual override capability for input validation; automated mechanisms supporting and/or implementing auditing of the use of manual override capability.
SI-10(2) Information input validation: Review/resolution of errors Review documentation to evaluate processes and procedures for resolution of errors during input activities, to include correcting systemic causes of errors and resubmitting transactions with corrected input. Discuss with System Owner, Security Officer, and operations staff. Examine: System and information integrity policy; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; review records of information input validation errors and resulting resolutions; information input validation error logs or records; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators. Test: Organizational processes for review and resolution of input validation errors; automated mechanisms supporting and/or implementing review and resolution of input validation errors.
SI-10(3) Information input validation: Predictable behavior Review documentation to determine capabilities of the system to resolve issues correctly, when given incorrect inputs. Identify the expected and predictable behavior resultant from incorrect inputs. Test system with unexpected inputs and evaluate the results. Discuss with System Owner, Developers, and Security Officer. Examine: System and information integrity policy; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Automated mechanisms supporting and/or implementing predictable behavior when invalid inputs are received.
SI-10(4) Information input validation: Review/timing interactions Review documentation to determine the organizational mechanism for handling and responding to the timing of input actions. When invalid information system inputs are received across protocol interfaces, timing interactions become relevant: one protocol needs to consider the impact of its error response on other protocols within the protocol stack. Test via test code inputs and review of outputs in response. Discuss with Security Officer, Developers, and System Owner. Examine: System and information integrity policy; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for determining appropriate responses to invalid inputs; automated mechanisms supporting and/or implementing responses to invalid inputs.
SI-10(5) Information input validation: Restrict inputs to trusted sources and approved formats Review documentation to ensure that the system provides for whitelisting (list of trusted sources and sites) of valid sources of inputs to system. Discuss with Security Officer and System Owner. Examine: System and information integrity policy; procedures addressing information input validation; information system design documentation; information system configuration settings and associated documentation; list of trusted sources for information inputs; list of acceptable formats for input restrictions; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for restricting information inputs; automated mechanisms supporting and/or implementing restriction of information inputs.
SI-11 Error handling Review documentation for system to determine the error handling routines and messages for system and their required outputs to users. Ensure the structure/content of error messages only provides the needed information and not additional information, which can be used by malicious systems, programs, or attackers. Discuss with Developers, System Owner, and Security Officer. Examine: System and information integrity policy; procedures addressing information system error handling; information system design documentation; information system configuration settings and associated documentation; documentation providing structure/content of error messages; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for error handling; automated mechanisms supporting and/or implementing error handling; automated mechanisms supporting and/or implementing management of error messages.
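SI-10 asks the assessor to test the input process "with various input anomalies" against the checks it names (character set, length, numerical range, acceptable values), SI-10(3) asks for predictable behavior on incorrect input, and SI-11 asks that error messages carry only the needed information. The following is an added illustration of what such a test harness exercises, not code from the handbook or from any NIST publication; the three-field request schema, the rejection code and the sample requests are constructed for the example.

```python
"""Input validation with predictable rejection and non-leaking error messages.

Added illustration for SI-10, SI-10(3) and SI-11; not code from the handbook.
The field schema and sample requests are constructed for the demo.
"""
import re
import uuid
from dataclasses import dataclass
from typing import Union

# Constructed schema carrying the four SI-10 checks named in the control text.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # character set + length
ROLES = frozenset({"viewer", "editor", "admin"})      # acceptable values
QUOTA_MB_RANGE = (1, 10_240)                          # numerical range
KNOWN_FIELDS = {"username", "role", "quota_mb"}


@dataclass(frozen=True)
class Rejection:
    """What the caller sees: a stable code and a correlation id. The raw input,
    the failing field and any internal detail are never echoed back (SI-11)."""
    code: str
    correlation_id: str

    @property
    def user_message(self) -> str:
        return f"Request rejected ({self.code}). Reference: {self.correlation_id}"


INTERNAL_LOG: list[dict] = []   # stand-in for the access-controlled audit log


def _log_internal(cid: str, field: str, reason: str, raw: object) -> None:
    # Full detail goes only to the audit log so operators can resolve the error
    # (SI-10(2)) without that detail reaching the requester.
    INTERNAL_LOG.append({"id": cid, "field": field, "reason": reason,
                         "raw": repr(raw)[:200]})


def validate_request(req: object) -> Union[dict, Rejection]:
    """Return a normalised request dict or a Rejection. Every failure, including
    wrong types and unexpected keys, takes the same path (SI-10(3)): no exception
    escapes and no partial result is produced."""
    cid = uuid.uuid4().hex[:12]

    def reject(field: str, reason: str) -> Rejection:
        raw = req.get(field) if isinstance(req, dict) else req
        _log_internal(cid, field, reason, raw)
        return Rejection("INVALID_INPUT", cid)

    if not isinstance(req, dict):
        return reject("<body>", f"expected object, got {type(req).__name__}")
    unexpected = set(req) - KNOWN_FIELDS
    if unexpected:
        return reject(sorted(unexpected)[0], "unexpected field")

    username = req.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return reject("username", "failed character-set/length check")

    role = req.get("role")
    if role not in ROLES:
        return reject("role", "not an acceptable value")

    quota = req.get("quota_mb")
    # bool is a subclass of int; exclude it so True/False cannot pass as 1/0.
    if isinstance(quota, bool) or not isinstance(quota, int):
        return reject("quota_mb", "not an integer")
    lo, hi = QUOTA_MB_RANGE
    if not lo <= quota <= hi:
        return reject("quota_mb", f"out of range {lo}-{hi}")

    return {"username": username, "role": role, "quota_mb": quota}


# Constructed sample inputs: one valid request and five input anomalies.
SAMPLE_REQUESTS = [
    {"username": "alice_01", "role": "editor", "quota_mb": 512},
    {"username": "Alice O'Hara!", "role": "editor", "quota_mb": 512},
    {"username": "bob", "role": "superuser", "quota_mb": 512},
    {"username": "bob", "role": "viewer", "quota_mb": 99999},
    {"username": "bob", "role": "viewer", "quota_mb": True},
    ["not", "an", "object"],
]


def run_samples() -> list[str]:
    """Classify each sample as 'ok' or by its rejection code."""
    results = []
    for req in SAMPLE_REQUESTS:
        outcome = validate_request(req)
        results.append(outcome.code if isinstance(outcome, Rejection) else "ok")
    return results


if __name__ == "__main__":
    print(run_samples())
```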
SI-12 Information handling and retention Review documentation to ensure that the system and organization are performing information handling and storage actions in compliance with data retention requirements, federal law requirements, and agency regulations. Discuss with System Owner, operations staff, and Security Officer. Examine: System and information integrity policy; federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention; media protection policy and procedures; procedures addressing information system output handling and retention; information retention records; other relevant documents or records. Interview: Organizational personnel with responsibility for information handling and retention; organizational personnel with information security responsibilities; system/network administrators. Test: Organizational processes for information handling and retention; automated mechanisms supporting and/or implementing information handling and retention.
SI-13 Predictable failure prevention Review organizational documentation to identify status and repair reports for security equipment and components. Review the documentation and maintenance reports covering potential failures of specific information system components that provide security capability, to ensure that MTTF (Mean Time To Failure) is within the requirements and specifications of the system and organization. Discuss with security staff, System Owner, and Security Officer. Examine: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; list of MTTF substitution criteria; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for MTTF determinations and activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities. Test: Organizational processes for managing MTTF.
SI-13(1) Predictable failure prevention: Transferring component responsibilities Review documentation for the system to ensure that time limits are set and used for substitution of component functionality when original system components are experiencing long repair times. Discuss with System Owner and Security Officer. Examine: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities. Test: Organizational processes for managing MTTF; automated mechanisms supporting and/or implementing transfer of component responsibilities to substitute components.
SI-13(2) Predictable failure prevention: Time limit on process execution without supervision Withdrawn: Incorporated into SI-7(16)
SI-13(3) Predictable failure prevention: Manual transfer between components Review documentation to ensure that the organization invokes transfers to a standby system or components if the primary component is experiencing long repair times. Discuss with System Owner and Security Officer. Examine: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities. Test: Organizational processes for managing MTTF and conducting the manual transfer between active and standby components.
SI-13(4) Predictable failure prevention: Standby component installation/notification Review documentation to ensure that the process for automated or manual transfers of components is defined and instituted when required. Discuss with System Owner, operations staff, and Security Officer. Examine: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; list of actions to be taken once information system component failure is detected; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities. Test: Organizational processes for managing MTTF; automated mechanisms supporting and/or implementing transparent installation of standby components; automated mechanisms supporting and/or implementing alarms or system shutdown if component failures are detected.
SI-13(5) Predictable failure prevention: Failover capability Review documentation to ensure that the process for automated failover transfers of components is defined and instituted when required. Discuss with System Owner, operations staff, and Security Officer. Examine: System and information integrity policy; procedures addressing predictable failure prevention; information system design documentation; information system configuration settings and associated documentation; documentation describing failover capability provided for the information system; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for failover capability; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities. Test: Organizational processes for managing failover capability; automated mechanisms supporting and/or implementing failover capability.
SI-14 Nonpersistence Review documentation of the organization to ensure that nonpersistence of selected system components is performed. The risk from advanced persistent threats (APTs) is treated by significantly reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete cyber-attacks. Ensure the system performs nonpersistence by evaluating system logs, monitoring reports for the selected components, and access logs for user activities. Discuss with System Owner, security staff, and Security Officer. Examine: System and information integrity policy; procedures addressing nonpersistence for information system components; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for nonpersistence; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Automated mechanisms supporting and/or implementing initiation and termination of nonpersistent components.
SI-14(1) Nonpersistence: Refresh from trusted sources Review documentation for the system to ensure that refresh actions for system are performed with software/data from write-once, read-only media (WORM) or from selected off-line secure storage facilities. Discuss with System Owner, Security Officer, and security staff. Examine: System and information integrity policy; procedures addressing nonpersistence for information system components; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for obtaining component and service refreshes from trusted sources; organizational personnel with information security responsibilities. Test: Organizational processes for defining and obtaining component and service refreshes from trusted sources; automated mechanisms supporting and/or implementing component and service refreshes.
SI-15 Information output filtering Review documentation for the system and organization to ensure that the monitoring of outputs from the system is consistently performed to detect extraneous content, to prevent such extraneous content from being displayed, and to alert monitoring tools that anomalous behavior has been discovered. Discuss with System Owner, operations staff, security staff, and Security Officer. Examine: System and information integrity policy; procedures addressing information output filtering; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for validating information output; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational processes for validating information output; automated mechanisms supporting and/or implementing information output validation.
SI-16 Memory protection Review documentation to ensure that the system provides memory protection methods to prevent unauthorized code execution. These techniques, such as data execution prevention (DEP) and address space layout randomization (ASLR), are tested for proper operation via sample injection tests and subsequent evaluation of the results. Discuss with System Owner, security staff, and Security Officer. Examine: System and information integrity policy; procedures addressing memory protection for the information system; information system design documentation; information system configuration settings and associated documentation; list of security safeguards protecting information system memory from unauthorized code execution; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for memory protection; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Automated mechanisms supporting and/or implementing safeguards to protect information system memory from unauthorized code execution.
SI-17 Fail-safe procedures Review documentation to determine the failure modes for the system and the actions to be taken as a result of a failure, such as do nothing, reestablish system settings, shut down processes, restart the system, or contact designated organizational personnel. Test the system by causing an interruption of processing, coordinated with operations, to evaluate the failure-handling techniques and actions of the system. Discuss with operations staff, System Owner, security staff, and Security Officer. Examine: System and information integrity policy; procedures addressing memory protection for the information system; information system design documentation; information system configuration settings and associated documentation; list of security safeguards protecting information system memory from unauthorized code execution; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibility for fail-safe procedures; organizational personnel with information security responsibilities; system/network administrators; system developer. Test: Organizational fail-safe procedures; automated mechanisms supporting and/or implementing fail-safe procedures.
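Part of the SI-16 DEP/ASLR verification can be automated by inspecting the build-time markers on a binary before any injection testing is done. The following Python script is an added example and is not part of this handbook: it parses an ELF64 image for the PT_GNU_STACK program header (a non-executable stack, the Linux counterpart of DEP) and for the ET_DYN type (position-independent code, which ASLR can relocate), and interprets the kernel's randomize_va_space setting. The ELF images it inspects are constructed inline for the demonstration; the function names and the 800-53 control references are the example's own.

```python
"""Assessor check for SI-16 memory-protection markers on Linux ELF64 binaries (example code)."""
import struct
from typing import Dict, List, Optional

PT_GNU_STACK = 0x6474E551  # program header carrying the stack permission flags
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3     # fixed-address executable vs. position-independent


def check_elf_memory_protections(data: bytes) -> Dict[str, object]:
    """Return NX-stack and PIE status for a little-endian ELF64 image plus SI-16 findings."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_flags: Optional[int] = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("truncated program header table")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags

    pie = e_type == ET_DYN
    # On Linux a missing PT_GNU_STACK header makes the loader grant an executable
    # stack, so "absent" is treated as a failure, not as unknown.
    nx_stack = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)

    findings: List[str] = []
    if not pie:
        findings.append("SI-16: binary is not position-independent; ASLR cannot relocate its image")
    if gnu_stack_flags is None:
        findings.append("SI-16: no PT_GNU_STACK header; stack defaults to executable (no DEP)")
    elif gnu_stack_flags & PF_X:
        findings.append("SI-16: PT_GNU_STACK marks the stack executable (no DEP)")
    return {"pie": pie, "nx_stack": nx_stack, "findings": findings}


def assess_randomize_va_space(value: str) -> Dict[str, object]:
    """Interpret /proc/sys/kernel/randomize_va_space: 2 = full ASLR, 1 = no brk randomization, 0 = off."""
    level = int(value.strip())
    meaning = {0: "ASLR disabled", 1: "ASLR without brk randomization", 2: "full ASLR"}
    if level not in meaning:
        raise ValueError("unexpected randomize_va_space value %r" % value)
    return {"level": level, "meaning": meaning[level], "compliant": level == 2}


def assess_file(path: str) -> Dict[str, object]:
    """Read a binary from disk and run the ELF checks against it."""
    with open(path, "rb") as fh:
        return check_elf_memory_protections(fh.read())


def build_sample_elf(e_type: int, gnu_stack_flags: Optional[int]) -> bytes:
    """Constructed minimal ELF64 header (x86-64, little-endian) with an optional PT_GNU_STACK.

    This is test input for the checker, not a loadable program."""
    phdrs = b""
    if gnu_stack_flags is not None:
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB, version 1
    header = struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,            # e_type, e_machine (x86-64), e_version
        0,                          # e_entry
        64 if phdrs else 0, 0,      # e_phoff (right after the header), e_shoff
        0, 64, 56,                  # e_flags, e_ehsize, e_phentsize
        1 if phdrs else 0,          # e_phnum
        64, 0, 0,                   # e_shentsize, e_shnum, e_shstrndx
    )
    return ident + header + phdrs


if __name__ == "__main__":
    # Hardened build: PIE with a read/write, non-executable stack.
    print(check_memory := check_elf_memory_protections(build_sample_elf(ET_DYN, PF_R | PF_W)))
    # Weak build: fixed-address executable with an executable stack.
    print(check_elf_memory_protections(build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X)))
    print(assess_randomize_va_space("2\n"))
```

On a real host, `assess_file("/path/to/binary")` and `assess_randomize_va_space(open("/proc/sys/kernel/randomize_va_space").read())` give the two pieces of evidence the assessor records before moving on to the injection tests.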
S. Privacy controls
a. SP 800-53, rev.4
Appendix J of SP 800-53 rev. 4 contains the recommended privacy controls for US Government systems, broken out into 8 families of 26 specific privacy controls. These controls address the confidentiality and integrity concerns that assessors review and test against with respect to the privacy of the data retained by the system under review.
Control number Control name Assessment methods Notes and guidance documents
AP-1 Authority to collect Review documentation for the organization to determine legal and organizational requirements for PII collection. Ensure organization has assigned senior privacy official for organization and review their authorities and responsibilities. Ensure all privacy-related documentation is filed with appropriate external agencies. Discuss with System Owner, Senior Privacy Official, and Security Officer. Privacy Act, E-Government Act, A-130, Appendix I
AP-2 Purpose specification Review documentation to ensure the organization describes the purpose(s) for which personally identifiable information (PII) is collected, used, maintained, and shared in its privacy notices and public documents. Ensure all privacy documents are completed and filed appropriately, such as PTAs, PIAs, and SORNs. Discuss with Senior Privacy Official, System Owner, and Security Officer. Privacy Act, E-Government Act, A-130, Appendix I
AR-1 Governance and privacy program Review documentation for organization to ensure the Privacy plan encompasses all privacy considerations, plans, processes, policies and procedures for handling privacy-related information. Discuss with System Owner, Senior Privacy Official, and Security Officer. Privacy Act, E-Government Act, FISMA, A-130, Appendix I, OMB M-03-22, OMB M-05-08, OMB M-07-16
AR-2 Privacy impact and risk assessment Review documentation to ensure the organization has completed all privacy risk assessments, privacy threshold analysis documents and privacy impact analysis forms and documents. Review documents for completeness and accuracy. Discuss with Senior Privacy Official, Security Officer, and System Owner. E-Government Act, FISMA, OMB M-03-22, OMB M-05-08, OMB 10-23, SP 800-30, rev. 1
AR-3 Privacy Requirements for contractors and service providers Review documentation for organization to ensure all contracting actions, acquisition processes and contractors to organization are instructed in, advised on, and abide by all privacy regulations and guidance for the organization. Discuss with Senior Privacy Official, Acquisition staff, Security Officer, and System Owner. Privacy Act, FAR, DFAR
AR-4 Privacy monitoring and auditing Review documentation for the organization to ensure monitoring of the privacy program and the auditing of the PII utilization is in accordance with federal guidelines and requirements. Review results with System Owner, Senior Privacy Official, and Security Officer. Privacy Act, E-Government Act, FISMA, A-130, OMB M-03-22, OMB M-05-08, OMB M-07-16, OMB 10-23
AR-5 Privacy awareness and training Review documentation for proof of training events and activities for all users of system which contains Privacy topics and overviews. Ensure all users receive training through review of training records, online tracking systems and review of educational materials. Discuss with Senior Privacy Official, System Owner, operations staff, and Security Officer. Privacy Act, FISMA, OMB M-03-22, OMB M-07-16
AR-6 Privacy reporting Review documentation to ensure all reporting requirements and needs are met and continue throughout the lifecycle of system. Ensure all reports contain correct and accurate data via sampling of reports and criteria from external agency. Discuss with Senior Privacy Official, System Owner, operations staff, Security Officer. Privacy Act, E-Government Act, FISMA, 9/11 Commission Act, OMB A-130, OMB M-03-22
AR-7 Privacy-enhanced system design and development Review documentation to verify system has automated privacy controls for the collection, use, retention, and disclosure of personally identifiable information (PII). Ensure automatic controls are appropriate, valid and functional. Discuss with security staff, operations staff, System Owner, Senior Privacy Official, and Security Officer. Privacy Act, E-Government Act, OMB M-03-22
AR-8 Accounting of disclosures Review documentation to ensure required accountings of disclosures of records are being properly maintained and provided to persons named in those records consistent with the dictates of the Privacy Act. Review criteria for reporting, based on agency requirements, and ensure organization fulfills these requirements when necessary. Discuss with Senior Privacy Official, System Owner, operations staff and Security Officer. Privacy Act
DI-1 Data quality Review documentation to determine the extent the organization reviews and updates the PII retained in system for accuracy, relevance, timeliness, and completeness of that information. Ensure documentation and reporting reflects actions for quality control of retained PII. Discuss with operations staff, Senior Privacy Official, System Owner, and Security Officer. Privacy Act, Paperwork Reduction Act, OMB M-07-16
DI-1(1) Data quality: Validate PII Review documentation to ensure sensitive data quality requirements are reviewed, validated, and instituted by organization. Discuss with Senior Privacy Official, operations staff, Security Officer, and System Owner. Privacy Act, Paperwork Reduction Act, OMB M-07-16
DI-1(2) Data quality: Revalidate PII Review documentation to ensure sensitive data quality requirements are revalidated by organization on a periodic basis. Discuss with Senior Privacy Official, operations staff, Security Officer, and System Owner. Privacy Act, Paperwork Reduction Act, OMB M-07-16
DI-2 Data integrity and data integrity board Review documentation to ensure organization institutes security controls for integrity of PII and creates a data integrity board for PII oversight. Discuss with Senior Privacy Official, System Owner, operations staff, and Security Officer. Privacy Act, Computer Matching and Privacy Protection Act, OMB A-130, App I
DI-2(1) Data integrity and data integrity board: Publish agreements on website Review documentation to ensure organization publishes all computer matching agreements on its public website. Observe agreements posted on website to validate compliance. Discuss with System Owner and Security Officer. Privacy Act, Computer Matching and Privacy Protection Act, OMB A-130, App I
DM-1 Minimization of personally identifiable information Review documentation for organization to ensure minimization of retrieved and retained PII is maintained and documented. Ensure organization periodically reviews amount of retained PII and performs minimization when possible. Discuss with Senior Privacy Official, System Owner, operations staff, and Security Officer. Privacy Act, E-Government Act, OMB M-03-22, OMB M-07-16, NISTIR 8053
DM-1(1) Minimization of personally identifiable information: Locate/Remove/Redact/Anonymize PII Review documentation to ensure location and redacting of PII is performed whenever possible in accordance with federal standards and agency requirements. Discuss PII redaction and anonymization efforts with Senior Privacy official, operations staff, System Owner, and Security Officer. Privacy Act, E-Government Act, OMB M-03-22, OMB M-07-16, SP 800-122, NISTIR 8053
DM-2 Data retention and disposal Review documentation to ensure organization retains and disposes of PII information utilizing proper agency procedures and policies and in accordance with federal guidelines. Ensure data is stored on appropriate media and marked correctly. Discuss with System Owner, Senior Privacy Official, Security Officer, and operations staff. Privacy Act, E-Government Act, OMB M-07-16, SP 800-88, NISTIR 8053, NARA Record Retention regulations
DM-2(1) Data retention and disposal: System configuration Review documentation for the organization to ensure all PII data is identified and recorded, including the date PII is collected, created, or updated and when PII is to be deleted or archived. Test the system configuration settings by observing the actual configurations and their implementation within the organizational system. Discuss with System Owner, Security Officer, operations staff, and security staff. Privacy Act, E-Government Act, OMB M-07-16, SP 800-88, NISTIR 8053, NARA Record Retention regulations
DM-3 Minimization of PII used in testing, training, and research Review documentation for organization to ensure use of PII data is minimized during testing and training efforts. Organizations often use PII for testing new applications or information systems prior to deployment, and this practice needs to be reviewed closely to ensure no release of live data occurs during testing, research efforts and training. Discuss with Senior Privacy Official, operations staff, development staff, Security Officer, and System Owner. SP 800-122
DM-3(1) Minimization of PII used in testing, training, and research: Risk minimization techniques Review documentation to ensure the organization uses de-identification techniques to minimize the risk to privacy of using PII for research, testing, or training where and when possible. Discuss with Senior Privacy Official, System Owner, development staff, operations staff, and Security Officer. SP 800-122, NISTIR 8053, SP 800-82
IP-1 Consent Review documentation for the organization to ensure the practice of obtaining consent to PII collection and data retention is documented for all data and information retained by the system. Ensure the methods of obtaining consent through opt-in, opt-out, or implied consent are documented, approved, and implemented for all users and objects of the system. Review with Senior Privacy Official, System Owner, Security Officer, and operations staff. Privacy Act, E-Government Act, OMB M-03-22, OMB M-10-22
IP-1(1) Consent: Mechanisms supporting itemized or tiered consent Review documentation to ensure the organizational process for consent includes options for individuals’ itemized choices as to whether they wish to be contacted for any of a variety of purposes. Ensure all policies and procedures for this process are documented and implemented. Discuss with Senior Privacy Official, System Owner, Security Officer, and operations staff. E-Government Act, Privacy Act, OMB M-03-22, OMB 10-22
IP-2 Individual access Review documentation to ensure the organization provides methods and techniques that give individuals the ability to review PII about them held within organizational systems of records. Ensure all requests for access are processed and appropriately adjudicated by the organization. Discuss with System Owner, Security Officer, operations staff, and Senior Privacy Official. Privacy Act, OMB A-130
IP-3 Redress Review documentation to ensure organization provides the ability of individuals to ensure the accuracy of PII held by organizations. Effective redress processes demonstrate organizational commitment to data quality especially in those business functions where inaccurate data may result in inappropriate decisions or denial of benefits and services to individuals. This review includes review of PII retention and organizations options for correction or amendment of records of individuals. Discuss with Senior Privacy Official, System Owner, operations staff, legal staff, and Security Officer. Privacy Act, OMB A-130
IP-4 Complaint management Review documentation for organization to ensure all complaints are handled correctly and in accordance with documented procedures. This ability of individuals to ensure the accuracy of PII held by organizations is considered important to help define the effective redress processes which demonstrate organizational commitment to data quality especially in those business functions where inaccurate data may result in inappropriate decisions or denial of benefits and services to individuals. Review and discuss these processes with the Senior Privacy Official, operations staff, legal staff, System Owner, and Security Officer. OMB A-130, OMB M-07-16, OMB M-08-09
IP-4(1) Complaint management: Response times Review documentation to ensure tracking mechanisms exist so that all complaints received are reviewed and appropriately addressed in a timely manner and within the appropriate time frame. Discuss with Senior Privacy Official, operations staff, System Owner, and Security Officer. OMB A-130, OMB M-07-16, OMB M-08-09
SE-1 Inventory of personally identifiable information Review documentation to ensure a full and accurate inventory of all PII retained within system is maintained for its accuracy, currency and completeness. Review and discuss with Senior Privacy Official, System Owner, Security Officer, and operations staff. Privacy Act, E-Government Act, FIPS-199, OMB M-03-22, SP 800-37, rev. 1, SP 800-122
SE-2 Privacy incident response Review documentation to ensure Incident Response efforts include a focus on those incidents that relate to personally identifiable information (PII). Discuss with operations staff, security staff, Senior Privacy Official, System Owner, and Security Officer. Privacy Act, FISMA, OMB M-06-19, OMB M-07-16, SP 800-37, rev. 1, SP 800-61, rev. 2
TR-1 Privacy notice Review documentation to ensure all PII collection is given effective notice to all individuals. Effective notice, by virtue of its clarity, readability, and comprehensiveness, enables individuals to understand how an organization uses PII generally and, where appropriate, to make an informed decision prior to providing PII to an organization. Discuss with System Owner, Security Officer, operations staff, and Senior Privacy Official. Privacy Act, E-Government Act, OMB M-03-22, OMB M-07-16, OMB M-10-22, OMB M-10-23, ISE Guidelines
TR-1(1) Privacy notice: Real-time or layered notice Review documentation to ensure appropriate notice is given at the time of collection. Real-time notice is defined as notice at the point of collection. A layered notice approach involves providing individuals with a summary of key points in the organization’s privacy policy. Discuss with Senior Privacy Official, operations staff, legal staff, System Owner, and Security Officer. Privacy Act, E-Government Act, OMB M-03-22, OMB M-07-16, OMB M-10-22, OMB M-10-23, ISE Guidelines
TR-2 System of records notices and privacy act statements Review documentation to ensure organizational filings of SORNs are accomplished successfully and in a timely manner. The organization is required to publish System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII). Review the process, documents, and approvals for SORN actions and activities. Discuss with Approving Official (AO), Senior Privacy Official, System Owner, and Security Officer. Privacy Act, OMB A-130
TR-2(1) System of records notices and privacy act statements: Public website publication Review documentation to ensure all SORNs are published publicly on the agency website for public review. Discuss with Senior Privacy Official, System Owner, operations staff, and Security Officer. Privacy Act, OMB A-130
TR-3 Dissemination of privacy program information Review documentation to ensure the organization provides the public with information on the privacy requirements and standards it maintains and follows. Methods of dissemination include, but are not limited to, privacy impact assessments (PIAs), SORNs, privacy reports, publicly available web pages, email distributions, blogs, and periodic publications (e.g., quarterly newsletters). Ensure documents are publicly available and verified. Discuss with Senior Privacy Official, System Owner, operations staff, and Security Officer. Privacy Act, E-Government Act, OMB M-03-22, OMB M-10-23
UL-1 Internal use Review documentation to ensure all PII in system is used only for authorized and documented usage within the organization. Discuss with Senior Privacy Official, System Owner, operations staff, security staff, legal staff, and Security Officer. Privacy Act
UL-2 Information sharing with third parties Review documentation to ensure only approved and appropriate usage of PII is subject to information sharing with other agencies and this external sharing of PII, including with other public, international, or private sector entities, will be consistent with uses described in the existing organizational public notice(s). Discuss with Senior Privacy Official, operations staff, legal staff, System Owner, and Security Officer. Privacy Act, ISE Guidelines
T. DOD specific controls
All DOD security controls from DODI 8500.2 have now been replaced with the SP 800-53, rev. 4 controls throughout all of the services. The DOD RMF transition process for the controls is automated under the DISA E-MASS tool and the controls are defined and discussed on the RMF Knowledge Service run by DISA and OSD. The site is DOD specific and requires a DOD-PKI cert in order to obtain the DOD versions of the SP 800-53 controls and the site is at https://rmfks.osd.mil
U. DHS EBK controls
a. Application security family
The primary assessment areas for these controls include:
Evaluate security requirements during software development activities on a system
Review processes that translate security requirements into application design elements
Audit mechanisms that govern the development of secure code and exploit mitigation
b. Data security family
The primary assessment areas for these controls include:
Review controls that facilitate the necessary levels of confidentiality of information found within the organization’s information system
Evaluate safeguards in the system that facilitate the necessary levels of integrity of information found within information systems
Audit controls that facilitate the necessary levels of availability of information and information systems
c. Regulatory and standards compliance family
The primary assessment areas for these controls include:
Audit strategies for compliance with the organization’s information security program
Identify and stay current on all laws, regulations, standards, and best practices applicable to the organization
Establish relationships with all regulatory information security organizations and appropriate industry groups, forums, and stakeholders
Keep informed on pending information security changes, trends, and best practices by participating in collaborative settings
Review information security compliance performance measurement components
V. ISO 27001/27002 specific controls
There are 114 controls in 14 groups.
a. Information security policies – 2 controls
Management should define a set of policies to clarify their direction of, and support for, information security. At the top level, there should be an overall “information security policy.”
b. Organization of information security – 7 controls
The organization should define the roles and responsibilities for information security, and allocate them to assigned individuals. Where relevant, duties should be segregated across roles and individuals to avoid potential conflicts of interest and prevent inappropriate activities, such as fraud and collusion. There should be contacts with relevant external authorities on information security matters. Information security should be an integral part of the management of all types of project. There should be security policies and controls for mobile devices and teleworking.
c. Human resources security – 6 controls
Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff (e.g., through adequate job descriptions, pre-employment screening, and background checks) and included in contracts (e.g., terms and conditions of employment and other signed agreements (such as Nondisclosure agreements [NDAs]) on security roles and responsibilities). Managers should ensure that employees and contractors are made aware of and motivated to comply with their information security obligations. A formal disciplinary process is necessary to define and handle information security breaches. Security aspects of a person’s exit from the organization or significant changes of roles should be managed, such as returning corporate information and equipment in their possession, updating their access rights, and reminding them of their ongoing obligations under privacy laws, contractual terms, etc.
d. Asset management – 10 controls
All information assets should be inventoried and owners should be identified to be held accountable for their security. “Acceptable use” policies should be defined, and assets should be returned when people leave the organization. Information should be classified and labeled by its owners according to the security protection needed, and handled appropriately. Information storage media should be managed, controlled, moved, and disposed of in such a way that the information content is not compromised.
e. Access control – 14 controls
The organization’s requirements to control access to information assets should be clearly documented in an access control policy and procedures. Network access and connections should be restricted. The allocation of access rights to users should be controlled from the initial user registration through the removal of access rights when they are no longer required. This includes special restrictions for privileged access rights, the management of passwords, and regular reviews and updates of access rights. Users should be made aware of their responsibilities toward maintaining effective access controls, for example, choosing strong passwords and keeping them confidential. Information access should be restricted in accordance with the access control policy, for example, through secure log-on, password management, control over privileged utilities, and restricted access to program source code.
f. Cryptography – 2 controls
There should be a policy on the use of encryption, plus cryptographic authentication, and integrity controls such as digital signatures and message authentication codes, and cryptographic key management.
g. Physical and environmental security – 15 controls
Defined physical perimeters and barriers, with physical entry controls and working procedures, should protect the premises, offices, rooms, delivery/loading areas etc. against unauthorized access. Specialist advice should be sought regarding protection against fires, floods, earthquakes, bombs, etc. “Equipment” (meaning ICT equipment, mostly) plus supporting utilities (such as power and air conditioning) and cabling should be secured and maintained. Equipment and information should not be taken off-site unless authorized, and must be adequately protected both on and off-site. Information must be destroyed prior to storage media being disposed of or reused. Unattended equipment must be secured and there should be a clear desk and clear screen policy.
h. Operations security – 14 controls
IT operating responsibilities and procedures should be documented. Changes to IT facilities and systems should be controlled. Capacity and performance should be managed. Development, test, and operational systems should be separated. Malware controls are required, including user awareness. Appropriate backups should be taken and retained in accordance with a backup policy. System user and administrator/operator activities, exceptions, faults, and information security events should be logged and protected. Clocks should be synchronized. Software installation on operational systems should be controlled. Technical vulnerabilities should be patched, and there should be rules in place governing software installation by users. IT audits should be planned and controlled to minimize adverse effects on production systems, or inappropriate data access.
i. Communications security – 7 controls
Networks and network services should be secured, for example, by segregation. There should be policies, procedures, and agreements (e.g., nondisclosure agreements) concerning information transfer to/from third parties, including electronic messaging.
j. System acquisition, development, and maintenance – 13 controls
Security control requirements should be analyzed and specified, including web applications and transactions. Rules governing secure software/systems development should be defined as policy. Changes to systems (both applications and operating systems) should be controlled. Software packages should ideally not be modified, and secure system engineering principles should be followed. The development environment should be secured, and outsourced development should be controlled. System security should be tested and acceptance criteria defined to include security aspects. Test data should be carefully selected/generated and controlled.
k. Supplier relationships – 5 controls
There should be policies, procedures, awareness etc., to protect the organization’s information that is accessible to IT outsourcers and other external suppliers throughout the supply chain, agreed within the contracts or agreements. Service delivery by external suppliers should be monitored, and reviewed/audited against the contracts/agreements. Service changes should be controlled.
l. Information security incident management – 7 controls
There should be responsibilities and procedures to manage (report, assess, respond to, and learn from) information security events, incidents, and weaknesses consistently and effectively, and to collect forensic evidence.
m. Business continuity management – 4 controls
The continuity of information security should be planned, implemented, and reviewed as an integral part of the organization’s business continuity management systems. IT facilities should have sufficient redundancy to satisfy availability requirements.
n. Compliance – 8 controls
The organization must identify and document its obligations to external authorities and other third parties in relation to information security, including intellectual property, [business] records, privacy/personally identifiable information, and cryptography. The organization’s information security arrangements should be independently reviewed (audited) and reported to management. Managers should also routinely review employees’ and systems’ compliance with security policies, procedures etc. and initiate corrective actions where necessary.
The following table lists each of the ISO controls along with the corresponding SP 800-53 control(s) associated with it. The table, taken from Appendix H of SP 800-53, provides the correlating test criteria for each control. Many ISO controls map to more than one SP 800-53 control, so when you test those ISO controls you must review all of the mapped SP 800-53 controls for a full evaluation. Following the assessment criteria for the SP 800-53 controls provides an almost complete set of evaluation criteria, but a few controls (marked with an asterisk in the table) require additional areas of testing. The “A.” number in front of each control (e.g., A.6.1.2) is the ISO 27001 control number.
ISO/IEC 27001 controls | NIST SP 800-53 controls
A.5 Information Security Policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security | All XX-1 controls
A.5.1.2 Review of the policies for information security | All XX-1 controls
A.6 Organization of information security
A.6.1 Internal organization
A.6.1.1 Information security roles and responsibilities | All XX-1 controls, CM-9, CP-2, PS-7, SA-3, SA-9, PM-2, PM-10
A.6.1.2 Segregation of duties | AC-5
A.6.1.3 Contact with authorities | IR-6
A.6.1.4 Contact with special interest groups | SI-5, PM-15
A.6.1.5 Information security in project management | SA-3, SA-9, SA-15
A.6.2 Mobile devices and teleworking
A.6.2.1 Mobile device policy | AC-17, AC-18, AC-19
A.6.2.2 Teleworking | AC-3, AC-17, PE-17
A.7 Human Resources Security
A.7.1 Prior to Employment
A.7.1.1 Screening | PS-3, SA-21
A.7.1.2 Terms and conditions of employment | PL-4, PS-6
A.7.2 During employment
A.7.2.1 Management responsibilities | PL-4, PS-6, PS-7, SA-9
A.7.2.2 Information security awareness, education, and training | AT-2, AT-3, CP-3, IR-2, PM-13
A.7.2.3 Disciplinary process | PS-8
A.7.3 Termination and change of employment
A.7.3.1 Termination or change of employment responsibilities | PS-4, PS-5
A.8 Asset Management
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets | CM-8
A.8.1.2 Ownership of assets | CM-8
A.8.1.3 Acceptable use of assets | PL-4
A.8.1.4 Return of assets | PS-4, PS-5
A.8.2 Information Classification
A.8.2.1 Classification of information | RA-2
A.8.2.2 Labelling of Information | MP-3
A.8.2.3 Handling of Assets | MP-2, MP-4, MP-5, MP-6, MP-7, PE-16, PE-18, PE-20, SC-8, SC-28
A.8.3 Media Handling
A.8.3.1 Management of removable media | MP-2, MP-4, MP-5, MP-6, MP-7
A.8.3.2 Disposal of media | MP-6
A.8.3.3 Physical media transfer | MP-5
A.9 Access Control
A.9.1 Business requirement of access control
A.9.1.1 Access control policy | AC-1
A.9.1.2 Access to networks and network services | AC-3, AC-6
A.9.2 User access management
A.9.2.1 User registration and de-registration | AC-2, IA-2, IA-4, IA-5, IA-8
A.9.2.2 User access provisioning | AC-2
A.9.2.3 Management of privileged access rights | AC-2, AC-3, AC-6, CM-5
A.9.2.4 Management of secret authentication information of users | IA-5
A.9.2.5 Review of user access rights | AC-2
A.9.2.6 Removal or adjustment of access rights | AC-2
A.9.3 User responsibilities
A.9.3.1 Use of secret authentication information | IA-5
A.9.4 System and application access control
A.9.4.1 Information access restriction | AC-3, AC-24
A.9.4.2 Secure logon procedures | AC-7, AC-8, AC-9, IA-6
A.9.4.3 Password management system | IA-5
A.9.4.4 Use of privileged utility programs | AC-3, AC-6
A.9.4.5 Access control to program source code | AC-3, AC-6, CM-5
A.10 Cryptography
A.10.1 Cryptographic controls
A.10.1.1 Policy on the use of cryptographic controls | SC-13
A.10.1.2 Key Management | SC-12, SC-17
A.11 Physical and environmental security
A.11.1 Secure areas
A.11.1.1 Physical security perimeter | PE-3*
A.11.1.2 Physical entry controls | PE-2, PE-3, PE-4, PE-5
A.11.1.3 Securing offices, rooms and facilities | PE-3, PE-5
A.11.1.4 Protecting against external and environmental threats | CP-6, CP-7, PE-9, PE-13, PE-14, PE-15, PE-18, PE-19
A.11.1.5 Working in secure areas | SC-42(3)*
A.11.1.6 Delivery and loading areas | PE-16
A.11.2 Equipment
A.11.2.1 Equipment siting and protection | PE-9, PE-13, PE-14, PE-15, PE-18, PE-19
A.11.2.2 Supporting utilities | CP-8, PE-9, PE-10, PE-11, PE-12, PE-14, PE-15
A.11.2.3 Cabling security | PE-4, PE-9
A.11.2.4 Equipment maintenance | MA-2, MA-6
A.11.2.5 Removal of assets | MA-2, MP-5, PE-16
A.11.2.6 Security of equipment and assets off-premises | AC-19, AC-20, MP-5, PE-17
A.11.2.7 Secure disposal or reuse of equipment | MP-6
A.11.2.8 Unattended user equipment | AC-11
A.11.2.9 Clear desk and clear screen policy | AC-11, MP-2, MP-4
A.12 Operations security
A.12.1 Operational procedures and responsibilities
A.12.1.1 Documented operating procedures | All XX-1 controls, SA-5
A.12.1.2 Change management | CM-3, CM-5, SA-10
A.12.1.3 Capacity management | AU-4, CP-2(2), SC-5(2)
A.12.1.4 Separation of development, testing, and operational environments | CM-4(1)*, CM-5*
A.12.2 Protection from malware
A.12.2.1 Controls against malware | AT-2, SI-3
A.12.3 Backup
A.12.3.1 Information backup | CP-9
A.12.4 Logging and monitoring
A.12.4.1 Event logging | AU-3, AU-6, AU-11, AU-12, AU-14
A.12.4.2 Protection of log information | AU-9
A.12.4.3 Administrator and operator logs | AU-9, AU-12
A.12.4.4 Clock synchronization | AU-8
A.12.5 Control of operational software
A.12.5.1 Installation of software on operational systems | CM-5, CM-7(4), CM-7(5), CM-11
A.12.6 Technical vulnerability management
A.12.6.1 Management of technical vulnerabilities | RA-3, RA-5, SI-2
A.12.6.2 Restrictions on software installation | CM-11
A.12.7 Information systems audit considerations
A.12.7.1 Information systems audit controls | AU-5*
A.13 Communications security
A.13.1 Network security management
A.13.1.1 Network controls | AC-3, AC-17, AC-18, AC-20, SC-7, SC-8, SC-10
A.13.1.2 Security of network services | CA-3, SA-9
A.13.1.3 Segregation in networks | AC-4, SC-7
A.13.2 Information transfer
A.13.2.1 Information transfer policies and procedures | AC-4, AC-17, AC-18, AC-19, AC-20, CA-3, PE-17, SC-7, SC-8, SC-15
A.13.2.2 Agreements on information transfer | CA-3, PS-6, SA-9
A.13.2.3 Electronic messaging | SC-8
A.13.2.4 Confidentiality or nondisclosure agreements | PS-6
A.14 System acquisition, development and maintenance
A.14.1 Security requirements of information systems
A.14.1.1 Information security requirements analysis and specification | PL-2, PL-7, PL-8, SA-3, SA-4
A.14.1.2 Securing application services on public networks | AC-3, AC-4, AC-17, SC-8, SC-13
A.14.1.3 Protecting application services transactions | AC-3, AC-4, SC-7, SC-8, SC-13
A.14.2 Security in development and support processes
A.14.2.1 Secure development policy | SA-3, SA-15, SA-17
A.14.2.2 System change control procedures | CM-3, SA-10, SI-2
A.14.2.3 Technical review of applications after operating platform changes | CM-3, CM-4, SI-2
A.14.2.4 Restrictions on changes to software packages | CM-3, SA-10
A.14.2.5 Secure system engineering principles | SA-8
A.14.2.6 Secure development environment | SA-3*
A.14.2.7 Outsourced development | SA-4, SA-10, SA-11, SA-12, SA-15
A.14.2.8 System security testing | CA-2, SA-11
A.14.2.9 System acceptance testing | SA-4, SA-12(7)
A.14.3 Test data
A.14.3.1 Protection of test data | SA-15(9)*
A.15 Supplier Relationships
A.15.1 Information security in supplier relationships
A.15.1.1 Information security policy for supplier relationships | SA-12
A.15.1.2 Address security within supplier agreements | SA-4, SA-12
A.15.1.3 Information and communication technology supply chain | SA-12
A.15.2 Supplier service delivery management
A.15.2.1 Monitoring and review of supplier services | SA-9
A.15.2.2 Managing changes to supplier services | SA-9
A.16 Information security incident management
A.16.1 Management of information security incidents and improvements
A.16.1.1 Responsibilities and procedures | IR-8
A.16.1.2 Reporting information security events | AU-6, IR-6
A.16.1.3 Reporting information security weaknesses | SI-2
A.16.1.4 Assessment of and decision on information security events | AU-6, IR-4
A.16.1.5 Response to information security incidents | IR-4
A.16.1.6 Learning from information security incidents | IR-4
A.16.1.7 Collection of evidence | AU-11*
A.17 Information security aspects of business continuity management
A.17.1 Information security continuity
A.17.1.1 Planning information security continuity | CP-2
A.17.1.2 Implementing information security continuity | CP-6, CP-7, CP-8, CP-9, CP-10, CP-11, CP-13
A.17.1.3 Verify, review, and evaluate information security continuity | CP-4
A.17.2 Redundancies
A.17.2.1 Availability of information processing facilities | CP-2, CP-6, CP-7
A.18 Compliance
A.18.1 Compliance with legal and contractual requirements
A.18.1.1 Identification of applicable legislation and contractual requirements | All XX-1 controls
A.18.1.2 Intellectual property rights | CM-10
A.18.1.3 Protection of records | AC-3, AU-9, CP-9
A.18.1.4 Privacy and protection of personal information | Appendix J Privacy controls
A.18.1.5 Regulation of cryptographic controls | IA-7, SC-13
A.18.2 Information security reviews
A.18.2.1 Independent review of information security | CA-2(1), SA-11(3)
A.18.2.2 Compliance with security policies and standards | All XX-1 controls, CA-2
A.18.2.3 Technical compliance review | CA-2
Note: An asterisk (*) indicates that the NIST control does not fully satisfy the intent of the ISO/IEC control.
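The practical consequence of this mapping for an assessor is that one ISO control usually fans out to several SP 800-53 assessments, the same SP 800-53 control is reached from several ISO controls, and the asterisked rows need testing beyond the SP 800-53 procedures. The following Python script is an added example, not part of the book and not a NIST tool: it parses mapping rows of the form used in the table (ISO number, control name, mapped SP 800-53 controls, with or without a column separator) into a structured index, expands “All XX-1 controls” to the -1 policy-and-procedures control of each family (an assumption made here: the 17 Rev. 4 security control families, excluding PM), builds a de-duplicated assessment checklist for a chosen set of ISO controls, and flags the pairs marked with an asterisk. The rows embedded in it are a constructed subset copied from the table.

```python
"""Added example: turn ISO/IEC 27001 -> SP 800-53 mapping rows into an
assessment checklist. Not from the book or from NIST."""
import re
from collections import defaultdict

# Constructed subset of the mapping rows, copied from the table in the text.
MAPPING_ROWS = """\
A.5.1.1 Policies for information security | All XX-1 controls
A.6.1.2 Segregation of duties | AC-5
A.9.2.3 Management of privileged access rights AC-2, AC-3, AC-6, CM-5
A.9.4.5 Access control to program source code AC-3, AC-6, CM-5
A.11.1.1 Physical security perimeter PE-3*
A.12.1.4 Separation of development, testing, and operational environments CM-4(1)*, CM-5*
A.12.6.1 Management of technical vulnerabilities RA-3, RA-5, SI-2
A.16.1.7 Collection of evidence AU-11*
A.18.1.4 Privacy and protection of personal information Appendix J Privacy controls
"""

# Assumption: "All XX-1 controls" means the -1 (policy and procedures) control of
# each of the 17 SP 800-53 Rev. 4 security control families; PM is not included.
FAMILIES = ("AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PS", "RA", "SA", "SC", "SI")
ALL_XX1 = "All XX-1 controls"
APPENDIX_J = "Appendix J Privacy controls"

CONTROL = r"[A-Z]{2}-\d+(?:\(\d+\))?\*?"          # e.g. AC-2, CM-4(1), PE-3*
ITEM = rf"(?:{ALL_XX1}|{APPENDIX_J}|{CONTROL})"
ROW_RE = re.compile(rf"^(A\.\d+\.\d+\.\d+)\s+(.+?)\s+({ITEM}(?:,\s*{ITEM})*)$")


def control_key(cid):
    """Sort key so that AC-2 < AC-17 < CM-4(1); non-standard refs sort last."""
    m = re.fullmatch(r"([A-Z]{2})-(\d+)(?:\((\d+)\))?", cid)
    if not m:
        return ("ZZ", 0, 0, cid)
    return (m.group(1), int(m.group(2)), int(m.group(3) or 0), "")


def parse_mapping(text):
    """Return {iso_id: {"name": str, "nist": [(control_id, partial), ...]}}.
    partial is True where the table marks the control with an asterisk."""
    mapping = {}
    for raw in text.splitlines():
        line = " ".join(raw.replace("|", " ").split())  # drop separator, squeeze spaces
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable mapping row: {raw!r}")
        iso_id, name, items = m.groups()
        nist = []
        for item in re.split(r",\s*", items):
            if item == ALL_XX1:
                nist.extend((f"{fam}-1", False) for fam in FAMILIES)
            elif item == APPENDIX_J:
                nist.append((item, False))   # kept as a literal cross-reference
            else:
                nist.append((item.rstrip("*"), item.endswith("*")))
        mapping[iso_id] = {"name": name, "nist": nist}
    return mapping


def checklist(mapping, iso_ids):
    """Assessment plan for a set of ISO controls: the de-duplicated SP 800-53
    controls to assess, plus the (iso, nist) pairs where the SP 800-53
    assessment alone does not satisfy the ISO control's intent."""
    to_assess = set()
    extra = []
    for iso_id in iso_ids:
        for cid, partial in mapping[iso_id]["nist"]:
            to_assess.add(cid)
            if partial:
                extra.append((iso_id, cid))
    return {"assess": sorted(to_assess, key=control_key), "extra_testing": extra}


def reverse_index(mapping):
    """{nist_control: [iso ids]}: which ISO controls one SP 800-53 assessment supports."""
    index = defaultdict(list)
    for iso_id, entry in mapping.items():
        for cid, _ in entry["nist"]:
            index[cid].append(iso_id)
    return {cid: sorted(ids) for cid, ids in index.items()}


if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_ROWS)
    plan = checklist(mapping, ["A.9.2.3", "A.9.4.5", "A.12.1.4"])
    print("assess:", ", ".join(plan["assess"]))
    print("needs additional testing:", plan["extra_testing"])
    print("AC-3 supports:", reverse_index(mapping)["AC-3"])
```

Running the script for A.9.2.3, A.9.4.5 and A.12.1.4 collapses the nine mapped entries to five distinct SP 800-53 controls and reports that CM-4(1) and CM-5 under A.12.1.4 still need the additional testing the asterisk calls for; the reverse index is the view to use when reusing one SP 800-53 assessment result as evidence for several ISO controls.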