Contractor Requirements Document (Supplemented) Form
DOE-RL-RIMS-RPMS-RM-Supplemented Contractor Requirements Document 1 of 1

CRD #: CRD O 205.1B, Chg. 2 (Supplemented Revision 2)
Title: Department of Energy Cyber Security Program
Applicable Contractor(s): RCC OccMed X PRC X MSC X Other X (TOC, ATL, BNI)

Section A – Headquarters CRD: DOE O 205.1B, Chg. 2, Attachment 1

Section B – General Clarifications:

Headquarters DOE O 205.1B, Chg. 2, Attachment 1, item 1 reads:

“1. The contractor is responsible for assessing and managing risk within its environment, in the context of acceptable mission risk set collaboratively with the Federal Site Manager.”

The “acceptable mission risk” (i.e. drivers for a site-specific cyber security risk approach) is to be included in the Site Risk Management Approach document after consultation with the RL Authorizing Official and RL Authorizing Official Designated Representatives.

Headquarters DOE O 205.1B, Chg. 2, Attachment 1, item #2 reads:

“2. The contractor must formally establish a Site Risk Management Approach (RMA) that is consistent with the requirements of the applicable Senior DOE Management (SDM) RMA implementation plan.”

The “SDM RMA implementation plan” shall refer to the Office of Environmental Management (EM) Cyber Security Policy and Risk Management Approach Implementation Plan (attached).

Headquarters DOE O 205.1B, Chg. 2, Attachment 1, item #4 reads:

“4. The contractor must establish and implement a configuration management approach. Where mission appropriate, the approach must consider federally established configurations, such as the Federal Desktop Core Configuration (FDCC) as an alternative.”

This approach must use Federally established configuration baselines where possible, be documented in the system security plan, and be approved by the RL Authorizing Official.

Section C – Specific Clarifications: MSC, OccMed, PRC, TOC, and ATL

Because MSC, OccMed, PRC, and TOC all share the same network (Hanford Federal Cloud), MSC will have the lead in developing a common authorization boundary (or boundaries) with associated security assessment and authorization documentation. MSC will solicit input from the other organizations to incorporate their organization specific requirements into supplemental system security plans.

Section D – General Supplemental Requirements: None.

Section E – Specific Supplemental Requirements: None.



DOE EM RMAIP 1 of 266

Office of Environmental Management (EM) Cyber Security Policy and Risk Management Approach Implementation Plan

February 2014

Office of Environmental Management, U.S. Department of Energy, Washington, DC


Table of Contents

SCOPE........................................................................................................................................................... 5

APPENDICES .............................................................................................................................................. 5

REFERENCES ............................................................................................................................................. 6

INTRODUCTION ........................................................................................................................................ 6

AUTHORIZING OFFICIAL ............................................................................................................................ 11

AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE ............................................................................ 11

EM CYBER SECURITY PROGRAM MANAGER ............................................................................................... 12

RISK EXECUTIVE (RE) .............................................................................................................................. 12

INFORMATION SYSTEM SECURITY MANAGER .............................................................................................. 13

CERTIFICATION AGENT (CA) ..................................................................................................................... 14

INFORMATION SYSTEM SECURITY OFFICER (ISSO) .................................................................................... 14

INFORMATION TECHNOLOGY CONTINGENCY PLANNING DIRECTOR ............................................................ 14

DATABASE ADMINISTRATOR (DBA) ........................................................................................................... 15

APPLICATION ADMINISTRATOR (AA) .......................................................................................................... 15

NETWORK DEVICE ADMINISTRATOR (NDA) ............................................................................................... 15

CONTRACTING OFFICER (CO) .................................................................................................................. 16

CORE CONTROLS ....................................................................................................................................17

PROGRAM MANAGEMENT CONTROLS............................................................................................20

EM CENTRAL REPOSITORY, EGOV RISK PORTFOLIO MANAGER (EGOV RPM) ................23

EM CM TEAM RESPONSIBILITIES FOR WORKING WITH EM SITES.......................................24

EM SITES CONTINUOUS MONITORING RESPONSIBILITIES......................................................25

INHERITED CONTROL GUIDANCE ....................................................................................................28

AO’S ANNUAL REAUTHORIZATION RESPONSIBILITIES............................................................28

NATIONAL SECURITY SYSTEMS ........................................................................................................28

FEDERAL INFORMATION SYSTEMS MANAGEMENT ACT OF 2002 ..........................................29

EM HQ MISSION INFORMATION PROTECTION PROGRAM (MIPP) SUPPORT AND PARTICIPATION ......................... 30

CONTINGENCY PLANNING ..................................................................................................................31

CONTRACTOR REQUIREMENTS, SYSTEM ACQUISITION AND SERVICES............................32

SUPPLY CHAIN RISK MANAGEMENT ...............................................................................................32

DOE’S ENHANCED CYBER SECURITY SERVICES (DEX)..............................................................33

MOBILE DEVICE GUIDELINES FOR FOREIGN TRAVEL..............................................................33

FOREIGN NATIONALS............................................................................................................................33

HSPD-12 REQUIREMENTS AND PROJECTED MILESTONES .......................................................34

IPV6 REQUIREMENTS AND PROJECTED MILESTONES...............................................................34

DOMAIN NAME SYSTEM SECURITY EXTENSIONS (DNSSEC) ....................................................35

INDUSTRIAL CONTROL SYSTEMS .....................................................................................................35

WIRELESS INFORMATION SYSTEMS................................................................................................35


CONTROLLED UNCLASSIFIED INFORMATION (CUI) PROTECTION.......................................36

APPENDIX A – NIST SP 800-53 REV 4 SECURITY CONTROLS AND GUIDANCE ......................37

APPENDIX B – NSS SECURITY CONTROLS ............................................................................... 149

APPENDIX C – NIST SP 800-53 REV 4 CONTROL FAMILY POLICIES ................................. 242

APPENDIX D – EM CONTRACTOR REQUIREMENTS ............................................................. 257

ACRONYM LIST ................................................................................................................ 265


Purpose

The purpose of this document is to implement the Department of Energy (DOE) Risk Management Approach (RMA), as described in DOE O 205.1B, Chg.2, Department of Energy Cyber Security Program, within the Office of Environmental Management (EM). This document cancels the DOE Office of Environmental Management Program Security Plan, dated February 2009. This document is the Senior DOE Management (SDM) Cyber Security RMA Implementation Plan (IP) for EM Headquarters (HQ) and EM sites.

Scope

This RMAIP sets forth EM policy concerning cyber security requirements and provides EM sites with guidance and, where applicable, direction concerning specific requirements. The requirements found in this document are in addition to the requirements set forth in National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS)/Special Publications (SP), Committee on National Security Systems (CNSS) and DOE O 205.1B, Chg.2. The latest versions of NIST, FIPS and CNSS documents should be used in accordance with contractual requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities.

Applicability

This document applies to all EM sites and their respective information processing systems, both government-owned and government owned/contractor-operated systems, that process, store, or communicate EM information/data. Field managers are to ensure that contractor-developed Risk Management Approach documents required by DOE O 205.1B, Chg 2, Attachment 1, meet the requirements of this RMAIP.

This document also applies to National Security Systems (NSS) operating on behalf of or located on EM sites that process, store, or communicate sensitive information (see NIST 800-59 for determination of NSS systems). EM sites must use DOE O 205.1B, Chg.2, the most current versions of NIST SP 800 series specific to cyber security/accreditation, and CNSS Publications specific to the accreditation of NSS. The Office of Corporate Information Technology, EM-72, has prepared Appendix B – NSS Security Controls, to assist the sites in system categorization and implementation of the CNSS security controls. EM sites also must use the latest version of NIST SP 800-82 for securing the Industrial Control Systems (ICS) that collect, process, or store data to support the EM mission.

Questions regarding this document should be directed to the EM Cyber Security Program Manager (EM CSPM) at [email protected].

Appendices


Appendix A – NIST SP 800-53 Rev 3 Security Controls and Guidance

Appendix B – NSS Security Controls

Appendix C – NIST SP 800-53 Rev 3 -1 Control Policies

Appendix D – EM Contractor Requirements

Appendix E – NIST 800-27 Rev A Engineering Principles

Appendix F – Sanitization and Disposal of Media and Mobile Devices

References

The most current versions of these documents are to be used by sites to secure IT systems that support the site missions.

1. Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002

2. Office of Management and Budget (OMB) Circular A-130, Appendix III, 2000

3. DOE Order 205.1 B, Chg 2, DOE Cyber Security Management, May 2011

4. DOE Order 206.2, Identity, Credential, and Access Management, Feb 19, 2013

5. DOE 470.4-1B, chg.1, Safeguards and Security Program, July 2011

6. DOE Order 142.3A Unclassified Foreign Visits and Assignments Program, October 14, 2010

7. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006

8. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004

9. NIST SP 800-18 (Feb 2006), 800-30 (Sept 2012), 800-34 (May 2010), 800-37 (Feb 2010), 800-40 (Sept 2012), 800-52 (2005), 800-53 (April 2013), 800-63 (Feb 2013), 800-71, 800-73 (May 2013), 800-76 (July 2012), 800-78 (May 2013), 800-81 (April 2010), 800-82 (April 2013), 800-88 (Sept 2012), and 800-100 (Oct 2006)

10. Committee on National Security Systems (CNSS) 1253 (March 2012)

Introduction

EM information and information systems are critical to successful mission and business operations, and are dependent on the underlying information technology (IT) infrastructure. IT systems have become vital to performing and protecting the EM mission, assets, and personnel, and must be protected in a manner commensurate with the impact to EM’s mission, acceptable risk levels, security requirements, and potential magnitude of harm. Disruption of IT systems can cause delays in achieving mission milestones, productivity losses, loss of critical data, and can create data integrity issues that negatively impact mission success.

Secure IT solutions will enable EM to:


- Be more efficient and productive in delivering IT services to meet or exceed cleanup milestones

- Execute business operations that result in more waste shipments and lower life-cycle cost

- Increase productivity

- Leverage secure and enhanced wireless services for more efficient waste monitoring, processing, removal, inventory, and storage

- Decrease energy costs by producing greener IT services

As government IT systems continue to be the target of daily sophisticated security attacks, signature-based protection programs, annual assessments and three-year static certification and accreditation (C&A) processes are no longer effective against this advanced persistent threat. Systems change, threats emerge, and sophisticated attacks occur on a daily basis. Only active monitoring of security controls can prevent or address the detection, analysis, eradication, and timely incident response activities associated with these attacks.

FISMA requirements, OMB memorandums/policy, and NIST standards and guidelines require a Continuous Monitoring (CM) approach for all Federal agency systems whether operated by federal or contractor staff. CM is the process required to constantly monitor the security posture and risk levels of an accreditation boundary or system to make certain that changes or successful attacks have not degraded the performance, affected the level of security controls, or created vulnerabilities in an IT system. The objective of a CM process is to determine if the complete set of planned, required, and deployed security controls within an information system, or controls inherited by the system, continue to be effective and adequate over time. A key aspect of a correctly planned and executed CM process ensures that current security controls are adequate to mitigate newly discovered threats, access or use violations, escalation of privileges, alteration of configurations, loss of confidentiality, and changes in data integrity or availability. CM also requires additional controls, above and beyond the NIST SP 800 series to be developed and implemented to mitigate evolving threats. When tailoring controls, EM HQ and EM sites are encouraged to add controls specific to their site and mission that may not be identified in NIST documentation.

An effective CM process validates that security safeguards are implemented correctly, operating as intended and produces valid security results sufficient to protect the system. CM is used to stay abreast of malicious activity, evolving threats, and identified vulnerabilities to enable sound decision making. This means that sites are expected to be proactive in meeting these new threats, vulnerabilities, and attacks without waiting for contractual changes in their respective contracts. It is also expected that federal and contractor staff will take appropriate action, based on sound risk-management decisions, to mitigate the evolving threat. This includes updating hardware and software that is outdated and unsupported by vendors, purchasing additional tools as technology advances, and mitigating any vulnerability due to technologic advancements. IT systems must evolve based on the threat. As hardware and software is updated or replaced, site IT staff should use sound engineering principles, as identified in NIST 800-27 (as modified), while conducting daily tasks. Appendix E is provided as guidance for sites concerning engineering principles as they apply to IT systems.

A key component of CM is the continuous assessment of risk and the deployment of controls in a timely manner to mitigate the risk to an acceptable level. The Department’s RMA, as documented in DOE O 205.1B, Chg 2, governs the continuous assessment of risk. EM sites must use the six steps of the Risk Management Framework (RMF), including a full Security Test and Evaluation (ST&E) for Authority to Operate (ATO), as required by FISMA and addressed in NIST SP 800 series documents for initial accreditation of a system and to protect DOE information systems and data (categorization, selection of security controls, implementation of controls, assessment of the security controls, system authorization to operate and continuous monitoring). Currently, all EM systems have an ATO and have varying reauthorization dates. Systems currently authorized to operate must follow the Department’s RMA, CM, and Continuous Authorization to Operate (CAO) instructions outlined in this document.

Cloud computing must use the Federal Risk and Authorization Management Program (FedRAMP) select controls for accreditation if providing cloud services to other programmatic elements or federal agencies. Cloud services that are purchased must use the FedRAMP services to ensure that they are accredited to federal standards. Purchase agreements must contain appropriate language to ensure that the provider of service is FedRAMP accredited.

At the end of the CM year, the accumulation of scan results, verified data documents, updated Risk Assessment (RA), and Plan of Action and Milestones (POA&M) will allow the Authorizing Official (AO) to make a risk-based decision on the system’s ATO. The CM year begins the day the ATO is signed by the AO.

The CM process outlined in this document moves EM sites from a document intensive and three-year certification process to a more proactive, less laborious, and less expensive CM process which will result in a risk-based decision annually regarding the ATO of the system(s). This RMAIP will be periodically updated and revised to reflect new and ongoing cyber security risks and issues, as well as changes to national policy, Departmental policy, and other security guidance.


Department of Energy Risk Management Approach (RMA)

For systems that are currently operational and have an ATO, the Department’s RMA (see Fig 1) is a four-step process used in the assessment of risk during step 6 (see Fig. 2) of the NIST Risk Management Framework (RMF). The RMA integrates into the NIST RMF, a six-step process that addresses the life-cycle of an information system. These two concepts are to be used in the management of risk for all EM IT systems. The first three steps of the RMA integrate into RMF step 2 (select security controls) and RMF step 3, (the implementation of controls), when authorizing a new system (see Fig. 2). Step 4 of the RMA is to be used in concert with and replaces RMF step 6, (see Fig. 2). The RMA specifically calls out the stakeholders that should be involved in the risk determination and mitigation process.

The RMA deals mainly with the identification, monitoring, and management of risk based on mission needs. All operational and accredited systems should be in the CM step of the RMF. New systems, not yet accredited or approved for operation by the AO, must undergo the entire six-step RMF and four-step RMA before they are allowed to operate, unless given temporary and conditional authorization by the AO. If mission dictates that a system must become operational, the AO has the authority to grant conditional authorization to operate prior to a full certification of the system. The four-step RMA is to be used to assess risk when major changes in the system, threat, or risk are identified for all systems operating with a current ATO. For systems that are already operational, the four-step RMA is used to assess risk and to make risk-based decisions for future ATOs.

In order to accomplish the assessment of risk, a Business Impact Assessment (BIA) must be conducted. Each system must have a current BIA on file, or be identified in a BIA for the site network, with the authorization documentation. The BIA must be completed with input from the business stakeholders, IT staff, and system owners. A single BIA for an entire network, regardless of the number of authorized boundaries, is an acceptable approach.


Figure 1: DOE Risk Management Approach (RMA) Process

DOE Department RMA: Senior DOE Management (SDM) Cyber Security RMA Implementation Plans (IP)

Step 1: Risk Framing
  Involves: SDM & Federal Site Manager; Senior Site Manager; Authorizing Official
  Inputs: Threat Statements; Risk Response; Risk Monitoring
  Activities: Establish risk assumptions, constraints, & tolerance; ID priorities & trade-offs
  Outputs: Risk Management Strategy communicated to AO and Site CIO

Step 2: Risk Assessment
  Involves: Authorizing Official; Site CIO
  Inputs: SDM RMA IP; Risk Response; Risk Monitoring
  Activities: ID threats and vulnerabilities; Determine risk in context of mission
  Outputs: Risk Determination; Residual Risk; Resource Requirements; Communications

Step 3: Risk Response
  Involves: Authorizing Official; Site CIO
  Inputs: Risk Assessment; SDM RMA IP; NIST Requirements & Guides
  Activities: ID and evaluate risk response alternatives; Determine appropriate risk response; Implement cyber security protections
  Outputs: Approved & implemented cyber security protections

Step 4: Risk Monitoring
  Involves: Federal Site Manager; Senior Site Manager; Authorizing Official
  Inputs: Approved cyber security protections; Risk Management Strategy
  Activities: Risk monitoring strategy; Risk monitoring; Contractor assurance; Federal oversight
  Outputs: Cyber security effectiveness evaluation; RMA process assessment

Figure 2: How the RMF and RMA work together for EM (Process Overview)

Starting point:
  Architecture Description: Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries
  Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations

Risk Management Framework (repeat as necessary):
  Step 1: CATEGORIZE Information System
  Step 2: SELECT Security Controls
  Step 3: IMPLEMENT Security Controls
  Step 4: ASSESS Security Controls
  Step 5: AUTHORIZE Information System
  Step 6: MONITOR Security Controls

RMA steps shown on the RMF cycle: RMA Step 1 Risk Framing; RMA Step 2 Risk Assessment; RMA Step 3 Risk Response; RMA Step 4 Risk Monitoring


Roles and Responsibilities

This section describes the roles and responsibilities of key participants involved in an organization’s CM process. Recognizing that staffing is a concern, care must be taken to ensure separation of duties is adhered to when appointing these roles. One individual may perform multiple roles as long as an insider threat vulnerability is not created. An insider threat may be presented by a malicious user who has approved access to EM information and information systems and who can use that access to cause damage or steal sensitive information and system components. The key participants and their responsibilities are described below.

Authorizing Official

1. Must be a federal employee appointed in writing by the Assistant Secretary for EM.

2. Ensures that the requirements of the RMAIP are implemented.

3. Accepts risk for the operation of an IT system.

4. Directly appoints, in writing, a federal employee as the AO Designated Representative (AODR).

5. Furnishes a copy of the appointment letter for the AODR to the Cyber Security Program Manager at EM Headquarters as well as the site Information System Security Manager (ISSM) within 60 days of appointment.

6. Appoints a new or Acting AODR in the event of personnel turnover or extended absence of the AODR. An appointment letter for a new or Acting AODR must be disseminated within twenty one (21) business days of the departure of the previous AODR.

7. Ensures direct access to the AODR for all cyber security matters.

8. Receives, at least quarterly, a formal cyber security status briefing directly from the AODR.

9. Ensures that personnel are appointed, in writing, to the roles of System Owner, ISSM, Information System Security Officer (ISSO), and Information Technology Contingency Planning Director.

Authorizing Official Designated Representative

1. Must be a federal employee appointed in writing by the AO.

2. Acts on behalf of the AO (e.g., hold meetings, review SSPs, determine major vs. minor changes) as specified in the appointment letter.

3. Acts for the AO, but cannot formally accept risk to operate any system.

4. Maintains continual awareness of the cyber security posture of the AO’s area of responsibility, in coordination with the ISSM and other individuals as necessary.

5. Coordinates the formal written appointments of the System Owner, ISSM, ISSO, and IT Contingency Planning Director with the AO and other appropriate site-level management personnel.

6. Develops and presents a formal cyber security status briefing to the AO on a quarterly basis, or more frequently at the AO’s request.


EM Cyber Security Program Manager

1. Must be a federal employee located at EM HQ with cyber security responsibilities for the EM IT enterprise.

2. Maintains the RMAIP so that it remains consistent with the DOE RMA and with current federal cyber security policies.

3. Conducts cyber security oversight for the enterprise.

4. Justifies the need for and coordinates the implementation of standard solutions for cyber security concerns across the enterprise.

5. Delivers quarterly and annual FISMA reports and responds to all OMB and Chief Information Officer (CIO) data calls.

Risk Executive (RE)

The RE is a function performed by an individual or group within an organization that helps to ensure that: (1) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (2) management of information system-related security risk is consistent across an organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success. A group may be comprised of federal staff and contractors but must be led by a federal employee. The RE coordinates with the senior leadership of an organization to:

1. Provide a comprehensive, organization-wide, holistic approach for addressing risk, an approach that provides a greater understanding of the integrated operations of the organization.

2. Develop a risk management strategy for the organization providing a strategic view of information security-related risks with regard to the organization as a whole.

3. Facilitate the sharing of risk-related information among authorizing officials and other senior leaders within the organization.

4. Provide oversight for all risk management-related activities across the organization (e.g., security categorizations) to help ensure consistent and effective risk acceptance decisions.

5. Ensure that authorization decisions consider all factors necessary for mission and business success.

6. Provide an organization-wide forum to consider all sources of risk (including aggregated risk) to organizational operations and assets, individuals, other organizations and the Nation.

7. Promote cooperation and collaboration among authorizing officials to include authorization actions requiring shared responsibility.

8. Ensure that the shared responsibility for supporting organizational mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities.

9. Identify the organizational risk posture based on the aggregated risk to information from the operation and use of the information systems for which the organization is responsible.

The RE does not require a specific organizational structure and can be assigned to any one individual or group within the organization. The head of the agency/organization may choose to retain the RE function or to delegate the function to another official or group (e.g., an executive leadership council). The AO must appoint a RE for each system.

System Owner

The System Owner may be a federal or contractor employee that directly supports contingency planning activities described in the RMAIP Contingency Planning section. The System Owner:

1. Identifies appropriate personnel to serve on teams to perform the recovery and reconstitution activities described in each site’s IT Contingency Plan.

2. Ensures that recovery and reconstitution team members receive appropriate annual training.

3. Meets with the IT Contingency Planning Director on a quarterly basis to review team assignments and readiness.

4. Participates in the BIA process.

5. Prepares a business continuity of operation plan for use in the event that a long network outage is observed.

Information System Security Manager

1. The ISSM can be a contractor or federal employee appointed, in writing, by site management. The ISSM for each EM field site can be a federal employee charged with the management responsibility for system security or the contractor employee that reports to the federal employee charged with the management responsibility for system security.

2. The ISSM’s area of responsibility and authority is site-wide in scope and includes both EM federally-owned systems as well as contractor systems which store or process EM-owned data.

3. The ISSM maintains appointment letters for personnel in the ISSM’s area of responsibility.

4. The ISSM is responsible for disseminating the RMAIP to all personnel (including contractors) in the ISSM’s area of responsibility.

5. The ISSM cannot perform the role of Certification Agent (CA) for accreditation boundaries where the ISSM has management authority over the ISSO or other personnel (such as contractors) developing C&A documentation. The CA’s role must be performed by an independent party.

6. The ISSM ensures that at least one database administrator (DBA), application administrator (AA) or network device administrator (NDA) attends an annual security training class, conference, or workshop. An example may include the Information Management Conference (IMC) or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.

Certification Agent (CA)

1. The CA may consist of federal employees or contractors.

2. The CA is an individual or group that has complete management independence from the personnel that developed the C&A documentation being certified.

3. The CA conducts a comprehensive evaluation of the security controls employed within or inherited by an information system to determine the overall effectiveness.

4. The CA recommends corrective actions to address identified vulnerabilities.

5. The CA writes the Security Assessment Report (SAR) and presents it to the AO. The AO has discretion to accept or mitigate any vulnerability found in the SAR.

Information System Security Officer (ISSO)

1. The ISSO is the primary individual responsible for the day-to-day operation, coordination and execution of security functions, C&A, and all CM activities. A properly cleared and qualified contractor may hold this role. The ISSO coordinates the identification and appointment of Project Security Officers (PSO) with the ISSM and other management officials.

2. The ISSO directly participates in configuration management oversight procedures relevant to the accreditation boundaries that the ISSO oversees.

3. The ISSO meets with the ISSM and PSOs, at minimum, twice per month.

4. The ISSO disseminates the RMAIP to all PSOs within their accreditation boundaries.

Information Technology Contingency Planning Director

1. The IT Contingency Planning Director is appointed at EM field sites by the AODR. A qualified contractor or federal employee with the proper security clearance may hold this role.

2. The IT Contingency Planning Director analyzes and notifies the system owner, ISSM, and other appropriate management personnel of any staffing needs necessary to perform the recovery and reconstitution activities described in each site’s Contingency Plan and Project Managers Contingency Plans.

3. The IT Contingency Planning Director meets with system owners on a quarterly basis to review staffing assignments, contingency plan update status, integration with business continuity of operation or contingency plans, contingency plan testing status, contingency planning POA&Ms remediation status, and any other matters related to contingency planning.

4. The IT Contingency Planning Director documents a test of the Contingency Plan at least annually. Actual documented use of the Contingency Plan (e.g., in responding to an actual event) may substitute for such a test.


Database Administrator (DBA)

1. A DBA may be a federal or contractor employee.

2. The DBA is responsible for performing administratively-privileged functions on a relational database software product. Privileged functions include but are not limited to configuring database startup parameters, adding and deleting database-level user IDs, granting and revoking rights for users, and creating or modifying table space definitions. A contractor may hold this role with the proper security clearances and background.

3. At least one DBA must attend annual security training such as a SANS training event or the DOE IMC; that individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.

4. The DBA implements patching requirements on database software products.

5. The DBA implements password management requirements on database software products.

6. The DBA implements the audit logging requirements on database software products.

Application Administrator (AA)

1. An AA may be a federal or contractor employee.

2. The AA is responsible for performing privileged functions in a web-based software application, client-server application, electronic mail server, or other type of application server. Privileged functions include but are not limited to configuring application startup parameters, adding and deleting application user IDs, and granting and revoking folder/workspace permissions for users. A contractor may hold this role with the proper security clearances and background.

3. At least one AA must attend annual security training such as the DOE IMC or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.

4. The AA implements patching requirements on applicable software applications.

5. The AA implements password management requirements on applicable software applications.

Network Device Administrator (NDA)

1. An NDA may be a federal or contractor employee.

2. The NDA is responsible for performing privileged functions on network infrastructure equipment such as switches, routers, firewalls, remote access equipment, virtual private networking (VPN) equipment and wide area networking (WAN) equipment, hereafter referred to as “network devices.” A contractor may hold this role with the proper security clearances and background.

3. At least one NDA must attend annual security training such as the DOE IMC or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.

4. The NDA implements patching requirements on network devices.


5. The NDA implements password management requirements on network devices.

6. The NDA implements audit logging requirements on network devices.

Contracting Officer (CO)

The CO is a federal employee. The CO ensures the RMAIP is incorporated in EM contracts.

The CO ensures that fee awards consider Cyber Security Performance; see Appendix D for guidance. Cyber Security performance must be considered when calculating fee in all fee-based contracts. Fee should not be affected due to an intrusion into a network or system by an outside entity, but should be negatively affected if sites do not report those incidents in a timely fashion and in accordance with the DOE Joint Cybersecurity Coordination Center (JC3) guidance. Not all intrusions are preventable; therefore early detection should be rewarded.

The CO works with local IT staff to determine metrics and measure performance.

The CO ensures that the EM HQ CSPM has input to fee decisions, based on contractor cooperation in the deployment of HQ EM-provided tools during site assessments.

The CO incentivizes contractors to work together, partner, and share IT solutions and infrastructure to save energy and funding through efficiencies and consolidation where it makes sense.

General Instructions for Continuous Monitoring

Unless otherwise superseded by statute or other Federal policy, directive or guidance, all EM sites must use the instructions in DOE O 205.1B, Chg 2, and this RMAIP (or latest authorized version) to comply with security requirements in defining the risk management processes and mission-adjusted minimum security control baseline requirements necessary for ensuring the protection of unclassified and classified information systems, commensurate with risk and mission needs.

The objective of the RMAIP is to improve EM’s organizational protection of information systems and data. All EM systems/accreditation boundaries have some level of sensitivity and require protection as part of a good risk management framework practice. The protection of a system must be documented in a site’s accreditation boundary System Security Plan (SSP). The SSP must contain the system categorization, system description, a high level diagram, subsystems, review of security requirements, monitoring strategy, security controls provided by any hosted software (major application), implemented controls with an implementation description, controls tailored out and justification, and accepted risk due to the tailoring process. Security plans are required to be reviewed and updated within eGov Risk Portfolio Manager™ (eGov RPM) at least annually. The role of eGov RPM is discussed below.


The AO for each EM accreditation boundary or site, working in conjunction with the EM CSPM, is responsible for adequately ensuring the confidentiality, integrity, and availability of EM information systems/data and that the systems are operated in accordance with CNSS, NIST and DOE policies and directives.

Senior DOE management, the Federal Site Manager, the contractor’s senior IT manager, and the Site IT Director must annually conduct or review an Organization Impact Assessment/BIA and perform a system risk assessment to determine the acceptable level of risk for an accreditation boundary. These assessments will also be used to determine a “mission-adjusted minimum security controls baseline” for a site’s system(s). These assessments must be performed for unclassified and classified systems. Performing the assessments will provide the necessary information for the AO to determine the correct tailoring of mission minimum security baseline controls for ATO decisions and CM planning and execution.

The RE, AO, ISSM, ISSO, and site program offices must participate and agree on the organization risk assessments, system categorization level, and the correct selection of mission baseline security controls to be implemented on the accreditation boundary or system. The EM CSPM is available during these processes as required.

A senior-level federal employee must hold the AO function and responsibility. This is essential to ensure that the individual has an overall understanding of budgetary, mission operation, and the organizational requirements of the accreditation boundary, as well as the authority to make decisions concerning such systems.

The site AO is responsible for acceptance of the tailoring of security controls and the decision to not implement a security control. Tailoring decisions must be documented in the SSP with a justification and documentation of any resulting vulnerability or elevated security risk incurred. The site AO can also elect to implement a compensating (equivalent) security control provided it affords the same protection as the replaced control and provides an acceptable level of risk. The use of compensating controls should be documented in the SSP.

The mission-adjusted baseline security controls must be implemented, tested, and documented in an SSP. Sites must perform CM on mission-adjusted minimum security control baselines. eGov RPM must be used to build SSPs and POA&Ms. All CM artifacts such as ATOs, audit reports, scan results, incident reports, contingency plans, and other security documents must be uploaded to eGov RPM.

Core Controls

Core controls must be implemented and must not be tailored out unless a waiver is requested from and granted by the EM CSPM for any core control that is not implemented. Core controls are listed in the table below.


Table 1. Core Controls

| # | Control | Enh. # | Part | Control Name | NIST SP 800-53 Control Requirements |
|---|---------|--------|------|--------------|-------------------------------------|
| 1 | AC-5 | 0 | a | Separation of Duties | The organization: Separates [Assignment: organization-defined duties of individuals]; |
| 2 | AC-6 | 0 | - | Least Privilege | The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
| 3 | AC-8 | 0 | a.1 | System Use Notification | The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; |
| 4 | AU-6 | 0 | a | Audit Review, Analysis, and Reporting | The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and |
| 5 | CA-5 | 0 | a | Plan of Action and Milestones | The organization: Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and |
| 6 | CM-2 | 0 | - | Baseline Configuration | The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. |
| 7 | CM-3 | - | b | Configuration Change Control | The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; |
| 8 | CM-7 | 1 | a | Least Functionality | The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and |
| 9 | CP-4 | 0 | a | Contingency Plan Testing and Exercises | The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; |
| 10 | IA-2 | 1 | - | Identification and Authentication (Organizational Users) | The information system uses multifactor authentication for network access to privileged accounts. |
| 11 | IA-2 | 2 | - | Identification and Authentication (Organizational Users) | The information system uses multifactor authentication for network access to non-privileged accounts. |
| 12 | IR-3 | 0 | - | Incident Response Testing and Exercises | The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results. |
| 13 | IR-4 | 0 | a | Incident Handling | The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; |
| 14 | IR-6 | 0 | b | Incident Reporting | The organization: Reports security incident information to [Assignment: organization-defined authorities]. |
| 15 | MA-2 | 0 | d | Controlled Maintenance | The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and |
| 16 | MP-5 | 4 | - | Media Transport | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. |
| 17 | PL-4 | 0 | b | Rules of Behavior | The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; |
| 18 | SA-8 | 0 | - | Security Engineering Principles | The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system. |
| 19 | SC-28 | - | - | Protection of Information at Rest | The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. |

Program Management Controls

The information security program management (PM) controls described in this section complement the security controls in Appendix A and focus on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.

| Control | Enh. # | Part | Control Name | NIST SP 800-53 PM Control Requirements | EM Implementation |
|---------|--------|------|--------------|----------------------------------------|-------------------|
| PM-1 | 0 | a | Information Security Program Plan | The organization develops and disseminates an organization-wide information security program plan that: - Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; - Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended; - Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance; - Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), individuals, other organizations, and the Nation; | The RMAIP serves as the Information Security Program Plan for EM. The RMAIP provides an overview of the requirements for the EM enterprise, addresses the required program management controls and roles and responsibilities that enable the program, and is approved by the EM Senior Advisor for the Office of Environmental Management. |
| PM-1 | 0 | b | Information Security Program Plan | The organization reviews the organization-wide information security program plan annually. | The RMAIP is reviewed annually by the EM HQ staff. |
| PM-1 | 0 | c | Information Security Program Plan | The organization revises the plan to address organizational changes and problems identified during plan implementation or security control assessments. | EM HQ ensures that the RMAIP is updated per any organizational changes. |
| PM-2 | 0 | - | Senior Information Security Officer | The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program. | EM HQ has a Cyber Security Program Manager (CSPM) for the enterprise. Each site has an appointed AODR for local cyber security responsibilities. |
| PM-3 | 0 | a | Information Security Resources | The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement. | Capital Planning and Investment Control (CPIC) activities are coordinated at EM HQ among the respective groups responsible for resource identification. |
| PM-3 | 0 | b | Information Security Resources | The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required. | The EM HQ CPIC/EA team has the responsibility of developing and maintaining cyber security Exhibit 53/300s. |
| PM-3 | 0 | c | Information Security Resources | The organization ensures that information security resources are available for expenditure as planned. | The EM HQ MIPP Team is established to provide additional security resources to EM sites. An annual budget is approved and available for expenditure as planned. |
| PM-4 | 0 | - | Plan of Action and Milestones Process | The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation. | EM has implemented RPM for enterprise consolidation of POA&Ms. |
| PM-5 | 0 | - | Information System Inventory | The organization develops and maintains an inventory of its information systems. | System inventories are maintained locally at each site. In addition, Tenable Security System contains a central database for this information. |
| PM-6 | 0 | - | Information Security Measures of Performance | The organization develops, monitors, and reports on the results of information security measures of performance. | Cyber security performance metrics are addressed for the enterprise in the RMAIP. An EM cyber dashboard has been developed for tracking security measures of performance. Sites have local performance metrics implemented. |
| PM-7 | 0 | - | Enterprise Architecture | The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. | The Enterprise Architecture is addressed through the EM HQ CPIC/EA team. Coordination occurs between the EM HQ cyber security team and the CPIC/EA team. |
| PM-8 | 0 | - | Critical Infrastructure Plan | The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan. | It has been determined that EM has no critical infrastructure. |
| PM-9 | 0 | a | Risk Management Strategy | The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems. | The RMAIP serves as the risk management strategy for the EM enterprise. |
| PM-9 | 0 | b | Risk Management Strategy | The organization implements that strategy consistently across the organization. | The RMAIP serves as the risk management strategy for the EM enterprise. |
| PM-10 | 0 | a | Security Authorization Process | The organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes. | The EM Continuous Monitoring Program serves as the primary component of the security authorization process. |
| PM-10 | 0 | b | Security Authorization Process | The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process. | EM HQ and each site have designated cyber security roles and responsibilities to facilitate the security authorization process. |
| PM-10 | 0 | c | Security Authorization Process | The organization fully integrates the security authorization processes into an organization-wide risk management program. | EM HQ has developed the RMAIP to integrate security authorization of systems into an enterprise risk management program. |
| PM-11 | 0 | a | Mission/Business Process Definition | The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. | Mission/business process definition is addressed through the RMAIP, and each site considers risk from a mission/business process perspective locally through risk assessments. Each site must conduct a Business Impact Assessment for their IT systems. |
| PM-11 | 0 | b | Mission/Business Process Definition | The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained. | EM HQ has acquired a number of enterprise security solutions that are implemented at EM sites. This program procures solutions based upon threats to the EM mission and data security. |

EM Central Repository, eGov Risk Portfolio Manager (eGovRPM)

EM sites are to use the EM central repository and eGov RPM for IT and cyber security documentation. The eGov RPM repository will serve as the “institutional memory” for EM sites and computer operational personnel, and will allow the CM team to assist the sites, make operational recommendations, and gather report data for DOE and OMB. EM sites must evaluate their documentation for needed changes as a result of a major change to the system or guidance and update these changes in eGov RPM at least annually.

The ISSM or ISSO is responsible for ensuring that eGov RPM documents are loaded and updated in a timely manner for each accreditation boundary. eGov RPM training will be provided by CM team personnel at the request of each site or as required.

eGov RPM must be used by the CM team to provide preliminary security status information prior to an on-site assessment. It is important that this documentation be up to date in order to shorten the on-site assessment time, reduce the impact on IT personnel, and support accurate reporting.

All sites must use eGov RPM to create their SSPs and upload the appropriate accreditation boundary certification and Contingency Plan (CP), Incident Response Plan (IRP), Configuration Management Plan (CMP), other audit artifacts, and training documentation into the EM eGov RPM central repository. This must be accomplished at least annually, after review and upon updating or modification of the boundary or system documentation.

EM CM Team Responsibilities for Working with EM Sites

The EM CM effort is viewed as a partnership among the EM CSPM, EM federal sites, and EM contractors. Each of these groups has specific tasks that must be accomplished under an effective CM process.

As part of the CM process, site assessment and assistance visits must be conducted annually by an independent party for each approved boundary. In the past, IT systems/boundaries underwent certification testing, security assessment review and, if approved, accreditation. Under NIST SP 800-37 guidance, C&A is no longer used for existing systems; the current requirement is for an ATO to be issued by the AO as a result of CM requirements. Unless a new system is developed or major changes/modifications occur, as determined by the AO, an ST&E will no longer be performed every three years. Based on this change in philosophy and the emphasis on CM, the EM process will migrate to a dependence on site assessment visits. Based on the assessment outcome, which will consist of several CM activities, the AO may be advised to renew or re-authorize the system/boundary. For these reasons the HQ EM CSPM will have input to fee determination.

The EM CM team will assist with the CM effort from an enterprise perspective. The CM team will support the sites by a constant review and update of documentation throughout the life-cycle of the system and then concentrate efforts on identifying weaknesses and corrective actions. The CM team members will continue to assist in fixing documentation as required and offering solutions that are acceptable for the mitigation of discovered weaknesses. The EM CM team will ensure that one-third of the NIST mission-adjusted minimum security controls are tested for acceptable levels of residual risk each year in such a manner that, at a minimum, all security controls are reviewed/tested every three years. The EM CM team will provide an independent, annual continuous monitoring assessment at each site. These on-site assessments will evaluate the site’s NIST mission-adjusted minimum security controls for acceptable levels of residual risk in such a manner that, at a minimum, all security controls are reviewed/tested every three years. After the CM assessment, the CM team will produce a CM Security Assessment Report for the AO with a recommendation for reauthorization status.

The CM team will lead and facilitate the testing of plans (e.g., contingency, incident response) and assist in the validation of POA&M actions in order to verify and close the POA&M item. Leveraging the vulnerability management tool deployment for risk-based auditing against the functional baseline configurations of the sites will allow EM to report near real-time risk management conformance in a timely fashion in response to requests for information from, for example, the DOE Office of the Chief Information Officer or OMB. The CM team has developed the policy control statements for all the NIST families (e.g., AC-1, AT-1). The sites may use these policy statements to answer the family policy controls. Based on the cooperation of the contractor during these assessments, the EM CSPM will have the ability to give input to fee determination and negatively (or positively) impact fee, if warranted.

EM Sites Continuous Monitoring Responsibilities

EM sites are responsible for moving from a three-year-based C&A posture to a CM process within 60 days of incorporation within a contract. Sites are to continually update their cyber security programs based on NIST 800-37. Moving to a more robust CM process will reduce the cost of ATO, produce better cyber security, increase productivity, and render IT services more effective.

All EM government-owned and government-owned contractor-operated systems experience frequent changes, whether to the hardware, software, organizational environments, operational procedures/requirements, or changes in threat levels/risk assessment levels. Government- and contractor-operated systems must be able to respond to these daily near real-time emerging threats and continuous changes to their information systems by using CM.

Site infrastructures are susceptible to both accidental and malicious changes that can cause a system to become vulnerable. CM can thwart many attacks, prevent the rapid and deep penetration into a network that sophisticated attacks are capable of, and detect vulnerabilities introduced into the infrastructure via changes or due to technological evolution, prior to their being actively exploited.

In today’s near real-time attack environment of sophisticated hackers, not all attacks can be successfully prevented. Emphasis is now being placed on protection through the implementation of more robust security controls and continuously monitoring the operation of security controls to provide early detection, containment, and successful eradication of any intrusion or successful attack.

All EM sites must use the latest version of NIST Security Controls (see Appendix A – NIST SP 800-53 Rev 4, Security Controls and Guidance for the current version). Appendix B – NSS Security Controls is to be used in performing CM evaluations on NSS. Appendices A and B provide EM supplemental guidance for each control with examples of what controls a site may choose to adopt. eGov RPM contains the new controls and will automatically select the baseline control suite for tailoring based on the categorization process in eGov RPM.

EM sites are responsible for the following tasks included within CM:

1. Instituting a CM plan that will permit an annual reauthorization to operate by the AO of the site’s accreditation boundaries based on the CM of the mission-adjusted minimum baseline security controls and the controls’ effectiveness to address evolving threats and attacks.

2. Coordinating with the EM CSPM to determine the appropriate mission-adjusted minimum security controls baseline and the accreditation boundary’s acceptable level of risk.

3. Assisting the CM assessment team in its annual assessment of the system’s mission-adjusted minimum security controls.

4. Coordinating and fully participating in annual EM CM team site assistance visits and all activities that are associated with the CM visit.

5. Performing an Organization Impact Analysis/BIA review and updating it annually.

6. Maintaining an up-to-date mission-adjusted minimum controls security baseline configuration for all major components within the accreditation boundary (e.g., personal computers, servers, firewalls, intrusion detection systems). All these baselines must meet the NIST guidelines for such equipment. The EM Vulnerability Management tool must be used to test the equipment for conformance.

7. Performing CM on the remaining mission-adjusted minimum security controls baseline not tested by the EM CM Team or other independent assessors.

8. Proactively adjusting, modifying, or implementing additional security controls to allow the system to remain at the same level of risk as when it was last authorized, and updating the SSP accordingly.

9. Recording CM assessment-discovered weaknesses that require further corrective actions, as determined by the AO. These must be recorded as site, system, or program POA&Ms with corrective measures/timeline identified. Corrective actions, if accomplished in 90 days or less, can be tracked by the site; actions that take more than 90 days to complete must establish a POA&M.

10. Updating all CM assessments, POA&M information, SSP, CP, IR, and other security documents as changes to the CM process are performed and entered into eGov RPM by the ISSO (or his/her designee).


11. Preparing a quarterly report (by the ISSM or ISSO) for the AO or AODR on the security controls status and effectiveness. This report must include any new proposed POA&M items or major changes/modifications within the accreditation boundary. This should be a high-level report and should not be more than three pages.

12. Forwarding (by the AODR) a copy of the ATO to the EM CSPM after the authorization decision is reached.

13. Reviewing, analyzing, testing, and approving all configuration changes through a configuration control board; these configuration management program activities must be performed by the sites. All these changes must be analyzed and tested for security impact. These approved changes must be made to mission-adjusted minimum security controls and the baseline configuration documentation must be updated.

14. Mitigating phishing attacks, which continue to be the most effective means for an intruder to gain a foothold into an IT system. EM sites must take actions to mitigate phishing attacks and to strengthen the weak link—the user—through continuous training. Conducting annual training is no longer sufficient to effectively combat phishing attacks. The EM Phishing server is available and must be used on a regular basis to conduct phishing exercises on a site’s user base. Measurement of effectiveness will then be available via the statistics captured by the server and made available to the site.

15. Providing incident response training and testing annually for both users and system security personnel.

16. Identifying, mitigating, categorizing, and reporting all cyber security incidents involving federal information or federal information systems, including privacy breaches, under DOE or DOE contractor control, to the DOE JC3, in accordance with JC3 procedures and guidance.

17. Reporting cyber security incidents involving national security information systems to JC3, in accordance with the requirements in DOE M 470.4B, Chg. 2, Safeguards and Security Program.

18. Testing all accreditation boundaries with a contingency plan annually, at a minimum.

19. Developing the contractual fee determination metrics (by the site’s CO) set forth in Appendix D, and ensuring these metrics are used as a guide to develop site-specific metrics to affect fee in all EM site management and operating (M&O), service, and subcontractor contracts.

20. Addressing program management (PM) controls PM-6, PM-8, and PM-11 in the SSP.

21. Ensuring and monitoring contractor implementation of cyber security requirements as directed in the Contractor Requirements Document (CRD) of the DOE Cyber Security Management Order, DOE O 205.1B, Chg. 2. This must be accomplished by the Program/Site Offices in conjunction with the COs.

22. Signing the ATO by the AO. At the end of the CM year the accumulation of scan results, verified data documents, updated RA, and POA&Ms will allow the AO to make a risk-based decision on the system’s annual authorization to operate. The CM year begins the day the ATO is signed.


Inherited Control Guidance

EM sites may elect to employ a set of security controls that can be inherited by other systems. The approved and tested inherited controls will be documented in the SSP of the system inheriting the controls. The AO and AODR must approve the inheritable controls selection. The inherited controls may be inherited from any accreditation boundary within the site. If a common controls implementation strategy is utilized, the common controls must undergo an independent assessment and be authorized by the AO. Inheritable controls are subject to independent assessment, authorization, and CM as outlined in NIST SP 800-37. Inheritable controls are also subject to the “Ongoing Authorization” and “Continuous Monitoring Principles and Procedures” discussed above.

AO’s Annual Reauthorization Responsibilities

Under OMB Circular A-130, Appendix III, Federal information systems must (1) obtain an ATO in writing and (2) be reauthorized on a CM basis of security controls, based on the effectiveness of CM efforts.

The AO for a system/accreditation boundary reviews a system’s CM package to make a risk-based decision on the reauthorization of the system. This CM package includes, at a minimum:

- A BIA;
- An RA;
- An SSP;
- The CM team’s Security Status Assessment Report;
- The site’s CM scan results;
- Incident response logs, intrusions, successful attacks or evolving threats, as appropriate; and
- Quarterly AO security briefings by the ISSM/ISSO.

National Security Systems

EM NSS will be guided by these key CNSS documents/instructions:

- CNSS 42
- CNSS 26
- CNSSI-1253
- CNSSI-1199

EM’s NSS tend to be either networked or stand-alone configurations. The stand-alone systems are eligible for “type” certifications. The type authorization is used when systems have the same configurations in hardware, software, and applications. In this instance, a few systems may be tested at random to determine the reauthorization of all systems of that type. If sites have networked systems and these have the same hardware, software, and application configurations, then these systems may also use type certification.

NSS boundaries must use the template in Appendix B – NSS Security Controls to perform CM. These controls conform to the CNSS 1253 requirements. Appendix B identifies the baseline security controls for NSS based on characterization. The controls are designated as either stand-alone or networked. This baseline can be tailored based on the site’s risk profile. Values assigned to controls within CNSS 1253 may also be tailored based on the site’s risk profile. Any tailoring must be approved by the AO through the signing of the security plan and by issuing an ATO. Sites should make every attempt to adopt the CNSS 1253 values, if at all possible, and especially if they intend to interconnect to other NSS.

All NSS EM CM team assessments will result in a General Status Assessment Report that will be put into eGov RPM, but without any POA&M results. All POA&M results must be stored on the NSS and available only to cleared and qualified personnel. All site-level CM scans must also be stored on the NSS and available only to cleared and qualified personnel.

All NSS must use diskless technology, or lock the central processing unit (CPU) and storage media in a manner that prevents users from having physical access to either and prevents physical access to universal serial bus (USB) ports. The exception may be a stand-alone workstation where these requirements may not be cost effective; in this case a waiver must be requested from and approved by the EM HQ CSPM. All systems must use port-locking software to restrict USB port access to only authorized connections, and the BIOS must be set to boot only from the C drive; any exceptions must be documented in the SSP.

Federal Information Security Management Act of 2002

FISMA reports must be submitted to the OCIO on a quarterly basis. In this regard, EM HQ will issue data calls to sites for information for quarterly reports as well as to obtain information for other reports. Sites need to ensure that information is provided on a timely basis so that all due dates can be met. EM intends to use enterprise-deployed tools to respond to FISMA reporting requirements. When possible, data contained in the EM central repository will be used to respond to the Department of Homeland Security (DHS). If data is lacking, then a data call will be conducted.


Incident Response

The near-real-time CM requirements will provide rapid detection and analysis of unauthorized actions, and lead to more effective incident response practices and procedures. NIST SP 800-61, Computer Security Incident Response Guide, requires EM sites to provide a structured and documented approach to the following minimum incident types:

- Denial of Service
- Malicious code
- Root Compromise
- User Compromise
- Unauthorized access
- Inappropriate usage
- Multiple components
- Release of personally identifiable information (PII) in the public domain
- Observed activity that may result in future intrusions and appears to be of a reconnaissance nature, out of the ordinary

EM HQ Mission Information Protection Program (MIPP) Support and Participation

The EM HQ MIPP team is dedicated to the continuous improvement of information assurance and cyber security throughout the DOE EM organization. The team uses the latest methodologies in analytics and monitoring; deploys state-of-the-art cyber security technology to analyze and defend against attacks; provides oversight and assessments of EM sites’ cyber security programs; and further enhances MIPP security through site assistance, education, and training. The EM HQ MIPP team also assists EM sites in maturing their cyber security programs by providing guidance, expertise, enterprise solutions, and leadership in safeguarding MIPP information and assets.

From an EM enterprise perspective, a critical metric to monitor is the time taken to patch a critical vulnerability. Critical vulnerabilities exist in operating systems and in applications, which are often overlooked. Benchmarking this process would be beneficial in determining risk throughout the enterprise. Deploying necessary patches is still one of the most effective means of protection for a system. While patching does not make systems impervious to attack, it raises the bar, making attacks more difficult and, as a result, easier to detect. The MIPP team will monitor the progress each site makes in patching critical vulnerabilities and assist when necessary.

As part of the CM strategy for the EM enterprise, the MIPP team will facilitate the sharing of information among EM sites and provide a means of central analysis for the detection of malicious activity in a near-real-time mode, utilizing the enterprise full-packet capture capability to perform analysis for known perpetrators and undiscovered perpetrators. In addition, using benchmarking and monitoring metrics created based on the use of the Headquarters Security System (HQSS) tool suite, MIPP team members will be able to assist sites in mitigating vulnerabilities that are discovered. The CM team will ensure that a consistent level of security is maintained throughout EM.

EM has deployed a full-packet analysis capability at most of its sites. This capability is an invaluable asset to the CM process and provides an ability to determine malicious vs. suspicious activity in near real-time. Based on evolving known threats, EM has the capability to determine if the known threats are active within the enterprise. EM sites have the capability to identify co-opted systems and complete an accurate damage assessment. This capability will continue to be enhanced as new technology enables EM to detect and identify malicious activity. Daily analysis will be conducted, based on indicators from various sources, in an effort to detect and determine malicious activity. The MIPP team will look for ways to use this capability to enhance the CM process. In addition to known threats, analysis will be performed using heuristic tools to detect malicious activity that is yet unknown to the cyber security community, providing EM with a more proactive approach to provide new intelligence to the enterprise. Site personnel have the ability to use this tool in conducting local investigations, which are either specific to the site or due to malicious outsider activity.

CM requires collaboration among program, Departmental, and outside entities (e.g., SANS, Carnegie Mellon CIRT, etc.) concerning security incidents. The sharing of incident data is a valuable tool for the prevention of successful attacks on a system. Only through the real-time sharing of attack information can one expect to find an attack in progress or to prevent a similar attack from happening. As the threat evolves, having actionable information concerning the threat allows the threat to be mitigated and, if successful, contained and eradicated. If users don’t know how the malware operates, it is impossible to protect, contain, or eradicate. The real-time sharing of information is the early warning of a serious threat. With this information, it is possible to plot the propagation of many attacks on a worldwide scale. One can see the rate of propagation and success rate, and therefore understand the critical window available for mitigation in order to prevent a successful attack. The MIPP team will monitor intrusion sets based on information streams made available from this collaborative effort and will share information gained within EM.

Sites are responsible for confirming and reporting all intrusions, intrusion attempts, suspicious activity, and incidents to JC3. The MIPP team can assist in detection, but only sites can validate, contain, and eradicate an intrusion. Intrusions are going to occur; 100% prevention is not possible, so reporting of incident information in a timely manner is invaluable.

Contingency Planning

Each EM site is responsible for planning, documenting procedures, and then conducting an annual IT contingency exercise. These exercises should include realistic scenarios found in past or anticipated system malfunctions.


Individual sites must conduct a BIA to determine the maximum tolerable downtime (MTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO). This exercise must include the site’s senior managers—contractor and federal, functioning area PM, business leads, and other stakeholders to ensure that realistic MTD, RTO, RPO and system restoration priority meet the mission’s MTD requirements. The BIA must be reviewed and updated annually to ensure it meets mission, security and/or regulatory requirements. The BIA is an exercise performed by the business line to determine the impact of a network failure on the business and site mission. IT staff cannot make these assessments, although they can play a support role to determine restoration priorities and solutions to meet these priorities.

The RE, AODR, and site program managers must jointly agree on changes and levels in the BIA.

Contractor Requirements, System Acquisition and Services

Site Managers must ensure that Contracting Officers are instructed to incorporate this RMAIP into site/facility management contracts and service contracts, as appropriate.

A site Contracting Officer must implement, verify and monitor the EM RMAIP cyber security clauses within their contract vehicles/documents (see Appendix D – EM Contractor Requirements).

All hardware and software procured to support the EM cyber security requirements must comply with all federal statutes, policy, presidential directives and other guidance:

- Application software purchased for significant deployment must be HSPD-12 compliant and must be able to operate in conformance with NIST 800-53 (as modified) provisions that govern the secure operation of applications (e.g., the application must time out after a designated time of inactivity).

- All hardware purchased must be capable of IPv6, including diagnostic tools purchased for current and future use.

- ENERGY STAR® equipment must be procured and green IT solutions must be considered for future deployments (e.g., thin client, VMware, cloud technology, hot and cold lane configurations in server rooms).

Supply Chain Risk Management

When purchasing software and hardware for deployment in government-owned systems and systems that will be processing government data, the supply chain should be managed based on risk. Sites must consider supply chain risks when purchasing components used in NSS and any unclassified systems categorized as High Impact, in accordance with FIPS 199. Supply chain risk management must be considered when procuring IT. When software and hardware are purchased for deployment in NSS, consideration should be given as to whether the supplier should be made aware of the intended implementation. Sites should update their awareness training to cover supply chain concerns.

Not all IT parts and components are manufactured within the United States, and the origin is difficult to determine. For this reason, sites must perform a criticality analysis, used in conjunction with the site’s BIA, to determine a priority for supply chain concerns. A threat and risk assessment must be conducted and the country of origin must be considered when purchases are made. Products should be evaluated for supply chain concerns and operations security (OPSEC) mitigation methodologies should be used based on the evaluation and determined need.

Large sites have the ability to discuss supply chain issues with their site counterintelligence (CI) contact and should check with their CI contact prior to any major purchase. Smaller sites that do not have a CI contact may use the EM MIPP team for advice on purchases and supply chain concerns. The MIPP team has access to CI information and can supply information that can be used in the threat and risk assessment.

DOE’s Enhanced Cyber Security Services (DEX)

All EM sites are to participate in the DEX program. The EM CSPM will determine on a case-by-case basis if participation is not justified and in the best interest of the government.

Mobile Device Guidelines for Foreign Travel

All EM-owned data stored on laptops must be encrypted while at rest and in transit with FIPS 140-2 certified encryption modules. Mobile devices and removable media must be protected in accordance with site procedures.

Use of all mobile devices is subject to the Department’s Safe Passage Program, or similar program.

All mobile devices must be sanitized of data and restored to the mission-adjusted minimum security baselines upon return from foreign travel. This must be accomplished prior to connecting the device to or accessing DOE networks.

Foreign Nationals

The ISSM must implement site-level procedures to comply with DOE Order 142.3A, Unclassified Foreign Visits and Assignments Program, October 14, 2010.

Foreign nationals must not be assigned or granted system administrator privileges on EM systems. Foreign nationals will be granted access to systems only on a need-to-know or job function basis. The EM CSPM can be requested to grant an exception to this requirement in situations of operational necessity. DOE Order 142.3A requires a security plan for the visit/assignment, and IT security must be a component addressed in the plan.

HSPD-12 Requirements and Projected Milestones

All EM sites must comply with HSPD-12 requirements and OMB memorandum M-11-11 by instituting the following:

All new systems under development must be enabled to use personal identityverification (PIV) credentials in accordance with DOE O 206.2 Identity,Credential, and Access Management, and NIST SP 800-76, Biometric DataSpecifications for Personal Identity Verification guidance, prior to theirauthorization to operate by the AO.

All existing physical and unclassified logical access control systems must use PIVcredentials for authorization. This must be accomplished prior to the sites usingdevelopment or technology refresh funds to complete other activities.

All procurement of services and products for facility or system access controlsmust be consistent with HSPD-12 and the Federal Acquisition Regulation.

OMB memorandum 06-18 (Acquisition of Products or Services forImplementation of HSPD-12) requires that organizations acquire products andservices that are compliant with federal policy and standards, and supporttechnical specifications.

Organizations must accept electronically-verified PIV credentials issued by otheragencies or organizations.

All authentications to EM IT systems must be accomplished using two factors byMay 31, 2014. Authentication by user ID and password is no longer allowed afterthis date.

EM sites and HQ must develop a plan for PIV that meets the content found in theFederal CIO Council’s, “Federal Identity, Credential and Access Roadmap andImplementation Guidance” (www.idmanagement.gov).

IPv6 Requirements and Projected Milestones

EM sites and HQ were instructed to commence the development of a plan to upgrade public and external facing servers/services (this includes web, email, domain name system (DNS), Internet service provider (ISP) services and other external-facing services) to operationally meet IPv6 by the end of fiscal year (FY) 2012. In addition, sites and HQ need to upgrade client applications that communicate with public Internet servers and supporting networks to operationally use native IPv6 by the end of FY 2014. All EM sites need to ensure that procurement of networked IT equipment meets the requirements set forth in the USGv6 Profile and Test Program for completeness and quality of IPv6 capabilities.


It is also recommended that sites appoint an IPv6 Transition Manager to serve as the person responsible for planning and leading the implementation and testing of IPv6 criteria to meet the stated milestones.

Domain Name System Security Extensions (DNSSEC)

The original design of the DNS did not include security or protection mechanisms; instead it was designed to be a scalable distributed system. DNSSEC attempts to add security features while maintaining backwards compatibility.

It is strongly recommended that sites implement DNSSEC, per NIST SP 800-71, for securing certain kinds of information provided by the DNS as used on IP networks. DNSSEC is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Industrial Control Systems

All EM sites that utilize Industrial Control Systems (ICS) must use NIST 800-37, NIST 800-53, and NIST 800-82 as guidelines for evaluating ICS systems. The EM CM team, in accordance with the principles outlined in NIST 800-82, must evaluate sites that possess ICS. ICS are considered IT systems and require ATO and are held to the same rules as information processing systems. ICS systems control processes and therefore require scheduling around those processes to be able to accomplish many of the procedures required by security controls. As a result, ICS controls must be tailored accordingly; for example, group authenticators, less frequent patch cycles, and not requiring screen timeouts are acceptable implementations.

Wireless Information Systems

Wireless devices, services, and technologies that are integrated or connected to EM networks are considered part of those networks and must comply with all DOE requirements (e.g., password management, auditing, and cryptography). Wireless devices must use the “safe harbor” principles, U.S. Department of Commerce, July 21, 2000, for protection. Wireless networks and devices must obtain an initial authorization and then undergo CM procedures. A wireless intrusion detection system (WIDS) must be deployed to monitor the wireless environment. The WIDS must monitor the entire bandwidth used by 802.11 technologies. To consistently and confidently monitor signals, the system must monitor the complete industrial, scientific, and medical (ISM) bands used for the Institute of Electrical and Electronics Engineers (IEEE) 802.11, including 2.4 GHz and 5 GHz. Security firmware updates and patches to wireless hardware and software components must be tested and deployed in accordance with configuration management procedures.


Controlled Unclassified Information (CUI) Protection

CUI consists of information that may be exempt from public release (Official Use Only (including PII), Unclassified Controlled Nuclear Information (UCNI)). CUI should be protected while stored at rest and during transmission. FIPS 140-2 approved encryption must be used for the transmission of this type of information. Entrust is available for transmission within the DOE complex. Information at rest must also be protected. Encryption is cost prohibitive and products are not currently available to enable data at rest to be easily encrypted and managed. Currently most systems use physical protections, network segmentation, and restricted access to protect this type of information. Backups of CUI must be encrypted unless solutions such as a mirrored disk are used. As technology advances, encryption at rest will eventually become feasible and affordable and should be considered. Until then, EM sites are to take special steps to protect SUI and to encrypt at rest with available solutions wherever possible. EM sites are also required to develop a protection plan for CUI and update that plan annually as technology advances and move to encryption at rest as soon as feasible. Sites must document a business justification for the collection and use of PII for each application that requires that PII be processed on a system. PII must be collected and processed in accordance with applicable laws, regulations and DOE policy. Sites should reduce the use of PII as much as practical.


Appendix A – NIST SP 800-53 Rev 4 Security Controls and Guidance

This table is a guide for tailoring and implementing the 800-53 Security Controls. The table has values/lists that the EM CSPM recommends be implemented by EM sites where NIST has identified Control Requirements [Organizationally defined values/lists]. Supplemental guidance is provided only for controls that historically have been difficult to define and for which it is difficult to determine appropriate mitigation action. The table is to be used as a baseline and guide when determining site values/lists in accordance with mission needs where NIST notes {organization-defined} and is not meant to be totally implemented as written. Contracting Officers are not to require that a contractor implement each and every control listed in this table.
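As an added example that is not part of the RMAIP or of any EM site's own code, the following Python models two of the organizationally defined values recommended in the Appendix A table: the AC-7 lockout (3 consecutive invalid logon attempts within 1 hour, locked until released by an administrator) and the AC-2(3) inactive-account disable (not longer than 30 days). The account records, names and timestamps are constructed for the example.

```python
"""Account-state checks for two Appendix A values: AC-7 (lock after 3
consecutive invalid logon attempts within 1 hour, until an administrator
releases the lock) and AC-2(3) (disable accounts inactive for 30 days).
Added example; not part of the RMAIP or of any EM site's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Organizationally defined values recommended in Appendix A.
MAX_CONSECUTIVE_FAILURES = 3           # AC-7 a: "3 attempts & 1 hour"
FAILURE_WINDOW = timedelta(hours=1)    # AC-7 a: period for those attempts
INACTIVITY_LIMIT = timedelta(days=30)  # AC-2(3): "not longer than after 30 days"


@dataclass
class Account:
    """Minimal account record (constructed for this example)."""
    name: str
    created: datetime
    last_successful_logon: Optional[datetime] = None
    # Timestamps of consecutive failures still inside FAILURE_WINDOW.
    failed_attempts: List[datetime] = field(default_factory=list)
    locked: bool = False    # AC-7 b lock; cleared only by administrator_release()
    disabled: bool = False  # AC-2(3) inactivity disable


def record_failed_logon(acct: Account, when: datetime) -> bool:
    """Record an invalid logon attempt at `when`.

    Failures older than FAILURE_WINDOW are dropped before counting, so the
    limit is "3 consecutive failures within any 1 hour period". Returns True
    if the account is locked (or already locked/disabled) after this attempt.
    """
    if acct.locked or acct.disabled:
        return True
    acct.failed_attempts = [t for t in acct.failed_attempts
                            if when - t < FAILURE_WINDOW]
    acct.failed_attempts.append(when)
    if len(acct.failed_attempts) >= MAX_CONSECUTIVE_FAILURES:
        acct.locked = True
    return acct.locked


def record_successful_logon(acct: Account, when: datetime) -> bool:
    """A valid logon resets the consecutive-failure count. Returns False
    (the logon is refused) while the account is locked or disabled."""
    if acct.locked or acct.disabled:
        return False
    acct.failed_attempts.clear()
    acct.last_successful_logon = when
    return True


def administrator_release(acct: Account) -> None:
    """AC-7 b, recommended value "Until released by an administrator":
    only this explicit action clears the lock; elapsed time never does."""
    acct.locked = False
    acct.failed_attempts.clear()


def disable_inactive_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """AC-2(3): disable every enabled account with no successful logon in
    the last 30 days (accounts that never logged on count from creation).
    Returns the names disabled by this run, for the AC-2(4) audit record."""
    disabled_now = []
    for acct in accounts:
        if acct.disabled:
            continue
        last_activity = acct.last_successful_logon or acct.created
        if now - last_activity >= INACTIVITY_LIMIT:
            acct.disabled = True
            disabled_now.append(acct.name)
    return disabled_now


if __name__ == "__main__":
    t0 = datetime(2014, 5, 31, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    user = Account("operator1", created=t0 - timedelta(days=5))
    locked = False
    for minutes in (0, 10, 20):
        locked = record_failed_logon(user, t0 + timedelta(minutes=minutes))
    print("locked after three failures in 20 minutes:", locked)
    administrator_release(user)
    print("logon accepted after release:",
          record_successful_logon(user, t0 + timedelta(minutes=30)))
```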

Columns: Cntl. # | Enhancement # (0 = the base control, followed by the part letter/number) | Control Name | NIST Control Requirements | Recommended organizationally defined values | EM Supplemental Guidance

Each entry below gives "Cntl. # | Enhancement # | Control Name" on one line, followed by the NIST control requirement and, where the table supplies them, the recommended organizationally defined value and the EM supplemental guidance.

AC-1 | 0 a 1 | Access Control Policy and Procedures
    NIST Control Requirements: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    Recommended organizationally defined values: Security Staff and Administrative Staff

AC-1 | 0 a 2 | Access Control Policy and Procedures
    NIST Control Requirements: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the access control policy and associated access controls; and
    Recommended organizationally defined values: Security Staff and Administrative Staff

AC-1 | 0 b 1 | Access Control Policy and Procedures
    NIST Control Requirements: The organization: Reviews and updates the current: Access control policy [Assignment: organization-defined frequency]; and
    Recommended organizationally defined values: Annually or any time there is a major change


AC-1 | 0 b 2 | Access Control Policy and Procedures
    NIST Control Requirements: The organization: Reviews and updates the current: Access control procedures [Assignment: organization-defined frequency].
    Recommended organizationally defined values: Annually or any time there is a major change

AC-2 | 0 a | Account Management
    NIST Control Requirements: The organization identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

AC-2 | 0 b | Account Management
    NIST Control Requirements: The organization assigns account managers for information system accounts;

AC-2 | 0 c | Account Management
    NIST Control Requirements: The organization establishes conditions for group and role membership;

AC-2 | 0 d | Account Management
    NIST Control Requirements: The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

AC-2 | 0 e | Account Management
    NIST Control Requirements: The organization requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

AC-2 | 0 f | Account Management
    NIST Control Requirements: The organization creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

AC-2 | 0 g | Account Management
    NIST Control Requirements: The organization monitors the use of information system accounts;


AC-2 | 0 h 1 | Account Management
    NIST Control Requirements: The organization notifies account managers when accounts are no longer required;

AC-2 | 0 h 2 | Account Management
    NIST Control Requirements: The organization notifies account managers when users are terminated or transferred; and

AC-2 | 0 h 3 | Account Management
    NIST Control Requirements: The organization notifies account managers when individual information system usage or need-to-know changes;

AC-2 | 0 i 1 | Account Management
    NIST Control Requirements: The organization authorizes access to the information system based on a valid access authorization;

AC-2 | 0 i 2 | Account Management
    NIST Control Requirements: The organization authorizes access to the information system based on intended system usage; and

AC-2 | 0 i 3 | Account Management
    NIST Control Requirements: The organization authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions;

AC-2 | 0 j | Account Management
    NIST Control Requirements: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
    Recommended organizationally defined values: Every 90 days

AC-2 | 0 k | Account Management
    NIST Control Requirements: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-2 | 1 | Account Management - Automated System Account Management
    NIST Control Requirements: The organization employs automated mechanisms to support the management of information system accounts.


AC-2 | 2 | Account Management - Removal of Temporary/Emergency Accounts
    NIST Control Requirements: The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
    Recommended organizationally defined values: Disabled immediately at the conclusion of the activity that required the account but not longer than after 30 days

AC-2 | 3 | Account Management - Disable Inactive Accounts
    NIST Control Requirements: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
    Recommended organizationally defined values: Immediately at the conclusion of the activity that required the account and not longer than after 30 days

AC-2 | 4 | Account Management - Automated Audit Actions
    NIST Control Requirements: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

AC-3 | 0 | Access Enforcement
    NIST Control Requirements: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.


AC-4 | 0 | Information Flow Enforcement
    NIST Control Requirements: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
    EM Supplemental Guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few examples of flow control restrictions include: keeping export controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems.


AC-5 | 0 a | Separation of Duties
    NIST Control Requirements: The organization: Separates [Assignment: organization-defined duties of individuals];
    EM Supplemental Guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.

AC-5 | 0 b | Separation of Duties
    NIST Control Requirements: The organization: Documents separation of duties of individuals; and

AC-5 | 0 c | Separation of Duties
    NIST Control Requirements: The organization: Defines information system access authorizations to support separation of duties.

AC-6 | 0 | Least Privilege
    NIST Control Requirements: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
    Recommended organizationally defined values: System admin (root); System admin (limited); Network admin (firewalls, routers, etc.); Security admin (monitoring tools); Physical access admin (NSS); Removable media admin (NSS)
    EM Supplemental Guidance: One or two individuals should not be able to have logical or physical access to key system components so that their actions would be undetectable by others.

AC-6 | 1 | Least Privilege
    NIST Control Requirements: The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
    Recommended organizationally defined values: Security functions: (a) access to any security related device configuration options; or (b) configuration items set and controlled by network or system defined criteria


AC-6 | 2 | Least Privilege
    NIST Control Requirements: The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing non-security functions.
    Recommended organizationally defined values: Security functions: (a) access to any security related device configuration options; or (b) configuration items set and controlled by network or system defined criteria

AC-6 | 5 | Least Privilege
    NIST Control Requirements: The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].

AC-6 | 9 | Least Privilege
    NIST Control Requirements: The information system audits the execution of privileged functions.

AC-6 | 10 | Least Privilege
    NIST Control Requirements: The information system prevents non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.

AC-7 | 0 a | Unsuccessful Login Attempts
    NIST Control Requirements: The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
    Recommended organizationally defined values: 3 attempts & 1 hour


AC-7 | 0 b | Unsuccessful Login Attempts
    NIST Control Requirements: The information system: Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
    Recommended organizationally defined values: Until released by an administrator

AC-8 | 0 a 1 | System Use Notification
    NIST Control Requirements: The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system;

AC-8 | 0 a 2 | System Use Notification
    NIST Control Requirements: The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Information system usage may be monitored, recorded, and subject to audit;
    Recommended organizationally defined values: DOE approved banner


AC-8 | 0 a 3 | System Use Notification
    NIST Control Requirements: The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

AC-8 | 0 a 4 | System Use Notification
    NIST Control Requirements: The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Use of the information system indicates consent to monitoring and recording;

AC-8 | 0 b | System Use Notification
    NIST Control Requirements: The information system: Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and


AC-8 | 0 c 1 | System Use Notification
    NIST Control Requirements: The information system: For publicly accessible systems: Displays system use information [Assignment: organization-defined conditions], before granting further access;

AC-8 | 0 c 2 | System Use Notification
    NIST Control Requirements: The information system: For publicly accessible systems: Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

AC-8 | 0 c 3 | System Use Notification
    NIST Control Requirements: The information system: For publicly accessible systems: Includes a description of the authorized uses of the system.

AC-11 | 0 a | Session Lock
    NIST Control Requirements: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
    Recommended organizationally defined values: 15 minutes

AC-11 | 0 b | Session Lock
    NIST Control Requirements: The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-11 | 1 | Session Lock
    NIST Control Requirements: The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

AC-12 | 0 | Session Termination
    NIST Control Requirements: The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].


AC-14 | 0 a | Permitted Actions without Identification or Authentication
    NIST Control Requirements: The organization identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

AC-14 | 0 b | Permitted Actions without Identification or Authentication
    NIST Control Requirements: The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

AC-17 | 0 a | Remote Access
    NIST Control Requirements: The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

AC-17 | 0 b | Remote Access
    NIST Control Requirements: The organization authorizes remote access to the information system prior to allowing such connections.

AC-17 | 1 | Remote Access
    NIST Control Requirements: The information system monitors and controls remote access methods.

AC-17 | 2 | Remote Access
    NIST Control Requirements: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

AC-17 | 3 | Remote Access
    NIST Control Requirements: The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.


AC-17 | 4 a | Remote Access
    NIST Control Requirements: The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
    Recommended organizationally defined values: Authorized privileged users performing time sensitive or emergency activities

AC-17 | 4 b | Remote Access
    NIST Control Requirements: The organization documents the rationale for such access in the security plan for the information system.

AC-18 | 0 a | Wireless Access
    NIST Control Requirements: The organization establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
    EM Supplemental Guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth.

AC-18 | 0 b | Wireless Access
    NIST Control Requirements: The organization authorizes wireless access to the information system prior to allowing such connections.

AC-18 | 1 | Wireless Access
    NIST Control Requirements: The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

AC-19 | 0 a | Access Control for Mobile Devices
    NIST Control Requirements: The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
    EM Supplemental Guidance: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).

AC-19 | 0 b | Access Control for Mobile Devices
    NIST Control Requirements: The organization authorizes the connection of mobile devices to organizational information systems.


AC-19 | 5 | Access Control for Mobile Devices
    NIST Control Requirements: The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
    Recommended organizationally defined values: Full disk encryption on laptops and external or removable hard drives not physically secured

AC-20 | 0 a | Use of External Information Systems
    NIST Control Requirements: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from the external information systems; and
    EM Supplemental Guidance: External information systems are information systems or components of information systems that are outside of the authorization boundary established by the organization and for which the organization typically has no direct supervision and authority over the application of required security controls or the assessment of security control effectiveness.

AC-20 | 0 b | Use of External Information Systems
    NIST Control Requirements: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Process, store, and/or transmit organization-controlled information using the external information systems.


AC-20 | 1 a | Use of External Information Systems
    NIST Control Requirements: The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or

AC-20 | 1 b | Use of External Information Systems
    NIST Control Requirements: The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

AC-20 | 2 | Use of External Information Systems
    NIST Control Requirements: The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

AC-22 | 0 a | Publicly Accessible Content
    NIST Control Requirements: The organization designates individuals authorized to post information onto a publicly accessible information system;

AC-22 | 0 b | Publicly Accessible Content
    NIST Control Requirements: The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;

DOE EM RMAIP, 51 of 266

AC-22 c. Publicly Accessible Content
  NIST control requirement: The organization: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

AC-22 d. Publicly Accessible Content
  NIST control requirement: The organization: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
  Recommended organization-defined value: Monthly

AT-1 a.1. Security Awareness and Training Policy and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended organization-defined value: Security Staff and Administrative Staff

AT-1 a.2. Security Awareness and Training Policy and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
  Recommended organization-defined value: Security Staff and Administrative Staff

AT-1 b.1. Security Awareness and Training Policy and Procedures
  NIST control requirement: Reviews and updates the current security awareness and training policy [Assignment: organization-defined frequency]; and
  Recommended organization-defined value: Annually or any time there is a major change

DOE EM RMAIP, 52 of 266

AT-1 b.2. Security Awareness and Training Policy and Procedures
  NIST control requirement: Reviews the current security awareness and training procedures [Assignment: organization-defined frequency].
  Recommended organization-defined value: Annually or any time there is a major change

AT-2 a. Security Awareness Training
  NIST control requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): As part of initial training for new users;

AT-2 b. Security Awareness Training
  NIST control requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): When required by information system changes; and

AT-2 c. Security Awareness Training
  NIST control requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter.
  Recommended organization-defined value: Annually

AT-2(2) Security Awareness Training
  NIST control requirement: The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

AT-3 a. Role-Based Security Training
  NIST control requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: Before authorizing access to the information system or performing assigned duties;

DOE EM RMAIP, 53 of 266

AT-3 b. Role-Based Security Training
  NIST control requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: When required by information system changes; and

AT-3 c. Role-Based Security Training
  NIST control requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended organization-defined value: Annually

AT-4 a. Security Training Records
  NIST control requirement: The organization: Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

AT-4 b. Security Training Records
  NIST control requirement: The organization: Retains individual training records for [Assignment: organization-defined time period].
  Recommended organization-defined value: Retains individual training records for at least five years or when superseded or obsolete, whichever is sooner

AU-1 a.1. Audit and Accountability Policies and Procedures
  NIST control requirement: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended organization-defined value: Security Staff and Administrative Staff

DOE EM RMAIP, 54 of 266

AU-1 a.2. Audit and Accountability Policies and Procedures
  NIST control requirement: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
  Recommended organization-defined value: Security Staff and Administrative Staff

AU-1 b.1. Audit and Accountability Policies and Procedures
  NIST control requirement: Reviews and updates the current: Audit and accountability policy [Assignment: organization-defined frequency]; and
  Recommended organization-defined value: Annually or any time there is a major change

AU-1 b.2. Audit and Accountability Policies and Procedures
  NIST control requirement: Reviews and updates the current: Audit and accountability procedures [Assignment: organization-defined frequency].
  Recommended organization-defined value: Annually or any time there is a major change

AU-2 a. Audit Events
  NIST control requirement: The organization: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  Recommended organization-defined value: Successful and unsuccessful logon events to the network or any device; Logoff events; Change of password; Startup, reboot, and any system command event; All actions by system administrator accounts; Startup and shutdown of audit function; Clearing of any log file; Successful and unsuccessful changes to user/group accounts and permissions; Successful and unsuccessful changes to the configuration of the auditing subsystem; Successful and unsuccessful changes to the configuration or policy of any device
  EM supplemental guidance: The purpose of this control is for the organization to identify events which need to be auditable as significant and relevant to the security of the information system, giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are to be audited at a given point in time.

DOE EM RMAIP, 55 of 266

AU-2 b. Audit Events
  NIST control requirement: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

AU-2 c. Audit Events
  NIST control requirement: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

AU-2 d. Audit Events
  NIST control requirement: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
  Recommended organization-defined value: Successful and unsuccessful logon events to the network or any device; Logoff events; Change of password; Startup, reboot, and any system command event; All actions by system administrator accounts; Startup and shutdown of audit function; Clearing of any log file; Successful and unsuccessful changes to user/group accounts and permissions; Successful and unsuccessful changes to the configuration of the auditing subsystem; Successful and unsuccessful changes to the configuration or policy of any device

AU-2(3) Audit Events
  NIST control requirement: The organization reviews and updates the audited events [Assignment: organization-defined frequency].
  Recommended organization-defined value: Annually

DOE EM RMAIP, 56 of 266

AU-3 Content of Audit Records
  NIST control requirement: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
  EM supplemental guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

AU-3(1) Content of Audit Records
  NIST control requirement: The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
  Recommended organization-defined value: Any technically feasible risk-based audit information

AU-4 Audit Storage Capacity
  NIST control requirement: The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].

AU-5 a. Response to Audit Processing Failures
  NIST control requirement: The information system: Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
  EM supplemental guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

AU-5 b. Response to Audit Processing Failures
  NIST control requirement: The information system: Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
  Recommended organization-defined value: As defined in the incident response plan, based upon assessed risks to the information stored, processed and transferred by the information system technology/components
  EM supplemental guidance: Audit logs should be automatically stored in a log correlation solution or SIEM solution to prevent intentional destruction of audit logs and to allow options such as overwriting the oldest audit records.

AU-6 a. Audit Review, Analysis, and Reporting
  NIST control requirement: The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
  Recommended organization-defined value: Weekly

DOE EM RMAIP, 57 of 266

AU-6 b. Audit Review, Analysis, and Reporting
  NIST control requirement: The organization: Reports findings to [Assignment: organization-defined personnel or roles].

AU-6(1) Audit Review, Analysis, and Reporting
  NIST control requirement: The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

AU-6(3) Audit Review, Analysis, and Reporting
  NIST control requirement: The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

AU-7 a. Audit Reduction and Report Generation
  NIST control requirement: The information system provides an audit reduction and report generation capability that: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
  EM supplemental guidance: An audit reduction and report generation capability provides support for near real-time audit review, analysis, and reporting requirements described in AU-6 and after-the-fact investigations of security incidents. Audit reduction and reporting tools do not alter original audit records. It is also a safeguard for least privilege to help protect against insider threat.

AU-7 b. Audit Reduction and Report Generation
  NIST control requirement: The information system provides an audit reduction and report generation capability that: Does not alter the original content or time ordering of audit records.

AU-7(1) Audit Reduction and Report Generation
  NIST control requirement: The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
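The AU-2, AU-3 and AU-7 rows describe one audit pipeline in prose: decide which subset of auditable events is actually audited, make every record establish what, when, where, source, outcome and who, and let reviewers reduce records to events of interest without altering the originals. The block below is an added Python illustration of that pipeline; it is not code from the DOE EM RMAIP or from any DOE site system. Its log format, host names, addresses and event-name vocabulary are constructed for the example (the document lists the event categories only in prose), and the assignment of each function to a control part is this example's reading of the rows above.

```python
"""Audit record handling for AU-2 (event selection), AU-3 (record content)
and AU-7 (reduction without altering originals).

Added illustration, not code from the DOE EM RMAIP. The log lines, host
names, addresses and event-name vocabulary are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# AU-2 d.: organization-defined audited events. These names are an assumed
# encoding of the categories in the AU-2 recommended value (logon success and
# failure, logoff, password change, startup/reboot/system commands, admin
# actions, audit start/stop, log clearing, account/permission changes, audit
# subsystem and device configuration changes).
AUDITED_EVENTS = frozenset({
    "logon_success", "logon_failure", "logoff", "password_change",
    "system_startup", "system_reboot", "system_command", "admin_action",
    "audit_start", "audit_stop", "log_cleared",
    "account_change_success", "account_change_failure",
    "audit_config_change", "device_config_change",
})

# AU-3: what, when, where, source, outcome, and who.
REQUIRED_FIELDS = ("event", "timestamp", "host", "source", "outcome", "subject")


@dataclass(frozen=True)  # frozen: reduction and reporting cannot alter a record (AU-7 b.)
class AuditRecord:
    event: str
    timestamp: datetime  # timezone-aware, normalized to UTC (AU-8 b.)
    host: str
    source: str
    outcome: str
    subject: str


def parse_line(line: str) -> AuditRecord:
    """Parse one 'key=value ...' line; reject it if any AU-3 field is absent."""
    fields = dict(token.split("=", 1) for token in line.split() if "=" in token)
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit record missing AU-3 fields: {missing}")
    ts = datetime.fromisoformat(fields["timestamp"].replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp has no UTC offset; cannot be mapped to UTC (AU-8 b.)")
    return AuditRecord(fields["event"], ts.astimezone(timezone.utc), fields["host"],
                       fields["source"], fields["outcome"], fields["subject"])


def load_records(text: str) -> tuple:
    """Parse a log; returns (accepted records, rejected raw lines).

    Rejected lines are returned rather than dropped so they can be alerted on
    as an audit processing failure (AU-5 a.).
    """
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            accepted.append(parse_line(line))
        except ValueError:
            rejected.append(line)
    return accepted, rejected


def select_audited(records: Iterable[AuditRecord]) -> list:
    """AU-2 d.: keep only the events the organization has chosen to audit."""
    return [r for r in records if r.event in AUDITED_EVENTS]


def reduce_by_fields(records: Iterable[AuditRecord], **criteria: str) -> list:
    """AU-7(1): select records matching organization-defined field values.

    Returns a new list in the original time order; the input is never mutated.
    """
    return [r for r in records
            if all(getattr(r, name) == value for name, value in criteria.items())]


def report(records: Iterable[AuditRecord]) -> dict:
    """AU-7 a.: an on-demand summary, audited events counted per subject."""
    counts = {}
    for r in records:
        counts[r.subject] = counts.get(r.subject, 0) + 1
    return counts


# Constructed sample log (not from the document); the fifth line lacks 'source'.
SAMPLE_LOG = """\
timestamp=2024-05-01T08:00:00Z event=logon_failure host=ws01 source=10.0.0.5 outcome=failure subject=jdoe
timestamp=2024-05-01T08:00:07Z event=logon_success host=ws01 source=10.0.0.5 outcome=success subject=jdoe
timestamp=2024-05-01T08:01:30Z event=file_read host=ws01 source=10.0.0.5 outcome=success subject=jdoe
timestamp=2024-05-01T08:02:00Z event=log_cleared host=srv01 source=10.0.0.9 outcome=success subject=admin
timestamp=2024-05-01T08:02:30Z event=logoff host=ws01 outcome=success subject=jdoe
timestamp=2024-05-01T08:03:00Z event=audit_stop host=srv01 source=10.0.0.9 outcome=success subject=admin
"""

if __name__ == "__main__":
    records, rejected = load_records(SAMPLE_LOG)
    audited = select_audited(records)
    print(f"{len(records)} parsed, {len(rejected)} rejected, {len(audited)} audited")
    print("admin activity:", reduce_by_fields(audited, subject="admin"))
    print("per subject:", report(audited))
```

Two design points carry the controls' intent: a line that cannot establish who, what, when, where, source or outcome is refused rather than stored incomplete, and reduction returns a fresh list over frozen records, so review tooling can never change the content or time order of what was captured.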

AU-8 a. Time Stamps
  NIST control requirement: The information system: Uses internal system clocks to generate time stamps for audit records; and

DOE EM RMAIP, 58 of 266

AU-8 b. Time Stamps
  NIST control requirement: The information system: Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

AU-8(1)(a) Time Stamps
  NIST control requirement: The information system: Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
  Recommended organization-defined value: Daily & time.doe.gov

AU-8(1)(b) Time Stamps
  NIST control requirement: The information system: Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
  Recommended organization-defined value: Two minutes
  EM supplemental guidance: A time frequency such as weekly or monthly may be used in lieu of a defined time period.
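The AU-8 rows set a concrete mechanism: compare the system clock with an authoritative source daily, correct it only when the difference exceeds two minutes, and record audit time stamps that map to UTC. The block below is an added Python illustration, not code from the DOE EM RMAIP. It computes the clock offset with the four-timestamp formula that NTP and SNTP use; the request/reply exchange is simulated with constructed timestamps so it runs offline, and although time.doe.gov is named because it is the document's recommended source, nothing here contacts it.

```python
"""Clock comparison and synchronization decision for AU-8(1).

Added illustration, not code from the DOE EM RMAIP. The offset formula is the
four-timestamp one used by NTP/SNTP; the exchange is simulated with
constructed timestamps so the block runs offline. time.doe.gov is the source
named in the document's recommended value, but nothing here contacts it.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

AUTHORITATIVE_SOURCE = "time.doe.gov"      # AU-8(1)(a) recommended value (from the document)
CHECK_INTERVAL = timedelta(days=1)         # AU-8(1)(a) recommended frequency: daily
SYNC_THRESHOLD = timedelta(minutes=2)      # AU-8(1)(b) recommended time period


def clock_offset(t1: datetime, t2: datetime, t3: datetime, t4: datetime) -> timedelta:
    """Offset of the local clock from the source, from one request/reply exchange.

    t1: local clock when the request left      t2: source clock when it arrived
    t3: source clock when the reply left       t4: local clock when the reply arrived
    offset = ((t2 - t1) + (t3 - t4)) / 2 ; positive means the local clock is behind.
    A symmetric network delay cancels out of this formula.
    """
    return ((t2 - t1) + (t3 - t4)) / 2


def needs_sync(offset: timedelta, threshold: timedelta = SYNC_THRESHOLD) -> bool:
    """AU-8(1)(b): synchronize only when the difference is greater than the threshold.

    A drift of exactly two minutes therefore does not trigger a correction.
    """
    return abs(offset) > threshold


def daily_check(t1: datetime, t2: datetime, t3: datetime, t4: datetime,
                last_check: Optional[datetime], now: datetime) -> dict:
    """One AU-8(1) check: is it due, how far off is the clock, should we sync?"""
    due = last_check is None or now - last_check >= CHECK_INTERVAL
    if not due:
        return {"due": False}
    offset = clock_offset(t1, t2, t3, t4)
    return {
        "due": True,
        "source": AUTHORITATIVE_SOURCE,
        "offset_seconds": offset.total_seconds(),
        "sync": needs_sync(offset),
        "corrected_local_time": t4 + offset,   # what the local clock should have read at t4
    }


def audit_timestamp(local: datetime) -> str:
    """AU-8 b.: render a time stamp that maps unambiguously to UTC.

    Naive datetimes are refused because they cannot be mapped to UTC.
    """
    if local.tzinfo is None:
        raise ValueError("naive timestamp cannot be mapped to UTC")
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


# Constructed exchange: local clock three minutes behind the source, 110 ms round trip.
LOCAL_SEND = datetime(2024, 5, 1, 8, 0, 0, tzinfo=timezone.utc)
SOURCE_RECV = LOCAL_SEND + timedelta(seconds=180, milliseconds=50)
SOURCE_SEND = LOCAL_SEND + timedelta(seconds=180, milliseconds=60)
LOCAL_RECV = LOCAL_SEND + timedelta(milliseconds=110)

if __name__ == "__main__":
    result = daily_check(LOCAL_SEND, SOURCE_RECV, SOURCE_SEND, LOCAL_RECV, None, LOCAL_RECV)
    print(result)
    print(audit_timestamp(result["corrected_local_time"]))
```

The threshold comparison is strict because the control text says "greater than"; an implementation that corrects at exactly two minutes is stricter than required, but one that corrects only at a larger drift is not compliant with the recommended value.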

AU-9 Protection of Audit Information
  NIST control requirement: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-9(4) Protection of Audit Information
  NIST control requirement: The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].

DOE EM RMAIP, 59 of 266

AU-11 Audit Record Retention
  NIST control requirement: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
  Recommended organization-defined value: At least one year or until no longer needed for legal, investigative, or evidence purposes
  EM supplemental guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.

AU-12 a. Audit Generation
  NIST control requirement: The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
  Recommended organization-defined value: System components that access any security-related devices, including devices with network defined and controlled by network or system defined criteria

AU-12 b. Audit Generation
  NIST control requirement: The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and

AU-12 c. Audit Generation
  NIST control requirement: The information system: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

DOE EM RMAIP, 60 of 266

CA-1 a.1. Security Assessment and Authorization Policies and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended organization-defined value: Security Staff and Administrative Staff

CA-1 a.2. Security Assessment and Authorization Policies and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
  Recommended organization-defined value: Security Staff and Administrative Staff

CA-1 b.1. Security Assessment and Authorization Policies and Procedures
  NIST control requirement: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and
  Recommended organization-defined value: Annually or any time there is a major change

CA-1 b.2. Security Assessment and Authorization Policies and Procedures
  NIST control requirement: Reviews and updates the current: Security assessment and authorization procedures [Assignment: organization-defined frequency].
  Recommended organization-defined value: Annually or any time there is a major change

CA-2 a.1. Security Assessments
  NIST control requirement: The organization develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment;

CA-2 a.2. Security Assessments
  NIST control requirement: Assessment procedures to be used to determine security control effectiveness; and

DOE EM RMAIP, 61 of 266

CA-2 a.3. Security Assessments
  NIST control requirement: Assessment environment, assessment team, and assessment roles and responsibilities;

CA-2 b. Security Assessments
  NIST control requirement: Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
  Recommended organization-defined value: The site performs an initial ST&E to authorize new boundaries, performs annual continuous monitoring assessments and re-issues authorization annually or at least every three years (maximum) if appropriate
  EM supplemental guidance: Continuous monitoring is a combination of efforts: the testing of 1/3 of the controls by EM HQ, site assessments of site-determined controls, site and enterprise security monitoring tools, phishing exercises and penetration testing efforts.

CA-2 c. Security Assessments
  NIST control requirement: Produces a security assessment report that documents the results of the assessment; and

CA-2 d. Security Assessments
  NIST control requirement: Provides the results of the security control assessment, in writing, to [Assignment: organization-defined individuals or roles].

CA-2(1) Security Assessments
  NIST control requirement: The organization employs an independent assessor or assessment team with [Assignment: organization-defined level of independence] to conduct security control assessments.
  EM supplemental guidance: EM HQ provides this service to EM sites.

CA-3 a. Information System Connections
  NIST control requirement: The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
  EM supplemental guidance: This control applies to dedicated connections between information systems and does not apply to transitory, user-controlled connections such as email and website browsing.

CA-3 b. Information System Connections
  NIST control requirement: The organization: Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and

DOE EM RMAIP, 62 of 266

CA-3 c. Information System Connections
  NIST control requirement: The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
  Recommended organization-defined value: At least annually or when changes are made to any interface controls documented in the agreement.

CA-3(5) Information System Connections
  NIST control requirement: The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

CA-5 a. Plan of Action and Milestones
  NIST control requirement: The organization: Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
  EM supplemental guidance: Actions that will take significant resources and will take 90 days or more will be documented in a POA&M within eGovRPM.

CA-5 b. Plan of Action and Milestones
  NIST control requirement: The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
  Recommended organization-defined value: Quarterly

CA-6 a. Security Authorization
  NIST control requirement: The organization: Assigns a senior-level executive or manager to the role of authorizing official for the information system;

CA-6 b. Security Authorization
  NIST control requirement: The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

DOE EM RMAIP, 63 of 266

CA-6 c. Security Authorization
  NIST control requirement: The organization: Updates the security authorization [Assignment: organization-defined frequency].
  EM supplemental guidance: The site may either update the authorization on a yearly basis (based on Continuous Monitoring assessments) or every three years.

CA-7 a. Continuous Monitoring
  NIST control requirement: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored;
  EM supplemental guidance: A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. EM HQ assists with this as a service to all EM Sites. Program-level metrics have been developed and are available via the EM Portal.

CA-7 b. Continuous Monitoring
  NIST control requirement: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;

CA-7 c. Continuous Monitoring
  NIST control requirement: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and

CA-7 d. Continuous Monitoring
  NIST control requirement: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

CA-7 e. Continuous Monitoring
  NIST control requirement: Correlation and analysis of security-related information generated by assessments and monitoring;

CA-7 f. Continuous Monitoring
  NIST control requirement: Response actions to address results of the analysis of security-related information; and

DOE EM RMAIP, 64 of 266

CA-7 g. Continuous Monitoring
  NIST control requirement: Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
  Recommended organization-defined value: AODR & AO annually as part of CM process

CA-7(1) Continuous Monitoring
  NIST control requirement: The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
  EM supplemental guidance: This is performed as a service by EM HQ.

CA-9 a. Internal System Connections
  NIST control requirement: The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and

CA-9 b. Internal System Connections
  NIST control requirement: The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

CM-1 a.1. Configuration Management Policy and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended organization-defined value: Security Staff and Administrative Staff

DOE EM RMAIP, 65 of 266

CM-1 a.2. Configuration Management Policy and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
  Recommended organization-defined value: Security Staff and Administrative Staff

CM-1 b.1. Configuration Management Policy and Procedures
  NIST control requirement: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and
  Recommended organization-defined value: Annually or any time there is a major change

CM-1 b.2. Configuration Management Policy and Procedures
  NIST control requirement: Reviews and updates the current: Configuration management procedures [Assignment: organization-defined frequency].
  Recommended organization-defined value: Annually or any time there is a major change

CM-2 Configuration Baseline
  NIST control requirement: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
  EM supplemental guidance: This control establishes a baseline configuration for the information system and its constituent components, including communications and connectivity-related aspects of the system. The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device, including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture.

CM-2(1)(a) Configuration Baseline
  NIST control requirement: The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency];
  Recommended organization-defined value: As needed or at least annually

DOE EM RMAIP, 66 of 266

Columns: Cntl.# | Enhancement # | # - Control Name | NIST Control Requirements | Recommend organizationally defined values | EM Supplemental Guidance

CM-2 | 1 b | Configuration Baseline
  NIST Control Requirement: The organization reviews and updates the baseline configuration of the information system: When required due to [Assignment: organization-defined circumstances]; and
  Recommended organizationally defined value: Annually or any time there is a major change

CM-2 | 1 c | Configuration Baseline
  NIST Control Requirement: The organization reviews and updates the baseline configuration of the information system: As an integral part of information system component installations and upgrades.

CM-2 | 3 | Configuration Baseline
  NIST Control Requirement: The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
  Recommended organizationally defined value: Two versions

CM-2 | 7 a | Configuration Baseline
  NIST Control Requirement: The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
  EM Supplemental Guidance: The suggestion here is to have a cache of mobile devices that would be used on foreign travel. The devices would be cleaned prior to and after travel so that no malware would remain if placed on the device while on travel. Also, digital imaging should be used in order to determine if the device was physically altered. The DOE Safe Passage Program is available to EM sites.

CM-2 | 7 b | Configuration Baseline
  NIST Control Requirement: The organization: Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.


CM-3 | 0 a | Configuration Change Control
  NIST Control Requirement: The organization: Determines the types of changes to the information system that are configuration-controlled;
  EM Supplemental Guidance: The site determines the types of changes to the information system that are configuration controlled. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications.

CM-3 | b | Configuration Change Control
  NIST Control Requirement: The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3 | c | Configuration Change Control
  NIST Control Requirement: The organization: Documents configuration change decisions associated with the information system;

CM-3 | d | Configuration Change Control
  NIST Control Requirement: The organization: Implements approved configuration-controlled changes to the information system;

CM-3 | e | Configuration Change Control
  NIST Control Requirement: The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3 | f | Configuration Change Control
  NIST Control Requirement: The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and


CM-3 | g | Configuration Change Control
  NIST Control Requirement: The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
  Recommended organizationally defined value: A change control board that convenes at least monthly or more frequently if needed to review and approve/disapprove changes

CM-3 | 2 | Configuration Change Control
  NIST Control Requirement: The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-4 | Security Impact Analyses
  NIST Control Requirement: The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
  EM Supplemental Guidance: Security impact analysis may include, for example, reviewing information system documentation such as the security plan to understand how specific security controls are implemented within the system and how the changes might affect the controls. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine if additional security controls are required. Security impact analysis is scaled in accordance with the security categorization of the information system.

CM-5 | Access Restrictions for Change
  NIST Control Requirement: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.


CM-6 | a | Configuration Settings
  NIST Control Requirement: The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
  Recommended organizationally defined value: Baseline checklist such as USGCB, SCAP, or CIS for its different kinds of systems
  EM Supplemental Guidance: Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections.

CM-6 | b | Configuration Settings
  NIST Control Requirement: The organization: Implements the configuration settings;

CM-6 | c | Configuration Settings
  NIST Control Requirement: The organization: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

CM-6 | d | Configuration Settings
  NIST Control Requirement: The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-7 | 0 a | Least Functionality
  NIST Control Requirement: The organization: Configures the information system to provide only essential capabilities; and


CM-7 | 0 b | Least Functionality
  NIST Control Requirement: The organization: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
  Recommended organizationally defined value: Any function, port, protocol or service not specifically required for the operation of the information system and those specifically prohibited by the AO
  EM Supplemental Guidance: The functions and services provided by organizational information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, file sharing). Organizations consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus [USB], File Transfer Protocol [FTP], Internet Protocol Version 6 [IPv6], Hyper Text Transfer Protocol [HTTP]) on information system components to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

CM-7 | 1 a | Least Functionality
  NIST Control Requirement: The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or non-secure functions, ports, protocols, and services; and
  Recommended organizationally defined value: Annually


CM-7 | 1 b | Least Functionality
  NIST Control Requirement: The organization: Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or non-secure].
  Recommended organizationally defined value: Disable all that are not necessary.

CM-7 | 2 | Least Functionality
  NIST Control Requirement: The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

CM-7 | 4 a | Least Functionality
  NIST Control Requirement: The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];

CM-7 | 4 b | Least Functionality
  NIST Control Requirement: The organization: Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and

CM-7 | 4 c | Least Functionality
  NIST Control Requirement: The organization: Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
  Recommended organizationally defined value: Annually

CM-8 | 0 a 1 | Information System Component Inventory
  NIST Control Requirement: The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system;


CM-8 | 0 a 2 | Information System Component Inventory
  NIST Control Requirement: The organization: Develops and documents an inventory of information system components that: Includes all components within the authorization boundary of the information system;
  EM Supplemental Guidance: This function should be automated and the SSP control statement should point to the system (e.g., Tenable Security Center)

CM-8 | 0 a 3 | Information System Component Inventory
  NIST Control Requirement: The organization: Develops and documents an inventory of information system components that: Is at the level of granularity deemed necessary for tracking and reporting; and
  EM Supplemental Guidance: This function should be automated and the SSP control statement should point to the system (e.g., Tenable Security Center)

CM-8 | 0 a 4 | Information System Component Inventory
  NIST Control Requirement: The organization: Develops and documents an inventory of information system components that: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
  Recommended organizationally defined value: Device type, model, serial number or tracking number, location, and owner name and phone number

CM-8 | 0 b | Information System Component Inventory
  NIST Control Requirement: The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

CM-8 | 1 | Information System Component Inventory
  NIST Control Requirement: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8 | 3 a | Information System Component Inventory
  NIST Control Requirement: The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and


CM-8 | 3 b | Information System Component Inventory
  NIST Control Requirement: The organization: Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

CM-8 | 5 | Information System Component Inventory
  NIST Control Requirement: The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.
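The detection loop that the CM-2, CM-7 and CM-8 rows describe (a baseline with two prior versions retained for rollback, only required ports permitted, an inventory carrying the recommended accountability fields, automated detection of unauthorized components and the CM-8(3)(b) response), as an added Python example that is not part of the DOE EM RMAIP or of any site's tooling. The component records, software versions, ports, scanner snapshot and action names are all constructed.

```python
"""Baseline and inventory drift check (added example, constructed data).

Models CM-2 (current baseline, two prior versions kept for rollback),
CM-7(b) (only ports required for operation) and CM-8 (inventory fields,
automated detection of unauthorized components, CM-8(3)(b) response).
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """CM-8 a.4 accountability fields recommended by the RMAIP."""
    device_type: str
    model: str
    serial: str          # serial or tracking number
    location: str
    owner: str
    phone: str


@dataclass
class Baseline:
    """CM-2 baseline: inventory, standard software load, required ports."""
    components: dict     # serial -> Component
    software: dict       # serial -> {product: version}
    allowed_ports: dict  # serial -> {"proto/port", ...} required for operation


class BaselineStore:
    """Current baseline plus the previous `keep` versions (CM-2(3), two)."""

    def __init__(self, keep=2):
        self.history = deque(maxlen=keep + 1)

    def commit(self, baseline):
        self.history.append(baseline)

    @property
    def current(self):
        return self.history[-1]

    def rollback(self):
        """Drop the current baseline and make the previous one current."""
        if len(self.history) < 2:
            raise ValueError("no previous baseline retained")
        self.history.pop()
        return self.current


def assess(baseline, observed):
    """Compare an automated scanner snapshot with the approved baseline.

    observed: list of {"serial", "software": {product: version},
                       "ports": ["proto/port", ...]} as a scanner would report.
    Returns (findings, actions); actions are the CM-8(3)(b) responses chosen
    here for each unauthorized component (disable network access, notify).
    """
    findings = {"unauthorized_component": [], "software_drift": [],
                "port_drift": [], "missing_component": []}
    actions = []
    seen = set()
    for host in observed:
        serial = host["serial"]
        seen.add(serial)
        if serial not in baseline.components:
            findings["unauthorized_component"].append(serial)
            actions.append((serial, ("disable_network_access", "notify_isso")))
            continue
        expected = baseline.software.get(serial, {})
        for product, version in host.get("software", {}).items():
            if expected.get(product) != version:
                findings["software_drift"].append(
                    (serial, product, expected.get(product), version))
        extra = set(host.get("ports", [])) - baseline.allowed_ports.get(serial, set())
        findings["port_drift"].extend((serial, p) for p in sorted(extra))
    # Inventory entries the scanner never saw need a CM-8 b review as well.
    findings["missing_component"] = sorted(set(baseline.components) - seen)
    return findings, actions


# Constructed inventory and baseline (sample values, not a real site)
WORKSTATION = Component("workstation", "Model-X1", "SN-0001",
                        "Bldg 1 Rm 101", "A. Analyst", "555-0100")
WEB_SERVER = Component("server", "Model-S9", "SN-0002",
                       "Data Center A", "B. Admin", "555-0101")
BASELINE_V1 = Baseline(
    components={c.serial: c for c in (WORKSTATION, WEB_SERVER)},
    software={"SN-0001": {"os": "10.0.19045", "browser": "120.0"},
              "SN-0002": {"os": "8.9", "httpd": "2.4.57"}},
    allowed_ports={"SN-0001": set(), "SN-0002": {"tcp/22", "tcp/443"}},
)

# Constructed scanner snapshot: one drifted host, one unknown device
OBSERVED = [
    {"serial": "SN-0001", "software": {"os": "10.0.19045", "browser": "119.0"},
     "ports": ["tcp/21"]},
    {"serial": "SN-0002", "software": {"os": "8.9", "httpd": "2.4.57"},
     "ports": ["tcp/443", "tcp/22"]},
    {"serial": "SN-9999", "software": {}, "ports": ["tcp/80"]},
]


def run_demo():
    """Commit the baseline and assess the constructed snapshot against it."""
    store = BaselineStore()
    store.commit(BASELINE_V1)
    return assess(store.current, OBSERVED)
```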

CM-9 | a | Configuration Management Plan
  NIST Control Requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;
  EM Supplemental Guidance: The configuration management plan satisfies the requirements in the organization's configuration management policy while being tailored to the individual information system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated.


CM-9 | b | Configuration Management Plan
  NIST Control Requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

CM-9 | c | Configuration Management Plan
  NIST Control Requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and

CM-9 | d | Configuration Management Plan
  NIST Control Requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification.

CM-10 | 0 a | Software Usage Restrictions
  NIST Control Requirement: The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws;

CM-10 | 0 b | Software Usage Restrictions
  NIST Control Requirement: The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and


CM-10 | 0 c | Software Usage Restrictions
  NIST Control Requirement: The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CM-11 | 0 a | User-Installed Software
  NIST Control Requirement: The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users;

CM-11 | 0 b | User-Installed Software
  NIST Control Requirement: The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and

CM-11 | 0 c | User-Installed Software
  NIST Control Requirement: The organization: Monitors policy compliance at [Assignment: organization-defined frequency].

CP-1 | 0 a 1 | Contingency Planning Policy and Procedures
  NIST Control Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended organizationally defined value: Security Staff and Administrative Staff

CP-1 | 0 a 2 | Contingency Planning Policy and Procedures
  NIST Control Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
  Recommended organizationally defined value: Security Staff and Administrative Staff


CP-1 | 0 b 1 | Contingency Planning Policy and Procedures
  NIST Control Requirement: The organization: Reviews and updates the current Contingency planning policy [Assignment: organization-defined frequency]; and
  Recommended organizationally defined value: Annually or any time there is a major change

CP-1 | 1 b 2 | Contingency Planning Policy and Procedures
  NIST Control Requirement: The organization: Reviews and updates the current Contingency planning procedures [Assignment: organization-defined frequency].
  Recommended organizationally defined value: Annually or any time there is a major change

CP-2 | 0 a 1 | Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Identifies essential missions and business functions and associated contingency requirements;

CP-2 | 0 a 2 | Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Provides recovery objectives, restoration priorities, and metrics;

CP-2 | 0 a 3 | Contingency Plan
  NIST Control Requirement: Addresses contingency roles, responsibilities, assigned individuals with contact information;

CP-2 | 0 a 4 | Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

CP-2 | 0 a 5 | Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and


CP-2 | 0 a 6 | Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Is reviewed and approved by designated officials within the organization;

CP-2 | 0 b | Contingency Plan
  NIST Control Requirement: The organization distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
  Recommended organizationally defined value: System owner, business function, AODR, ISSM, ISSO, system admins and physical security.

CP-2 | 0 c | Contingency Plan
  NIST Control Requirement: The Organization coordinates contingency planning activities with incident handling activities;

CP-2 | 0 d | Contingency Plan
  NIST Control Requirement: The organization reviews the contingency plan for the information system [Assignment: organization-defined frequency];
  Recommended organizationally defined value: Annually

CP-2 | 0 e | Contingency Plan
  NIST Control Requirement: The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

CP-2 | 0 f | Contingency Plan
  NIST Control Requirement: The organization communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
  Recommended organizationally defined value: System owner, business function, AODR, ISSM, ISSO, system admins and physical security.

CP-2 | 0 g | Contingency Plan
  NIST Control Requirement: The organization protects the contingency plan from unauthorized disclosure and modification.


CP-2 | 1 | Contingency Plan
  NIST Control Requirement: The organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2 | 3 | Contingency Plan
  NIST Control Requirement: The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2 | 8 | Contingency Plan
  NIST Control Requirement: The organization identifies critical information system assets supporting essential missions and business functions.

CP-3 | 0 a | Contingency Training
  NIST Control Requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;

CP-3 | 0 b | Contingency Training
  NIST Control Requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and

CP-3 | 0 c | Contingency Training
  NIST Control Requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended organizationally defined value: Annually


CP-4 | 0 a | Contingency Plan Testing
  NIST Control Requirement: The Organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  Recommended organizationally defined value: The CP is tested annually by table top exercises one year and simulated/live exercise every other year for effectiveness and ability to meet contingencies
  EM Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., checklist, walk-through/table top, simulation: parallel, full interrupt). Contingency plan testing and/or exercises include a determination of the effects on site operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.

CP-4 | 0 b | Contingency Plan Testing
  NIST Control Requirement: The organization: Reviews the contingency plan test results; and

CP-4 | 1 c | Contingency Plan Testing
  NIST Control Requirement: The organization: Initiates corrective actions, if needed.

CP-4 | 1 | Contingency Plan Testing
  NIST Control Requirement: The organization coordinates contingency plan testing with organizational elements responsible for related plans.

CP-6 | 0 a | Alternate Storage Site
  NIST Control Requirement: The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and

CP-6 | 0 b | Alternate Storage Site
  NIST Control Requirement: The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.

CP-6 | 1 | Alternate Storage Site
  NIST Control Requirement: The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.


CP-6 | 3 | Alternate Storage Site
  NIST Control Requirement: The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 | 0 a | Alternate Processing Site
  NIST Control Requirement: The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
  EM Supplemental Guidance: The site has developed an alternate processing site that is approved (through agreements) and that allows the site to meet the mission requirements (one day recommended)

CP-7 | 0 b | Alternate Processing Site
  NIST Control Requirement: The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and

CP-7 | 0 c | Alternate Processing Site
  NIST Control Requirement: The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.

CP-7 | 1 | Alternate Processing Site
  NIST Control Requirement: The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.


CP-7 | 2 | Alternate Processing Site
  NIST Control Requirement: The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 | 3 | Alternate Processing Site
  NIST Control Requirement: The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).

CP-8 | 0 | Telecommunications Services
  NIST Control Requirement: The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
  EM Supplemental Guidance: The site establishes alternate telecommunications services agreements to meet the mission restoration requirements (in accordance with BIA) (Recommend one business day maximum)

CP-8 | 1 a | Telecommunications Services
  NIST Control Requirement: The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and


CP-8 | 1 b | Telecommunications Services
  NIST Control Requirement: The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

CP-8 | 2 | Telecommunications Services
  NIST Control Requirement: The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

CP-9 | 0 a | Information System Backup
  NIST Control Requirement: The organization conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  Recommended organizationally defined value: Daily

CP-9 | 0 b | Information System Backup
  NIST Control Requirement: The organization conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];

CP-9 | 0 c | Information System Backup
  NIST Control Requirement: The organization conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and

Page 84: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

83 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

CP-9 0 dInformation System

Backup

The organization protectsthe confidentiality andintegrity of backupinformation at the storagelocation.

CP-9 1Information System

Backup

The organization testsbackup information[Assignment: organization-defined frequency] to verifymedia reliability andinformation integrity.

At least annually

CP-10

0Information System

Recovery andReconstitution

The organization providesfor the recovery andreconstitution of theinformation system to aknown state after adisruption, compromise, orfailure.

CP-10

2Information System

Recovery andReconstitution

The information systemimplements transactionrecovery for systems thatare transaction-based.

IA-1 0 a 1Identification and

Authentication Policyand Procedures

The organization: develops,documents, anddisseminates to[Assignment: organization-defined personnel or roles]:An identification andauthentication policy thataddresses purpose, scope,roles, responsibilities,management commitment,coordination amongorganizational entities, andcompliance; and

Security Staff andAdministrative Staff

IA-1 0 a 2Identification and

Authentication Policyand Procedures

The organization: develops,documents, anddisseminates to[Assignment: organization-defined personnel or roles]:Procedures to facilitate theimplementation of theidentification andauthentication policy andassociated identification andauthentication controls; and

Security Staff andAdministrative Staff

Page 85: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

84 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

IA-1 0 b 1Identification and

Authentication Policyand Procedures

The organization reviewsand updates the current:Identification andauthentication policy[Assignment: organization-defined frequency]; and

Annually or any timethere is a major change

IA-1 0 b 2Identification and

Authentication Policyand Procedures

The organization reviewsand updates the current:Identification andauthentication procedures[Assignment: organization-defined frequency].

Annually or any timethere is a major change

IA-2 0Identification and

Authentication(Organizational Users)

The information systemuniquely identifies andauthenticates organizationalusers (or processes acting onbehalf of organizationalusers).

IA-2 1Identification and

Authentication(Organizational Users)

The information systemimplements multifactorauthentication for networkaccess to privilegedaccounts.

IA-2 2Identification and

Authentication(Organizational Users)

The information systemimplements multifactorauthentication for networkaccess to non-privilegedaccounts.

IA-2 3Identification and

Authentication(Organizational Users)

The information systemimplements multifactorauthentication for localaccess to privilegedaccounts.

IA-2 8Identification and

Authentication(Organizational Users)

The information systemimplements replay-resistantauthentication mechanismsfor network access toprivileged accounts.

Page 86: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

85 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

IA-2 11Identification and

Authentication(Organizational Users)

The information systemimplements multifactorauthentication for remoteaccess to privileged andnon-privileged accountssuch that one of the factorsis provided by a deviceseparate from the systemgaining access and thedevice meets [Assignment:organization-definedstrength of mechanismrequirements].

IA-2 12Identification and

Authentication(Organizational Users)

The information systemaccepts and electronicallyverifies Personal IdentityVerification (PIV)credentials.

IA-3 0Device Identificationand Authentication

The information systemuniquely identifies andauthenticates [Assignment:organization definedspecific and/or types ofdevices] before establishinga [Selection (one or more):local; remote; network]connection.

Single useauthenticators beforeestablishing a remote

connection

IA-4 0 a Identifier Management

The organization managesinformation systemidentifiers by: Receivingauthorization from[Assignment: organization-defined personnel or roles]to assign an individual,group, role, or deviceidentifier;

All personnel

IA-4 0 b Identifier Management

The organization managesinformation systemidentifiers by: Selecting anidentifier that identifies anindividual, group, role, ordevice;

IA-4 0 c Identifier Management

The organization managesinformation systemidentifiers by: Assigning theidentifier to the intendedindividual, group, role, ordevice;

Page 87: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

86 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

IA-4 0 d Identifier Management

The organization managesinformation systemidentifiers by: Preventingreuse of identifiers for[Assignment: organization-defined time period]; and

IA-4 0 e Identifier Management

The organization managesinformation systemidentifiers by: Disabling theidentifier after [Assignment:organization-defined timeperiod of inactivity].

90 days

IA-5 0 aAuthenticatorManagement

The organization managesinformation systemauthenticators by: Verifying,as part of the initialauthenticator distribution,the identity of theindividual, group, role, ordevice receiving theauthenticator;

IA-5 0 bAuthenticatorManagement

The organization managesinformation systemauthenticators by:Establishing initialauthenticator content forauthenticators defined bythe organization;

IA-5 0 cAuthenticatorManagement

The organization managesinformation systemauthenticators by: Ensuringthat authenticators havesufficient strength ofmechanism for theirintended use;

IA-5 0 dAuthenticatorManagement

The organization managesinformation systemauthenticators by:Establishing andimplementingadministrative proceduresfor initial authenticatordistribution, forlost/compromised ordamaged authenticators, andfor revoking authenticators;

Page 88: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

87 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

IA-5 0 eAuthenticatorManagement

The organization managesinformation systemauthenticators by: Changingdefault content ofauthenticators prior toinformation systeminstallation

IA-5 0 fAuthenticatorManagement

The organization managesinformation systemauthenticators by:Establishing minimum andmaximum lifetimerestrictions and reuseconditions forauthenticators;

IA-5 0 gAuthenticatorManagement

The organization managesinformation systemauthenticators by:Changing/refreshingauthenticators [Assignment:organization-defined timeperiod by authenticatortype];

If passwords are still used therecommended time to force achange is 90 days or less. Ifmultifactor is used the pincan be changed every 6months.

IA-5 0 hAuthenticatorManagement

The organization managesinformation systemauthenticators by: Protectingauthenticator content fromunauthorized disclosure andmodification;

IA-5 0 iAuthenticatorManagement

The organization managesinformation systemauthenticators by: Requiringindividuals to take, andhaving devices implement,specific security safeguardsto protect authenticators;and

IA-5 0 jAuthenticatorManagement

The organization managesinformation systemauthenticators by: Changingauthenticators for group/roleaccounts when membershipto those accounts changes

Page 89: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

88 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

IA-5 1 aAuthenticatorManagement

The information system, forpassword-basedauthentication: Enforcesminimum passwordcomplexity of [Assignment:organization-definedrequirements for casesensitivity, number ofcharacters, mix of upper-case letters, lower-caseletters, numbers, and specialcharacters, includingminimum requirements foreach type];

At least sixteencharacters, at leastsixteen nonblank

characters, combinationof letters, numbers, and

at least one specialcharacter in the first

seven positions, do notcontain user ID, no

simple pattern of lettersor numbers

IA-5 1 bAuthenticatorManagement

The information system, forpassword-basedauthentication: Enforces atleast the following numberof changed characters whennew passwords are created:[Assignment: organization-defined number];

At least 4 characters

IA-5 1 cAuthenticatorManagement

The information system, forpassword-basedauthentication: Stores andtransmits only encryptedrepresentations ofpasswords;

IA-5 1 dAuthenticatorManagement

The information system, forpassword-basedauthentication: Enforcespassword minimum andmaximum lifetimerestrictions of [Assignment:organization definednumbers for lifetimeminimum, lifetimemaximum];

Minimum of one day,maximum of 90 days

IA-5 1 eAuthenticatorManagement

The information system, forpassword-basedauthentication: Prohibitspassword reuse for[Assignment: organization-defined number]generations; and

24

Page 90: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

89 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

IA-5 1 fAuthenticatorManagement

The information system, forpassword-basedauthentication: Allows theuse of a temporary passwordfor system logons with animmediate change to apermanent password.
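The IA-5(1)(a) through (f) values recommended above, enforced as one checker; this is an added example, not code from the DOE/EM document. The limits are the page's values; the simple-pattern heuristic, the positional reading of "changed characters", PBKDF2 storage and the names Account, issue_account, login, change_password and demo are this example's assumptions.

```python
"""IA-5(1) password checker: added example (not DOE/EM code); limits are the page's, heuristics/storage assumed."""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH, MIN_NONBLANK, SPECIAL_WINDOW = 16, 16, 7  # IA-5(1)(a)
MIN_CHANGED, HISTORY_GENERATIONS = 4, 24              # IA-5(1)(b), IA-5(1)(e)
MIN_LIFETIME, MAX_LIFETIME = timedelta(days=1), timedelta(days=90)  # IA-5(1)(d)
SPECIALS, PBKDF2_ROUNDS = set(string.punctuation), 20_000  # low round count for the example

def _changed_chars(old: str, new: str) -> int:
    """Positions that differ plus the length difference (assumed reading of 'changed characters')."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

def _has_simple_pattern(pw: str, run: int = 6) -> bool:
    """Heuristic (assumption): a run of identical or sequential letters/digits."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        seg = s[i:i + run]
        steps = {ord(y) - ord(x) for x, y in zip(seg, seg[1:])}
        if seg.isalnum() and steps in ({0}, {1}, {-1}):  # 'aaaaaa', 'abcdef', '654321'
            return True
    return False

def complexity_violations(password: str, user_id: str) -> list:
    """IA-5(1)(a): every rule the candidate breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 16 characters")
    if sum(1 for c in password if not c.isspace()) < MIN_NONBLANK:
        problems.append("fewer than 16 nonblank characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and numbers")
    if not any(c in SPECIALS for c in password[:SPECIAL_WINDOW]):
        problems.append("no special character in the first seven positions")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if _has_simple_pattern(password):
        problems.append("simple pattern of letters or numbers")
    return problems

def _digest(password: str, salt: bytes) -> bytes:
    """IA-5(1)(c): only a salted one-way representation is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)  # (salt, digest) of earlier passwords
    last_changed: datetime = None
    temporary: bool = False                      # IA-5(1)(f): replace at first logon

def issue_account(user_id: str, temp_password: str, now: datetime) -> Account:
    """Administrator creates the account with a temporary password (IA-5(1)(f))."""
    salt = os.urandom(16)
    return Account(user_id, salt, _digest(temp_password, salt), [], now, True)

def login(acct: Account, password: str, now: datetime) -> str:
    """'denied', 'change-required' (temporary, or older than 90 days) or 'ok'."""
    if _digest(password, acct.salt) != acct.digest:
        return "denied"
    if acct.temporary or now - acct.last_changed > MAX_LIFETIME:
        return "change-required"
    return "ok"

def change_password(acct: Account, old: str, new: str, now: datetime) -> list:
    """Apply IA-5(1)(a)-(f); returns the violations, or [] once the change is made."""
    if _digest(old, acct.salt) != acct.digest:
        return ["current password incorrect"]
    problems = complexity_violations(new, acct.user_id)
    if not acct.temporary and now - acct.last_changed < MIN_LIFETIME:
        problems.append("minimum lifetime of one day not reached")
    if _changed_chars(old, new) < MIN_CHANGED:
        problems.append("fewer than 4 characters changed")
    generations = acct.history[-(HISTORY_GENERATIONS - 1):] + [(acct.salt, acct.digest)]
    if any(_digest(new, s) == d for s, d in generations):
        problems.append("reused within the last 24 generations")
    if problems:
        return problems
    acct.history = generations                   # the old password joins the history
    acct.salt = os.urandom(16)
    acct.digest = _digest(new, acct.salt)
    acct.last_changed, acct.temporary = now, False
    return []

def demo() -> dict:
    """Walk one constructed account through the lifecycle; returns each outcome."""
    t0 = datetime(2024, 1, 8, 9, 0)
    acct = issue_account("jdoe", "Temp!Start2024Pass", t0)
    out = {"temp_login": login(acct, "Temp!Start2024Pass", t0)}
    out["first_change"] = change_password(acct, "Temp!Start2024Pass", "Gr8!Hanford-Vault-77", t0)
    out["login"] = login(acct, "Gr8!Hanford-Vault-77", t0)
    out["too_soon"] = change_password(acct, "Gr8!Hanford-Vault-77", "Gr8!Hanford-Vault-78", t0 + timedelta(hours=1))
    out["reuse"] = change_password(acct, "Gr8!Hanford-Vault-77", "Temp!Start2024Pass", t0 + timedelta(days=2))
    out["expired"] = login(acct, "Gr8!Hanford-Vault-77", t0 + timedelta(days=91))
    return out
```

The history check hashes the candidate under each stored salt, so IA-5(1)(e) is enforced without ever keeping a plaintext password.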

IA-5 2 a - Authenticator Management
  NIST Control Requirements: The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;

IA-5 2 b - Authenticator Management
  NIST Control Requirements: The information system, for PKI-based authentication: Enforces authorized access to the corresponding private key;

IA-5 2 c - Authenticator Management
  NIST Control Requirements: The information system, for PKI-based authentication: Maps the authenticated identity to the account of the individual or group; and

IA-5 2 d - Authenticator Management
  NIST Control Requirements: The information system, for PKI-based authentication: Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

IA-5 3 - Authenticator Management
  NIST Control Requirements: The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
  Recommended organizationally defined values: Two-factor authenticators and/or encryption keys

IA-5 11 - Authenticator Management
  NIST Control Requirements: The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].

IA-6 - Authenticator Feedback
  NIST Control Requirements: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 - Cryptographic Module Authentication
  NIST Control Requirements: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirements: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
  EM Supplemental Guidance: Non-organizational users include all information system users other than organizational users explicitly covered by IA-2.

IA-8 1 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirements: The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

IA-8 2 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirements: The information system accepts only FICAM-approved third-party credentials.

IA-8 3 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirements: The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.

IA-8 4 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirements: The information system conforms to FICAM-issued profiles.

IR-1 0 a 1 - Incident Response Policy and Procedures
  NIST Control Requirements: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  Recommended organizationally defined values: Security Staff and Administrative Staff

IR-1 0 a 2 - Incident Response Policy and Procedures
  NIST Control Requirements: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
  Recommended organizationally defined values: Security Staff and Administrative Staff

IR-1 0 b 1 - Incident Response Policy and Procedures
  NIST Control Requirements: The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and
  Recommended organizationally defined values: Annually or any time there is a major change

IR-1 0 b 2 - Incident Response Policy and Procedures
  NIST Control Requirements: The organization: Reviews and updates the current: Incident response procedures [Assignment: organization-defined frequency].
  Recommended organizationally defined values: Annually or any time there is a major change

IR-2 0 a - Incident Response Training
  NIST Control Requirements: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
  Recommended organizationally defined values: Six weeks
  EM Supplemental Guidance: Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.

IR-2 0 b - Incident Response Training
  NIST Control Requirements: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and

IR-2 0 c - Incident Response Training
  NIST Control Requirements: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended organizationally defined values: Annually

IR-3 0 - Incident Response Testing and Exercises
  NIST Control Requirements: The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
  Recommended organizationally defined values: The site test exercises incident response scenarios at least annually; this will include detection, analysis, containment, eradication and recovery

IR-3 2 - Incident Response Testing and Exercises
  NIST Control Requirements: The organization coordinates incident response testing with organizational elements responsible for related plans.

IR-4 0 a - Incident Handling
  NIST Control Requirements: The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

IR-4 0 b - Incident Handling
  NIST Control Requirements: The organization: Coordinates incident handling activities with contingency planning activities; and

IR-4 0 c - Incident Handling
  NIST Control Requirements: The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

IR-4 1 - Incident Handling
  NIST Control Requirements: The organization employs automated mechanisms to support the incident handling process.

IR-5 0 - Incident Monitoring
  NIST Control Requirements: The organization tracks and documents information system security incidents.

IR-6 0 a - Incident Reporting
  NIST Control Requirements: The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
  Recommended organizationally defined values: Immediately upon detection if the incident is thought to involve PII or two hours for moderate categorized systems for all other types of incidents
  EM Supplemental Guidance: EM requires that the EM CSPM and the EM-1 be notified when PII of 100 or more is affected or in the case of a release of classified information into the public domain.

IR-6 0 b - Incident Reporting
  NIST Control Requirements: The organization: Reports security incident information to [Assignment: organization-defined authorities].
  Recommended organizationally defined values: JC3

IR-6 1 - Incident Reporting
  NIST Control Requirements: The organization employs automated mechanisms to assist in the reporting of security incidents.

IR-7 0 - Incident Response Assistance
  NIST Control Requirements: The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-7 1 - Incident Response Assistance
  NIST Control Requirements: The organization employs automated mechanisms to increase the availability of incident response related information and support.

IR-8 0 a 1 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability;
  EM Supplemental Guidance: It is important that organizations have a formal, focused, and coordinated approach to responding to incidents. The organization's mission, strategies, and goals for incident response help determine the structure of its incident response capability.

IR-8 0 a 2 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Describes the structure and organization of the incident response capability;

IR-8 0 a 3 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Provides a high-level approach for how the incident response capability fits into the overall organization;

IR-8 0 a 4 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;

IR-8 0 a 5 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Defines reportable incidents;

IR-8 0 a 6 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Provides metrics for measuring the incident response capability within the organization;

IR-8 0 a 7 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and

IR-8 0 a 8 - Incident Response Plan
  NIST Control Requirements: The organization: Develops an incident response plan that: Is reviewed and approved by [Assignment: organization-defined personnel or roles];
  Recommended organizationally defined values: Incident response team

IR-8 0 b - Incident Response Plan
  NIST Control Requirements: The organization: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];

IR-8 0 c - Incident Response Plan
  NIST Control Requirements: The organization: Reviews the incident response plan [Assignment: organization-defined frequency];
  Recommended organizationally defined values: Annually

IR-8 0 d - Incident Response Plan
  NIST Control Requirements: The organization: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;

IR-8 0 e - Incident Response Plan
  NIST Control Requirements: The organization: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and

Page 97: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

96 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

IR-8 0 fIncident Response

Plan

The organization: Protectsthe incident response planfrom unauthorizeddisclosure and modification.

MA-1

a -Maintenance Policy

and Procedures

The organization: a.Develops, documents, anddisseminates to[Assignment: organization-defined personnel or roles]:A system maintenancepolicy that addressespurpose, scope, roles,responsibilities,management commitment,coordination amongorganizational entities, andcompliance; and

Security Staff andAdministrative Staff

MA-1

a -Maintenance Policy

and Procedures

The organization: a.Develops, documents, anddisseminates to[Assignment: organization-defined personnel or roles]:Procedures to facilitate theimplementation of thesystem maintenance policyand associated systemmaintenance controls; and

Security Staff andAdministrative Staff

MA-1

b -Maintenance Policy

and Procedures

The organization: Reviewsand updates the current:System maintenance policy[Assignment: organization-defined frequency]; and

Annually or any timethere is a major change

MA-1

b -Maintenance Policy

and Procedures

The organization: Reviewsand updates the current:System maintenanceprocedures [Assignment:organization-definedfrequency].

Annually or any timethere is a major change

MA-2

a -Controlled

Maintenance

The organization schedules,performs, documents, andreviews records ofmaintenance and repairs oninformation systemcomponents in accordancewith manufacturer or vendorspecifications and/ororganizational requirements;

Page 98: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

97 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

MA-2

b -Controlled

Maintenance

The organization approvesand monitors allmaintenance activities,whether performed on siteor remotely and whether theequipment is serviced onsite or removed to anotherlocation;

MA-2

c -Controlled

Maintenance

The organization requiresthat [Assignment:organization-definedpersonnel or roles] explicitlyapprove the removal of theinformation system orsystem components fromorganizational facilities foroff-site maintenance orrepairs;

MA-2

d -Controlled

Maintenance

The organization sanitizesequipment to remove allinformation from associatedmedia prior to removal fromorganizational facilities foroff-site maintenance orrepairs; and

MA-2

e -Controlled

Maintenance

The organization checks allpotentially impactedsecurity controls to verifythat the controls are stillfunctioning properlyfollowing maintenance orrepair actions.

MA-2

f -Controlled

Maintenance

The organization includes[Assignment: organization-defined maintenance-relatedinformation] inorganizational maintenancerecords.

Page 99: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

98 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

MA-3

- Maintenance Tools

The organization approves,controls, and monitorsinformation systemmaintenance tools.

The intent of this control is toaddress the security-relatedissues arising from thehardware and softwarebrought into the informationsystem specifically fordiagnostic and repair actions(e.g., a hardware or softwarepacket sniffer that isintroduced for the purpose ofa particular maintenanceactivity).

MA-3

1 - Maintenance Tools

The organization inspectsthe maintenance toolscarried into a facility bymaintenance personnel forimproper or unauthorizedmodifications.

MA-3

2 - Maintenance Tools

The organization checksmedia containing diagnosticand test programs formalicious code before themedia are used in theinformation system.

MA-4

a -Non-Local

Maintenance

The organization approvesand monitors non-localmaintenance and diagnosticactivities;

Non-local maintenance anddiagnostic activities are thoseactivities conducted byindividuals communicatingthrough a network; either anexternal network (e.g., theInternet) or an internalnetwork.

MA-4

b -Non-Local

Maintenance

The organization allows theuse of non-localmaintenance and diagnostictools only as consistent withorganizational policy anddocumented in the securityplan for the informationsystem;

MA-4

c -Non-Local

Maintenance

The organization employsstrong authenticators in theestablishment of nonlocalmaintenance and diagnosticsessions;

MA-4

d -Non-Local

Maintenance

The organization maintainsrecords for non-localmaintenance and diagnosticactivities; and

Page 100: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

99 of 266

Cntl.#

En

han

cem

ent

#

# - Control NameNIST ControlRequirements

Recommendorganizationallydefined values

EM SupplementalGuidance

MA-4 e - Non-Local Maintenance
  Requirement: The organization terminates session and network connections when non-local maintenance is completed.

MA-4 (2) - Non-Local Maintenance
  Requirement: The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

MA-5 a - Maintenance Personnel
  Requirement: The organization establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

MA-5 b - Maintenance Personnel
  Requirement: The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

MA-5 c - Maintenance Personnel
  Requirement: The organization designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

MA-6 - Timely Maintenance
  Requirement: The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
  EM Supplemental Guidance: The organization specifies those information system components that, when not operational, result in increased risk to organizations, individuals, or the Nation because the security functionality intended by that component is not being provided. Security-critical components include, for example, firewalls, guards, gateways, intrusion detection systems, audit repositories, authentication servers, and intrusion prevention systems.


MP-1 a.1 - Media Protection Policy and Procedures
  Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

MP-1 a.2 - Media Protection Policy and Procedures
  Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
  Recommended value: Security Staff and Administrative Staff

MP-1 b.1 - Media Protection Policy and Procedures
  Requirement: The organization reviews and updates the current: Media protection policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

MP-1 b.2 - Media Protection Policy and Procedures
  Requirement: The organization reviews and updates the current: Media protection procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change


MP-2 - Media Access
  Requirement: The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
  Recommended value: Controlled unclassified information (e.g., Official Use Only, Personally Identifiable Information, Unclassified Controlled Nuclear Information (UCNI), Sensitive Security Information). Those individuals with defined business requirement. Group or other assigned access restrictions which are clearly documented.
  EM Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).

MP-3 a - Media Marking
  Requirement: The organization marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

MP-3 b - Media Marking
  Requirement: The organization exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
  EM Supplemental Guidance: This applies to media that would remain in an operational component that is installed in a limited access area where the physical control of the assigned device is assigned and tracked to an individual in the DOE physically controlled space.


MP-4 a - Media Storage
  Requirement: The organization physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
  Recommended value: All digital and non-digital controlled unclassified information (e.g., backup tapes, external/removable hard drives, flash/thumb drives, compact discs, DVDs)

MP-4 b - Media Storage
  Requirement: The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-5 a - Media Transport
  Requirement: The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
  Recommended value: All digital and non-digital controlled unclassified information (e.g., backup tapes, external/removable hard drives, flash/thumb drives, compact discs, DVDs) - using FIPS 140-2
  EM Supplemental Guidance: This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices) that are transported outside of controlled areas.

MP-5 b - Media Transport
  Requirement: The organization: Maintains accountability for information system media during transport outside of controlled areas;

MP-5 c - Media Transport
  Requirement: The organization: Documents activities associated with the transport of information system media; and

MP-5 d - Media Transport
  Requirement: The organization: Restricts the activities associated with the transport of information system media to authorized personnel.

MP-5 (4) - Media Transport
  Requirement: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.


MP-6 a - Media Sanitization
  Requirement: The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
  EM Supplemental Guidance: This control applies to all media subject to disposal or reuse, whether or not considered removable.

MP-6 b - Media Sanitization
  Requirement: The organization: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
  EM Supplemental Guidance: As an example, all media used in NSS would be destroyed via a shredder and/or degaussing.

MP-7 - Media Use
  Requirement: The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].

MP-7 (1) - Media Use
  Requirement: The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.


PE-1 a.1 - Physical and Environmental Protection Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

PE-1 a.2 - Physical and Environmental Protection Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
  Recommended value: Security Staff and Administrative Staff

PE-1 b.1 - Physical and Environmental Protection Policy and Procedures
  Requirement: The organization reviews and updates the current: Physical and environmental protection policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

PE-1 b.2 - Physical and Environmental Protection Policy and Procedures
  Requirement: The organization reviews and updates the current: Physical and environmental protection procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

PE-2 a - Physical Access Authorizations
  Requirement: The organization: Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

PE-2 b - Physical Access Authorizations
  Requirement: The organization: Issues authorization credentials for facility access;


PE-2 c - Physical Access Authorizations
  Requirement: The organization: Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
  Recommended value: Every 6 months

PE-2 d - Physical Access Authorizations
  Requirement: The organization: Removes individuals from the facility access list when access is no longer required.

PE-3 a.1 - Physical Access Control
  Requirement: The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by: Verifying individual access authorizations before granting access to the facility; and

PE-3 a.2 - Physical Access Control
  Requirement: The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by: Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];

PE-3 b - Physical Access Control
  Requirement: The organization: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];

PE-3 c - Physical Access Control
  Requirement: The organization: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;


PE-3 d - Physical Access Control
  Requirement: The organization: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];

PE-3 e - Physical Access Control
  Requirement: The organization: Secures keys, combinations, and other physical access devices;

PE-3 f - Physical Access Control
  Requirement: The organization: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
  Recommended value: Every 6 months

PE-3 g - Physical Access Control
  Requirement: The organization: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
  Recommended value: Every 6 months for combinations. Key locks should be changed when an individual leaves.

PE-4 - Access Control for Transmission Medium
  Requirement: The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

PE-5 - Access Control for Output Devices
  Requirement: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

PE-6 a - Monitoring Physical Access
  Requirement: The organization: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;


PE-6 b - Monitoring Physical Access
  Requirement: The organization: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
  Recommended value: Every 6 months

PE-6 c - Monitoring Physical Access
  Requirement: The organization: Coordinates results of reviews and investigations with the organizational incident response capability.

PE-6 (1) - Monitoring Physical Access
  Requirement: The organization monitors physical intrusion alarms and surveillance equipment.

PE-8 a - Visitor Access Records
  Requirement: The organization maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and

PE-8 b - Visitor Access Records
  Requirement: The organization reviews visitor access records [Assignment: organization-defined frequency].
  Recommended value: Every 6 months

PE-9 - Power Equipment and Power Cabling
  Requirement: The organization protects power equipment and power cabling for the information system from damage and destruction.

PE-10 a - Emergency Shutoff
  Requirement: The organization provides the capability of shutting off power to the information system or individual system components in emergency situations;

PE-10 b - Emergency Shutoff
  Requirement: The organization places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
  Recommended value: A single room or environment within datacenters and other areas with a significant amount of IT resources


PE-10 c - Emergency Shutoff
  Requirement: The organization protects emergency power shutoff capability from unauthorized activation.

PE-11 - Emergency Power
  Requirement: The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

PE-12 - Emergency Lighting
  Requirement: The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
  EM Supplemental Guidance: For small equipment rooms, several home-style emergency lights available at most hardware stores are sufficient for emergency lighting. In large data centers, these would not be suitable.

PE-13 - Fire Protection
  Requirement: The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

PE-13 (3) - Fire Protection
  Requirement: The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

PE-14 a - Temperature and Humidity Controls
  Requirement: The organization maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
  Recommended value: 68-77 degrees Fahrenheit, 45-55%


PE-14 b - Temperature and Humidity Controls
  Requirement: The organization monitors temperature and humidity levels [Assignment: organization-defined frequency].
  Recommended value: Daily

PE-15 - Water Damage Protection
  Requirement: The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

PE-16 - Delivery and Removal
  Requirement: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
  Recommended value: All telecommunications or IT related devices (can be over certain $ threshold)

PE-17 a - Alternate Work Site
  Requirement: The organization employs [Assignment: organization-defined security controls] at alternate work sites;
  Recommended value: All management, operational, and technical information system security controls

PE-17 b - Alternate Work Site
  Requirement: The organization assesses as feasible, the effectiveness of security controls at alternate work sites; and

PE-17 c - Alternate Work Site
  Requirement: The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.

PL-1 a.1 - Security Planning Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff


PL-1 a.2 - Security Planning Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
  Recommended value: Security Staff and Administrative Staff

PL-1 b.1 - Security Planning Policy and Procedures
  Requirement: The organization: Reviews and updates the current: Security planning policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

PL-1 b.2 - Security Planning Policy and Procedures
  Requirement: The organization: Reviews and updates the current: Security planning procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

PL-2 a.1 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Is consistent with the organization's enterprise architecture;
  EM Supplemental Guidance: The EM eGovRPM repository must be used to create and maintain a security plan and to store any security related documentation.

PL-2 a.2 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Explicitly defines the authorization boundary for the system;

PL-2 a.3 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Describes the operational context of the information system in terms of missions and business processes;

PL-2 a.4 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Provides the security categorization of the information system including supporting rationale;


PL-2 a.5 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems;

PL-2 a.6 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Provides an overview of the security requirements for the system;

PL-2 a.7 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Identifies any relevant overlays, if applicable;

PL-2 a.8 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and

PL-2 a.9 - System Security Plan
  Requirement: The organization: Develops a security plan for the information system that: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

PL-2 b - System Security Plan
  Requirement: The organization distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
  Recommended value: Security Staff, Administrative Staff, the AODR & the AO


PL-2 c - System Security Plan
  Requirement: The organization reviews the security plan for the information system [Assignment: organization-defined frequency];
  Recommended value: Annually

PL-2 d - System Security Plan
  Requirement: The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

PL-2 e - System Security Plan
  Requirement: The organization protects the security plan from unauthorized disclosure and modification.

PL-2 (3) - System Security Plan
  Requirement: The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.

PL-4 a - Rules of Behavior
  Requirement: The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

PL-4 b - Rules of Behavior
  Requirement: The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;


PL-4 c - Rules of Behavior
  Requirement: The organization: Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and

PL-4 d - Rules of Behavior
  Requirement: The organization: Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

PL-4 (1) - Rules of Behavior
  Requirement: The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

PL-8 a.1 - Information Security Architecture
  Requirement: The organization: Develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;

PL-8 a.2 - Information Security Architecture
  Requirement: The organization: Develops an information security architecture for the information system that: Describes how the information security architecture is integrated into and supports the enterprise architecture; and

PL-8 a.3 - Information Security Architecture
  Requirement: The organization: Develops an information security architecture for the information system that: Describes any information security assumptions about, and dependencies on, external services;


PL-8 b - Information Security Architecture
  Requirement: The organization: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and

PL-8 c - Information Security Architecture
  Requirement: The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

PS-1 a.1 - Personnel Security Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

PS-1 a.2 - Personnel Security Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
  Recommended value: Security Staff and Administrative Staff

PS-1 b.1 - Personnel Security Policy and Procedures
  Requirement: The organization: Reviews and updates the current: Personnel security policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change


PS-1 b.2 - Personnel Security Policy and Procedures
  Requirement: The organization: Reviews and updates the current: Personnel security procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

PS-2 a - Position Categorization
  Requirement: The organization: Assigns a risk designation to all positions;

PS-2 b - Position Categorization
  Requirement: The organization: Establishes screening criteria for individuals filling those positions; and

PS-2 c - Position Categorization
  Requirement: The organization: Reviews and revises position risk designations [Assignment: organization-defined frequency].
  Recommended value: Annually or when new positions are developed

PS-3 a - Personnel Screening
  Requirement: The organization: Screens individuals prior to authorizing access to the information system; and

PS-3 b - Personnel Screening
  Requirement: The organization: Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].
  Recommended value: The risk categorization, but no less than every 60 months or any time the manager feels the individual's risk factors have changed, in accordance with HSPD-12 and HR

PS-4 a - Personnel Termination
  Requirement: The organization, upon termination of individual employment: Disables information system access, within [Assignment: organization-defined time period];

PS-4 b - Personnel Termination
  Requirement: The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual;


PS-4 c - Personnel Termination
  Requirement: The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];

PS-4 d - Personnel Termination
  Requirement: The organization, upon termination of individual employment: Retrieves all security-related organizational information system-related property;

PS-4 e - Personnel Termination
  Requirement: The organization, upon termination of individual employment: Retains access to organizational information and information systems formerly controlled by terminated individual; and

PS-4 f - Personnel Termination
  Requirement: The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

PS-5 a - Personnel Transfer
  Requirement: The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

PS-5 b - Personnel Transfer
  Requirement: The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
  Recommended value: A review to ensure all individual access is modified appropriate to the new position within 30 days of a transfer action


PS-5 c - Personnel Transfer
Requirement: The organization: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

PS-5 d - Personnel Transfer
Requirement: The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

PS-6 a - Access Agreements
Requirement: The organization develops and documents access agreements for organizational information systems;
EM Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements.

PS-6 b - Access Agreements
Requirement: The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
Recommended value: Annually

PS-6 c 1 - Access Agreements
Requirement: The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and

PS-6 c 2 - Access Agreements
Requirement: The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].


PS-7 a - Third-Party Personnel Security
Requirement: The organization establishes personnel security requirements including security roles and responsibilities for third-party providers.
EM Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management.

PS-7 b - Third-Party Personnel Security
Requirement: The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.

PS-7 c - Third-Party Personnel Security
Requirement: The organization documents personnel security requirements.

PS-7 d - Third-Party Personnel Security
Requirement: The organization requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges, within [Assignment: organization-defined time period]; and

PS-7 e - Third-Party Personnel Security
Requirement: The organization monitors provider compliance.

PS-8 a - Personnel Sanctions
Requirement: The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures; and


PS-8 b - Personnel Sanctions
Requirement: The organization notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

RA-1 a - Risk Assessment Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

RA-1 a - Risk Assessment Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
Recommended value: Security Staff and Administrative Staff

RA-1 b - Risk Assessment Policy and Procedures
Requirement: The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

RA-1 b - Risk Assessment Policy and Procedures
Requirement: The organization: Reviews and updates the current: Risk assessment procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change


RA-2 a - Security Categorization
Requirement: The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

RA-2 b - Security Categorization
Requirement: The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

RA-2 c - Security Categorization
Requirement: The organization: Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

RA-3 a - Risk Assessment
Requirement: The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

RA-3 b - Risk Assessment
Requirement: The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
Recommended value: A risk assessment report or security assessment report

RA-3 c - Risk Assessment
Requirement: The organization: Reviews risk assessment results [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change


RA-3 d - Risk Assessment
Requirement: The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and

RA-3 e - Risk Assessment
Requirement: The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

RA-5 a - Vulnerability Scanning
Requirement: The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
Recommended value: Quarterly

RA-5 b 1 - Vulnerability Scanning
Requirement: The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations;


RA-5 b 2 - Vulnerability Scanning
Requirement: The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting checklists and test procedures and making them transparent; and

RA-5 b 3 - Vulnerability Scanning
Requirement: The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact;

RA-5 c - Vulnerability Scanning
Requirement: The organization: Analyzes vulnerability scan reports and results from security control assessments;

RA-5 d - Vulnerability Scanning
Requirement: The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
Recommended value: Within 60 days for high and 30 days for critical vulnerabilities

RA-5 e - Vulnerability Scanning
Requirement: The organization: Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

RA-5 (1) - Vulnerability Scanning
Requirement: The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.


RA-5 (2) - Vulnerability Scanning
Requirement: The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

RA-5 (5) - Vulnerability Scanning
Requirement: The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].

SA-1 a 1 - System Services Acquisition Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

SA-1 a 2 - System Services Acquisition Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
Recommended value: Security Staff and Administrative Staff


SA-1 b 1 - System Services Acquisition Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

SA-1 b 2 - System Services Acquisition Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and services acquisition procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change

SA-2 a - Allocation of Resources
Requirement: The organization: Determines information security requirements for the information system or information system service in mission/business process planning;

SA-2 b - Allocation of Resources
Requirement: The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

SA-2 c - Allocation of Resources
Requirement: The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-3 a - System Development Life Cycle
Requirement: The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;

SA-3 b - System Development Life Cycle
Requirement: The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle;


SA-3 c - System Development Life Cycle
Requirement: The organization: Identifies individuals having information security roles and responsibilities; and

SA-3 d - System Development Life Cycle
Requirement: The organization: Integrates the organizational information security risk management process into system development life cycle activities.

SA-4 a - Acquisition Process
Requirement: The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements;

SA-4 b - Acquisition Process
Requirement: Security strength requirements;

SA-4 c - Acquisition Process
Requirement: Security assurance requirements;

SA-4 d - Acquisition Process
Requirement: Security-related documentation requirements;

SA-4 e - Acquisition Process
Requirement: Requirements for protecting security-related documentation;

SA-4 f - Acquisition Process
Requirement: Description of the information system development environment and environment in which the system is intended to operate; and

SA-4 g - Acquisition Process
Requirement: Acceptance criteria.


SA-4 (1) - Acquisition Process
Requirement: The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.

SA-4 (2) - Acquisition Process
Requirement: The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].

SA-4 (9) - Acquisition Process
Requirement: The organization requires the developer of the information system, system component, or information system service to identify, early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

SA-4 (10) - Acquisition Process
Requirement: The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.


SA-5 a 1 - Information System Documentation
Requirement: The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service;

SA-5 a 2 - Information System Documentation
Requirement: The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Effective use and maintenance of security functions/mechanisms; and

SA-5 a 3 - Information System Documentation
Requirement: The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

SA-5 b 1 - Information System Documentation
Requirement: The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

SA-5 b 2 - Information System Documentation
Requirement: The organization: Obtains user documentation for the information system, system component, or information system service that describes: Methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner; and


SA-5 b 3 - Information System Documentation
Requirement: The organization: Obtains user documentation for the information system, system component, or information system service that describes: User responsibilities in maintaining the security of the system, component, or service;

SA-5 c - Information System Documentation
Requirement: The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;

SA-5 d - Information System Documentation
Requirement: The organization: Protects documentation as required, in accordance with the risk management strategy; and

SA-5 e - Information System Documentation
Requirement: The organization: Distributes documentation to [Assignment: organization-defined personnel or roles].

SA-8 - Security Engineering Principles
Requirement: The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.


SA-9 a - External Information System Services
Requirement: The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
EM Supplemental Guidance: An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system. The responsibility for adequately mitigating risks arising from the use of external information system services remains with the authorizing official.

SA-9 b - External Information System Services
Requirement: The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

SA-9 c - External Information System Services
Requirement: The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

SA-9 (2) - External Information System Services
Requirement: The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.

SA-10 a - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];


SA-10 b - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];

SA-10 c - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Implement only organization-approved changes to the system, component, or service;

SA-10 d - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Document approved changes to the system, component, or service and the potential security impacts of such changes; and

SA-10 e - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].


SA-11 a - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;

SA-11 b - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];

SA-11 c - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

SA-11 d - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and

SA-11 e - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation.


SC-1 a 1 - System Communications Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

SC-1 a 2 - System Communications Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
Recommended value: Security Staff and Administrative Staff

SC-1 b 1 - System Communications Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

SC-1 b 2 - System Communications Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and communications protection procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change


SC-2 - Application Partitioning
Requirement: The information system separates user functionality (including user interface services) from information system management functionality.
EM Supplemental Guidance: The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

SC-4 - Information in Shared Resources
Requirement: The information system prevents unauthorized and unintended information transfer via shared system resources.
EM Supplemental Guidance: The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.

SC-5 - Denial of Service Protection
Requirement: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Recommended value: ICMP flood, Teardrop attack, Peer-to-peer attacks, Permanent denial-of-service attacks, Application level floods, Nuke, Distributed attack, Reflected attack, and Unintentional attack
EM Supplemental Guidance: A variety of technologies exist to limit, or in some cases eliminate, the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks.


________________________________________________________________________

________________________________________________________________________DOE EM RMAIP

134 of 266


SC-7 (a) Boundary Protection
NIST Control Requirement: The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
EM Supplemental Guidance: Restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source are examples of restricting and prohibiting communications. Managed interfaces employing boundary protection devices include, for example, proxies, gateways, routers, firewalls, guards, or encrypted tunnels arranged in an effective security architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ). The EM enterprise full packet capture satisfies part of this requirement.

SC-7 (b) Boundary Protection
NIST Control Requirement: The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

SC-7 (c) Boundary Protection
NIST Control Requirement: The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7 (3) Boundary Protection
NIST Control Requirement: The organization limits the number of external network connections to the information system.


SC-7 (4)(a) Boundary Protection
NIST Control Requirement: The organization: Implements a managed interface for each external telecommunication service;

SC-7 (4)(b) Boundary Protection
NIST Control Requirement: The organization: Establishes a traffic flow policy for each managed interface;

SC-7 (4)(c) Boundary Protection
NIST Control Requirement: The organization: Protects the confidentiality and integrity of the information being transmitted across each interface;

SC-7 (4)(d) Boundary Protection
NIST Control Requirement: The organization: Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;

SC-7 (4)(e) Boundary Protection
NIST Control Requirement: The organization: Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Recommended organizationally defined value: Annually

SC-7 (5) Boundary Protection
NIST Control Requirement: The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
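The following is an added worked example, not part of the RMAIP or any EM site's configuration, showing how the SC-7 (4)(d), (4)(e) and (5) requirements above and the anti-spoofing point in the SC-7 (a) guidance fit together in one managed-interface policy: traffic is denied by default, each permit is a documented exception with a business need and an end date, lapsed exceptions are listed for removal at the annual review, and external traffic claiming an internal source address is dropped. The rule names, address ranges (RFC 5737 documentation ranges), needs and dates are constructed.

```python
"""Deny-all, permit-by-exception traffic-flow policy check.

Added illustration for SC-7 (a) guidance, SC-7 (4)(d)/(e) and SC-7 (5); it is not
RMAIP or EM site code. Rule names, addresses, needs and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowException:
    """One documented exception to the deny-all policy (SC-7 (4)(d))."""
    name: str
    src: str        # permitted source range (CIDR)
    dst: str        # permitted destination range (CIDR)
    dport: int
    proto: str
    need: str       # supporting mission/business need
    expires: date   # end of the period the need is documented for

    def matches(self, src_ip, dst_ip, dport, proto, today):
        return (today <= self.expires
                and proto == self.proto and dport == self.dport
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


class ManagedInterface:
    """An external managed interface: default deny, exceptions permit (SC-7 (5))."""

    def __init__(self, internal_nets, exceptions):
        self.internal_nets = [ip_network(n) for n in internal_nets]
        self.exceptions = list(exceptions)

    def decide(self, src_ip, dst_ip, dport, proto, today):
        """Return (verdict, reason) for one inbound flow from the external side."""
        # SC-7 (a) guidance: external traffic claiming an internal source is spoofed.
        if any(ip_address(src_ip) in n for n in self.internal_nets):
            return "DENY", "spoofed-internal-source"
        for ex in self.exceptions:
            if ex.matches(src_ip, dst_ip, dport, proto, today):
                return "PERMIT", ex.name
        return "DENY", "default-deny"

    def review(self, today):
        """SC-7 (4)(e): names of exceptions whose documented need has lapsed."""
        return [ex.name for ex in self.exceptions if today > ex.expires]


# Constructed sample policy; addresses are RFC 5737 documentation ranges.
SAMPLE = ManagedInterface(
    internal_nets=["10.0.0.0/8"],
    exceptions=[
        FlowException("inet-to-dmz-https", "0.0.0.0/0", "203.0.113.0/24", 443, "tcp",
                      "public web service", date(2026, 12, 31)),
        FlowException("vendor-sftp", "198.51.100.7/32", "203.0.113.20/32", 22, "tcp",
                      "vendor file exchange (placeholder project)", date(2024, 6, 30)),
    ],
)
TODAY = date(2025, 1, 15)  # constructed review date


def demo():
    return {
        "web": SAMPLE.decide("192.0.2.5", "203.0.113.10", 443, "tcp", TODAY),
        "ssh": SAMPLE.decide("192.0.2.5", "203.0.113.10", 22, "tcp", TODAY),
        "expired": SAMPLE.decide("198.51.100.7", "203.0.113.20", 22, "tcp", TODAY),
        "spoofed": SAMPLE.decide("10.1.2.3", "203.0.113.10", 443, "tcp", TODAY),
        "to_remove": SAMPLE.review(TODAY),
    }
```

An expired exception stops permitting traffic on its own, so the annual review in SC-7 (4)(e) becomes a clean-up of rules that are already inert rather than the only thing standing between a forgotten business need and an open port.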


SC-7 (7) Boundary Protection
NIST Control Requirement: The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
EM Supplemental Guidance: This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling.

SC-8 Transmission Integrity and Confidentiality
NIST Control Requirement: The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
EM Supplemental Guidance: This control applies to communications across internal and external networks.

SC-8 (1) Transmission Integrity and Confidentiality
NIST Control Requirement: The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

SC-10 Network Disconnect
NIST Control Requirement: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Recommended organizationally defined value: 30 minutes of inactivity
EM Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.


SC-12 Cryptographic Key Establishment and Management
NIST Control Requirement: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

SC-13 Use of Cryptography
NIST Control Requirement: The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-15 (a) Collaborative Computing Devices
NIST Control Requirement: The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
Recommended organizationally defined value: None
EM Supplemental Guidance: Collaborative computing devices include, for example, networked VTCs, white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

SC-15 (b) Collaborative Computing Devices
NIST Control Requirement: The information system: Provides an explicit indication of use to users physically present at the devices.

SC-17 Public Key Infrastructure Certificates
NIST Control Requirement: The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

SC-18 (a) Mobile Code
NIST Control Requirement: The organization: Defines acceptable and unacceptable mobile code and mobile code technologies;


SC-18 (b) Mobile Code
NIST Control Requirement: The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

SC-18 (c) Mobile Code
NIST Control Requirement: The organization: Authorizes, monitors, and controls the use of mobile code within the information system.

SC-19 (a) Voice Over Internet Protocol
NIST Control Requirement: The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

SC-19 (b) Voice Over Internet Protocol
NIST Control Requirement: The organization: Authorizes, monitors, and controls the use of VoIP within the information system.

SC-20 (a) Secure Name/Address Resolution Service (Authoritative Source)
NIST Control Requirement: The information system: Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
EM Supplemental Guidance: This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts.


SC-20 (b) Secure Name/Address Resolution Service (Authoritative Source)
NIST Control Requirement: The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
NIST Control Requirement: The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-22 Architecture and Provisioning for Name/Address Resolution Service
NIST Control Requirement: The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
EM Supplemental Guidance: A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary.

SC-23 Session Authenticity
NIST Control Requirement: The information system provides mechanisms to protect the authenticity of communications sessions.
EM Supplemental Guidance: This control focuses on communications protection at the session, versus packet, level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted.


SC-28 Protection of Information at Rest
NIST Control Requirement: The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
EM Supplemental Guidance: This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information.

SC-39 Process Isolation
NIST Control Requirement: The information system maintains a separate execution domain for each executing process.

SI-1 (a)(1) System and Information Integrity Policy and Procedures
NIST Control Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended organizationally defined value: Security Staff and Administrative Staff

SI-1 (a)(2) System and Information Integrity Policy and Procedures
NIST Control Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
Recommended organizationally defined value: Security Staff and Administrative Staff

SI-1 (b)(1) System and Information Integrity Policy and Procedures
NIST Control Requirement: The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and
Recommended organizationally defined value: Annually or any time there is a major change

SI-1 (b)(2) System and Information Integrity Policy and Procedures
NIST Control Requirement: The organization: Reviews and updates the current: System and information integrity procedures [Assignment: organization-defined frequency].
Recommended organizationally defined value: Annually or any time there is a major change


SI-2 (a) Flaw Remediation
NIST Control Requirement: The organization: Identifies, reports, and corrects information system flaws;

SI-2 (b) Flaw Remediation
NIST Control Requirement: The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

SI-2 (c) Flaw Remediation
NIST Control Requirement: The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
Recommended organizationally defined value: 5 days for critical updates and 10 days for high and moderate.
EM Supplemental Guidance: Vulnerability scans should be run shortly after patching to ensure all patches were implemented successfully. All exceptions should be investigated.

SI-2 (d) Flaw Remediation
NIST Control Requirement: The organization: Incorporates flaw remediation into the organizational configuration management process.

SI-2 (2) Flaw Remediation
NIST Control Requirement: The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
Recommended organizationally defined value: Weekly
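The following is an added worked example, not RMAIP or EM site tooling, of the SI-2 (c) deadline values, the EM guidance on post-patch scanning, and the weekly automated state check of SI-2 (2): each update gets a due date from its severity (5 days critical, 10 days high and moderate), the weekly report classifies every update as on-time, late, pending or overdue, and scanner output taken after the patch window is reconciled against what was recorded as installed so that a patch that did not take becomes an exception to investigate. The advisory identifiers, dates and scan output are constructed placeholders.

```python
"""Flaw-remediation deadlines and post-patch scan reconciliation.

Added illustration for SI-2 (c), its EM guidance, and SI-2 (2); it is not RMAIP or EM
site tooling. Deadlines are the page's values (critical: 5 days; high and moderate:
10 days). Advisory identifiers, dates and scan output are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEADLINE_DAYS = {"critical": 5, "high": 10, "moderate": 10}


@dataclass(frozen=True)
class Update:
    advisory: str
    severity: str
    released: date
    installed: Optional[date] = None   # None: not yet installed

    def due(self):
        return self.released + timedelta(days=DEADLINE_DAYS[self.severity])

    def status(self, today):
        if self.installed is not None:
            return "on-time" if self.installed <= self.due() else "late"
        return "overdue" if today > self.due() else "pending"


def remediation_report(updates, today):
    """SI-2 (2): the weekly automated view of component state with regard to flaw remediation."""
    return {u.advisory: u.status(today) for u in updates}


def reconcile_scan(updates, scan_findings):
    """EM guidance: anything the post-patch vulnerability scan still reports for an update
    recorded as installed is an exception to investigate."""
    installed = {u.advisory for u in updates if u.installed is not None}
    return sorted(installed & set(scan_findings))


# Constructed sample data; ADV-000n are placeholders, not real advisory numbers.
TODAY = date(2025, 3, 20)
SAMPLE_UPDATES = [
    Update("ADV-0001", "critical", date(2025, 3, 10), date(2025, 3, 13)),  # due 3/15, installed 3/13
    Update("ADV-0002", "high", date(2025, 3, 1), date(2025, 3, 15)),       # due 3/11, installed 3/15
    Update("ADV-0003", "moderate", date(2025, 3, 12)),                     # due 3/22, still open
    Update("ADV-0004", "critical", date(2025, 3, 10)),                     # due 3/15, still open
]
SAMPLE_SCAN = ["ADV-0002", "ADV-0004"]  # constructed scanner output after the patch window


def demo():
    return remediation_report(SAMPLE_UPDATES, TODAY), reconcile_scan(SAMPLE_UPDATES, SAMPLE_SCAN)
```

In the sample, ADV-0004 showing up in the scan is expected (it is overdue and not yet installed), while ADV-0002 is the case the guidance is about: recorded as installed, still detected, so the installation record and the scanner need to be reconciled before the item is closed.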

SI-3 (a) Malicious Code Protection
NIST Control Requirement: The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
EM Supplemental Guidance: The EM enterprise full packet capture is part of the EM sites' malicious code protection.

SI-3 (b) Malicious Code Protection
NIST Control Requirement: The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;


SI-3 (c)(1) Malicious Code Protection
NIST Control Requirement: The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
Recommended organizationally defined value: Daily

SI-3 (c)(2) Malicious Code Protection
NIST Control Requirement: The organization: Configures malicious code protection mechanisms to: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
Recommended organizationally defined value: Block/quarantine malicious code then send an alert to the administrators

SI-3 (d) Malicious Code Protection
NIST Control Requirement: The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3 (1) Malicious Code Protection
NIST Control Requirement: The organization centrally manages malicious code protection mechanisms.

SI-3 (2) Malicious Code Protection
NIST Control Requirement: The information system automatically updates malicious code protection mechanisms.


SI-4 (a)(1) Information System Monitoring
NIST Control Requirement: The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
Recommended organizationally defined value: Network monitoring and incident identification section of the incident response plan
EM Supplemental Guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components).

SI-4 (a)(2) Information System Monitoring
NIST Control Requirement: The organization: Monitors the information system to detect: Unauthorized local, network, and remote connections;

SI-4 (b) Information System Monitoring
NIST Control Requirement: The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];

SI-4 (c) Information System Monitoring
NIST Control Requirement: The organization: Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;

SI-4 (d) Information System Monitoring
NIST Control Requirement: The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;


SI-4 (e) Information System Monitoring
NIST Control Requirement: The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

SI-4 (f) Information System Monitoring
NIST Control Requirement: The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

SI-4 (g) Information System Monitoring
NIST Control Requirement: The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

SI-4 (2) Information System Monitoring
NIST Control Requirement: The organization employs automated tools to support near real-time analysis of events.


SI-4 (4) Information System Monitoring
NIST Control Requirement: The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
EM Supplemental Guidance: Unusual/unauthorized activities or conditions include, for example, internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or beaconing to an external information system. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
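The following is an added worked example, not RMAIP or EM site monitoring tooling, of one detection the SI-4 (4) guidance names: beaconing to an external information system. It parses constructed outbound-connection log lines in a simple key=value format (the format is assumed, not a product's), groups connections by internal source and external destination, and flags pairs whose inter-connection intervals are nearly constant, the regularity that distinguishes an automated check-in from a person browsing. The addresses are documentation ranges and the timestamps are constructed.

```python
"""Periodic outbound-connection (beaconing) detection over connection logs.

Added illustration for SI-4 (4); it is not RMAIP or EM site tooling. The log format,
addresses and timestamps are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL)


def parse_line(line):
    """Parse 'TIMESTAMP src=... dst=... dport=... action=...' (constructed format)."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])


def find_beacons(lines, min_connections=5, max_jitter=0.1):
    """Return [(src, dst, mean_interval_seconds)] for internal->external pairs whose
    connection spacing is regular: jitter = stdev / mean of the gaps is at most max_jitter."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _dport = parse_line(line)
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return hits


# Constructed sample log: 10.1.1.5 contacts 203.0.113.9 every ~300 s; 10.1.1.7 browses irregularly.
SAMPLE_LOG = [
    "2025-03-20T10:00:00 src=10.1.1.5 dst=203.0.113.9 dport=443 action=allow",
    "2025-03-20T10:05:01 src=10.1.1.5 dst=203.0.113.9 dport=443 action=allow",
    "2025-03-20T10:10:00 src=10.1.1.5 dst=203.0.113.9 dport=443 action=allow",
    "2025-03-20T10:14:59 src=10.1.1.5 dst=203.0.113.9 dport=443 action=allow",
    "2025-03-20T10:20:00 src=10.1.1.5 dst=203.0.113.9 dport=443 action=allow",
    "2025-03-20T10:25:01 src=10.1.1.5 dst=203.0.113.9 dport=443 action=allow",
    "2025-03-20T10:00:10 src=10.1.1.7 dst=198.51.100.2 dport=443 action=allow",
    "2025-03-20T10:00:42 src=10.1.1.7 dst=198.51.100.2 dport=443 action=allow",
    "2025-03-20T10:07:05 src=10.1.1.7 dst=198.51.100.2 dport=443 action=allow",
    "2025-03-20T10:31:00 src=10.1.1.7 dst=198.51.100.2 dport=443 action=allow",
    "2025-03-20T10:32:30 src=10.1.1.7 dst=198.51.100.2 dport=443 action=allow",
    "2025-03-20T10:33:00 src=10.1.1.7 dst=198.51.100.2 dport=443 action=allow",
]
```

The interval-regularity test is deliberately simple; in production the thresholds are tuned per environment, and legitimate periodic traffic (update checks, monitoring agents) is allow-listed by destination so the alert goes to the SI-4 (5) personnel only for unexplained pairs.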

SI-4 (5) Information System Monitoring
NIST Control Requirement: The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

SI-5 (a) Security Alerts, Advisories, and Directives
NIST Control Requirement: The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
Recommended organizationally defined value: JC3 and EM MIPP

SI-5 (b) Security Alerts, Advisories, and Directives
NIST Control Requirement: The organization: Generates internal security alerts, advisories, and directives as deemed necessary;


SI-5 (c) Security Alerts, Advisories, and Directives
NIST Control Requirement: The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

SI-5 (d) Security Alerts, Advisories, and Directives
NIST Control Requirement: The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-7 Software and Information Integrity
NIST Control Requirement: The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

SI-7 (1) Software and Information Integrity
NIST Control Requirement: The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Recommended organizationally defined value: Quarterly
EM Supplemental Guidance: The site employs integrity verification applications on key information systems (e.g., servers that process and store CUI) to look for evidence of information tampering, errors, and omissions. The site employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.


SI-7 (7) Software and Information Integrity
NIST Control Requirement: The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
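The following is an added worked example, not RMAIP or EM site tooling, of the cryptographic-hash integrity mechanism the SI-7 (1) guidance mentions, carried through to SI-7 (7): a SHA-256 baseline of a monitored file tree is recorded, the tree is re-checked (at startup, quarterly, or on a security-relevant event) and every modified, missing or unexpected file is turned into a record for the incident response process. The monitored tree, file names and the tampering scenario in demo() are constructed; the hashes are computed, not stored constants.

```python
"""File-integrity baseline and verification with SHA-256.

Added illustration for SI-7, SI-7 (1) and SI-7 (7); it is not RMAIP or EM site tooling.
The monitored tree, file names and the tampering scenario in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> SHA-256 for every regular file under root (SI-7: the trusted state)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Re-check the tree against the baseline (SI-7 (1)). Returns {path: finding};
    an empty dict means no unauthorized change was detected."""
    current = build_baseline(root)
    findings = {}
    for rel, digest in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
        elif current[rel] != digest:
            findings[rel] = "modified"
    for rel in current:
        if rel not in baseline:
            findings[rel] = "unexpected"
    return findings


def incident_records(findings, host):
    """SI-7 (7): one incident-response record per detected unauthorized change."""
    return [f"{host}: unauthorized change, {kind} file {rel}"
            for rel, kind in sorted(findings.items())]


def demo(root=None):
    """Constructed scenario: baseline a small tree, then modify, delete and add a file."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="si7-"))
    (root / "bin").mkdir(exist_ok=True)
    (root / "bin" / "service").write_bytes(b"original binary")
    (root / "config.ini").write_text("mode=prod\n")
    baseline = build_baseline(root)
    (root / "bin" / "service").write_bytes(b"tampered binary")   # unauthorized modification
    (root / "config.ini").unlink()                               # file removed
    (root / "dropped.txt").write_text("unexpected\n")           # file added outside change control
    return verify(root, baseline)
```

The baseline itself must be kept where the monitored host cannot rewrite it (a separate integrity server or a signed store), otherwise an attacker who can change a file can also change its expected hash; that placement decision is the SI-7 part the hash arithmetic does not cover.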

SI-8 (a) Spam Protection
NIST Control Requirement: The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

SI-8 (b) Spam Protection
NIST Control Requirement: The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

SI-8 (1) Spam Protection
NIST Control Requirement: The organization centrally manages spam protection mechanisms.

SI-8 (2) Spam Protection
NIST Control Requirement: The information system automatically updates spam protection mechanisms.

SI-10 Information Input Validation
NIST Control Requirement: The information system checks the validity of [Assignment: organization-defined information inputs].
EM Supplemental Guidance: Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.


SI-11 (a) Error Handling
NIST Control Requirement: The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
EM Supplemental Guidance: The structure and content of error messages are carefully considered by the organization. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Error messages should be made available to system administrators and not be sent to the user or potential attacker.

SI-11 (b) Error Handling
NIST Control Requirement: The information system: Reveals error messages only to [Assignment: organization-defined personnel or roles].
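The following is an added worked example, not RMAIP or EM site code, that puts the SI-10 guidance and SI-11 (a)/(b) together in one validation layer: each input field has a declared character set, length, numeric range or set of acceptable values; inputs bound for a shell interpreter are prescreened for command syntax; and when validation fails the user receives only a generic message with a reference id, while the detail (field, offending value, rule) goes to a logger routed to administrators. The field names, rules and metacharacter list are constructed for the example.

```python
"""Input validation with administrator-only error detail.

Added illustration for SI-10 and SI-11; it is not RMAIP or EM site code. Field names,
rules and the shell metacharacter list are constructed for the example.
"""
import logging
import re
import uuid

admin_log = logging.getLogger("app.validation.admin")  # handler routed to administrators only

# SI-10: per-field definitions of format and content.
FIELD_RULES = {
    "username":    {"pattern": re.compile(r"[A-Za-z0-9_.-]{1,32}")},
    "page_size":   {"type": int, "min": 1, "max": 500},
    "sort_order":  {"choices": {"asc", "desc"}},
    "report_name": {"pattern": re.compile(r"[A-Za-z0-9_-]{1,64}"), "interpreter": "shell"},
}

# Characters a shell would read as command syntax; rejected in any shell-bound input.
SHELL_META = set(";|&$`<>(){}[]!*?~'\"\\\n")


class ValidationError(Exception):
    """Raised to the caller with a message that is safe to show the user (SI-11 (a))."""

    def __init__(self, public_message, reference):
        super().__init__(public_message)
        self.reference = reference


def validate(field, raw):
    """Return the validated value or raise ValidationError."""
    rule = FIELD_RULES[field]
    try:
        # SI-10 guidance: prescreen interpreter-bound input before anything else.
        if rule.get("interpreter") == "shell" and SHELL_META & set(raw):
            raise ValueError("shell metacharacters present")
        if "choices" in rule:
            if raw not in rule["choices"]:
                raise ValueError(f"{raw!r} not in {sorted(rule['choices'])}")
            return raw
        if rule.get("type") is int:
            value = int(raw)                      # ValueError if not numeric
            if not rule["min"] <= value <= rule["max"]:
                raise ValueError(f"{value} outside [{rule['min']}, {rule['max']}]")
            return value
        if not rule["pattern"].fullmatch(raw):
            raise ValueError(f"{raw!r} does not match {rule['pattern'].pattern}")
        return raw
    except ValueError as exc:
        ref = uuid.uuid4().hex[:8]
        # SI-11 (b): diagnostic detail only to administrators; the user gets a reference id.
        admin_log.warning("ref=%s field=%s reason=%s", ref, field, exc)
        raise ValidationError(f"Invalid input for {field} (ref {ref}).", ref) from None
```

The reference id is what lets a help-desk call be matched to the administrator log entry, which is the "information necessary for corrective actions" of SI-11 (a) without the rule or the rejected value ever appearing in the response.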

SI-12 Information Handling and Retention
NIST Control Requirement: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
EM Supplemental Guidance: The output handling and retention requirements cover the full life cycle of the information, in some cases extending beyond the disposal of the information system.

SI-16 Memory Protection
NIST Control Requirement: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.


________________________________________________________________________

________________________________________________________________________DOE EM RMAIP Version 5.1

149 of 266

Appendix B – NSS Security Controls

Based on early assessments on NSS Security Controls using CNSS 1253 and NIST SP 800-53 Rev 3 controls, EM has determined that most systems will be categorized as C = M, I = M, and A = M, or C = M, I = M, and A = L, or C = M, I = L and A = L. Below are the controls that should be addressed for each categorization and configuration (e.g., networked or stand-alone). "No" in the column for either a stand-alone or network configuration means that it does not apply and does not have to be implemented. "Yes" means that it should be addressed and a justification given if the control is tailored out. A site may decide to deploy a control that does not apply depending on its risk management strategy. Contracting Officers are not to require that each and every control listed in this table be implemented.

Cntl #: Lists the NIST control abbreviation
Control Name: Lists the name of the control requirement
CIA (LMH): Lists each CNSSI control requirement by Confidentiality (C), Integrity (I), and Availability (A) and Low (L), Moderate (M), and High (H)
NNN (LMH): Lists the NIST 800-53 Low (L), Moderate (M), and High (H) control selections associated with the CNSSI controls
NSS Stand Alone: Lists if the control is applicable to a NSS Stand-Alone PC
NSS Network: Lists if the control is applicable to a NSS Networked PC(s)
Priority: Lists the NIST control priority
NIST Control Req: Lists the NIST control requirement

Columns: Cntl # | Control Name | C (L M H) | I (L M H) | A (L M H) | NNN (L M H) | NSS Stand Alone | NSS Network | Priority | NIST Control Requirement

AC-1 Access Control Policy And Procedures
Applicability marks (C, I, A, NNN at L M H): X X X X X X X X X X X X
NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
NIST Control Requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.


AC-2 Account Management
Applicability marks (C, I, A, NNN at L M H): X X X X X X X
NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
NIST Control Requirement: The organization manages information system accounts, including: a) Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); b) Establishing conditions for group membership; c) Identifying authorized users of the information system and specifying access privileges; d) Requiring appropriate approvals for requests to establish accounts; e) Establishing, activating, modifying, disabling, and removing accounts; f) Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; g) Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; h) Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; i) Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and j) Reviewing accounts [Assignment: organization-defined frequency].

AC-2(1) Account Management
Applicability marks (C, I, A, NNN at L M H): X X X X X X X X
NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
NIST Control Requirement: The organization employs automated mechanisms to support the management of information system accounts.

AC-2(2) Account Management
Applicability marks (C, I, A, NNN at L M H): X X X X X X X X
NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
NIST Control Requirement: The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

AC-2(3) Account Management
Applicability marks (C, I, A, NNN at L M H): X X X X X X X X
NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
NIST Control Requirement: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].


AC-2(4) Account Management X X X X X X X X Yes Yes P1
The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

AC-2(5) Account Management Yes Yes P0
The organization: a) Requires that users log out when [Assignment: organization defined time-period of expected inactivity and/or description of when to log out]; b) Determines normal time-of-day and duration usage for information system accounts; c) Monitors for atypical usage of information system accounts; and d) Reports atypical usage to designated organizational officials.

AC-2(6) Account Management
The information system dynamically manages user privileges and associated access authorizations.

AC-2(7) Account Management X X X X X X No Yes P1
The organization: a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and b) Tracks and monitors privileged role assignments.

AC-3 Access Enforcement X X X X X X X X X Yes Yes P1
The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

AC-3(1) Access Enforcement - - - - - - - - - withdrawn

AC-3(2) Access Enforcement
The information system enforces dual authorization, based on organizational policies and procedures for [Assignment: organization-defined privileged commands].


AC-3(3) Access Enforcement
The information system enforces [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: organization-defined set of users and resources] where the policy rule set for each policy specifies: a) Access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and b) Required relationships among the access control information to permit access.

AC-3(4) Access Enforcement X X X X X X Yes Yes P0
The information system enforces a Discretionary Access Control (DAC) policy that: a) Allows users to specify and control sharing by named individuals or groups of individuals, or by both; b) Limits propagation of access rights; and c) Includes or excludes access to the granularity of a single user.

AC-3(5) Access Enforcement
The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, nonoperable system states.

AC-3(6) Access Enforcement X Yes Yes P1
The organization encrypts or stores off-line in a secure location [Assignment: organization-defined user and/or system information].

AC-4 Information Flow Enforcement X X X X X X X X No No P1
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

AC-4(1) Information Flow Enforcement
The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.

AC-4(2) Information Flow Enforcement
The information system enforces information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.


AC-4(3) Information Flow Enforcement
The information system enforces dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations.

AC-4(4) Information Flow Enforcement
The information system prevents encrypted data from bypassing content-checking mechanisms.

AC-4(5) Information Flow Enforcement
The information system enforces [Assignment: organization-defined limitations on the embedding of data types within other data types].

AC-4(6) Information Flow Enforcement
The information system enforces information flow control on metadata.

AC-4(7) Information Flow Enforcement
The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.

AC-4(8) Information Flow Enforcement
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions.

AC-4(9) Information Flow Enforcement
The information system enforces the use of human review for [Assignment: organization-defined security policy filters] when the system is not capable of making an information flow control decision.

AC-4(10) Information Flow Enforcement
The information system provides the capability for a privileged administrator to enable/disable [Assignment: organization-defined security policy filters].

AC-4(11) Information Flow Enforcement
The information system provides the capability for a privileged administrator to configure [Assignment: organization-defined security policy filters] to support different security policies.

AC-4(12) Information Flow Enforcement
The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.


AC-4(13) Information Flow Enforcement
The information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.

AC-4(14) Information Flow Enforcement
The information system, when transferring information between different security domains, implements policy filters that constrain data structure and content to [Assignment: organization-defined information security policy requirements].

AC-4(15) Information Flow Enforcement
The information system, when transferring information between different security domains, detects unsanctioned information and prohibits the transfer of such information in accordance with the security policy.

AC-4(16) Information Flow Enforcement
The information system enforces security policies regarding information on interconnected systems.

AC-4(17) Information Flow Enforcement
The information system: a) Uniquely identifies and authenticates source and destination domains for information transfer; b) Binds security attributes to information to facilitate information flow policy enforcement; and c) Tracks problems associated with the security attribute binding and information transfer.

AC-5 Separation Of Duties X X X X X X X X Yes Yes P1
The organization: a) Separates duties of individuals as necessary, to prevent malevolent activity without collusion; b) Documents separation of duties; and c) Implements separation of duties through assigned information system access authorizations.

AC-6 Least Privilege X X X X X X X X Yes Yes P1
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.


AC-6(1) Least Privilege X X X X X X X X Yes Yes P1
The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].

AC-6(2) Least Privilege X X X X X X X X Yes Yes P1
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.

AC-6(3) Least Privilege
The organization authorizes network access to [Assignment: organization-defined privileged commands] only for compelling operational needs and documents the rationale for such access in the security plan for the information system.

AC-6(4) Least Privilege
The information system provides separate processing domains to enable finer-grained allocation of user privileges.

AC-6(5) Least Privilege X X X X X X Yes Yes P0
The organization limits authorization to super user accounts on the information system to designated system administration personnel.

AC-6(6) Least Privilege X X Yes Yes P0
The organization prohibits privileged access to the information system by non-organizational users.


AC-7 Unsuccessful Login Attempts X X X X X X X X X X X X Yes Yes P2
The information system: a) Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and b) Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.

AC-7(1) Unsuccessful Login Attempts X X X X Yes Yes P0
The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.

AC-7(2) Unsuccessful Login Attempts
The information system provides additional protection for mobile devices accessed via login by purging information from the device after [Assignment: organization-defined number] consecutive, unsuccessful login attempts to the device.


AC-8 System Use Notification X X X X X X X X X Yes Yes P1
The information system: a) Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; b) Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and c) For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.

AC-9 Previous Logon (Access) Notification X X No No P0
The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).

AC-10 Concurrent Session Control X X X X X Yes Yes P2
The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].


AC-11 Session Lock X X X X X X X X Yes Yes P3
The information system: a) Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-11(1) Session Lock X X X Yes Yes P0
The information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

AC-14 Permitted Actions Without Identification Or Authentication X X X X X X X X X Yes Yes P1
The organization: a) Identifies specific user actions that can be performed on the information system without identification or authentication; and b) Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

AC-14(1) Permitted Actions Without Identification Or Authentication X X X X X X Yes Yes P1
The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.

AC-17 Remote Access X X X X X X X X X Yes Yes P1
The organization: a) Documents allowed methods of remote access to the information system; b) Establishes usage restrictions and implementation guidance for each allowed remote access method; c) Monitors for unauthorized remote access to the information system; d) Authorizes remote access to the information system prior to connection; and e) Enforces requirements for remote connections to the information system.

AC-17(1) Remote Access X X X X X X X X Yes Yes P1
The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.


AC-17(2) Remote Access X X X X X X X X Yes Yes P1
The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.

AC-17(3) Remote Access X X X X X X X X Yes Yes P1
The information system routes all remote accesses through a limited number of managed access control points.

AC-17(4) Remote Access X X X X X X X X Yes Yes P1
The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.

AC-17(5) Remote Access X X X X X X X X Yes Yes P1
The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

AC-17(6) Remote Access X X X Yes Yes P0
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

AC-17(7) Remote Access X X X X X X X X Yes Yes P1
The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ [Assignment: organization-defined additional security measures] and are audited.

AC-17(8) Remote Access X X X X X X X X Yes Yes P1
The organization disables [Assignment: organization-defined networking protocols within the information system deemed to be nonsecure] except for explicitly identified components in support of specific operational requirements.


AC-18 Wireless Access Restrictions X X X X X X X X X No No P1
The organization: a) Establishes usage restrictions and implementation guidance for wireless access; b) Monitors for unauthorized wireless access to the information system; c) Authorizes wireless access to the information system prior to connection; and d) Enforces requirements for wireless connections to the information system.

AC-18(1) Wireless Access Restrictions X X X X X X X X No No P1
The information system protects wireless access to the system using authentication and encryption.

AC-18(2) Wireless Access Restrictions X X X X X X X No No P0
The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

AC-18(3) Wireless Access Restrictions X X X X X X No No P0
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.

AC-18(4) Wireless Access Restrictions X X X X X X X No No P0
The organization does not allow users to independently configure wireless networking capabilities.

AC-18(5) Wireless Access Restrictions X X X X X X X No No P0
The organization confines wireless communications to organization-controlled boundaries.


AC-19 Access Control For Mobile Devices X X X X X X X X X Yes Yes P1
The organization: a) Establishes usage restrictions and implementation guidance for organization-controlled mobile devices; b) Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems; c) Monitors for unauthorized connections of mobile devices to organizational information systems; d) Enforces requirements for the connection of mobile devices to organizational information systems; e) Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; f) Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and g) Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

AC-19(1) Access Control For Mobile Devices X X X X X Yes Yes P1
The organization restricts the use of writable, removable media in organizational information systems.

AC-19(2) Access Control For Mobile Devices X X X X X X X X Yes Yes P1
The organization prohibits the use of personally owned, removable media in organizational information systems.

AC-19(3) Access Control For Mobile Devices X X X X X X X X Yes Yes P1
The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.


AC-19(4) Access Control For Mobile Devices X X X Yes Yes P0
The organization: a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s); and b) Enforces the following restrictions on individuals permitted to use mobile devices in facilities containing information systems processing, storing, or transmitting classified information: 1) Connection of unclassified mobile devices to classified information systems is prohibited; 2) Connection of unclassified mobile devices to unclassified information systems requires approval from the appropriate authorizing official(s); 3) Use of internal or external modems or wireless interfaces within the mobile devices is prohibited; and 4) Mobile devices and the information stored on those devices are subject to random reviews/inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.

AC-20 Use Of External Information Systems X X X X X X X X X No Yes P1
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: a) Access the information system from the external information systems; and b) Process, store, and/or transmit organization-controlled information using the external information systems.


AC-20(1) Use Of External Information Systems X X X X X X X X No No P1
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: a) Can verify the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.

AC-20(2) Use Of External Information Systems X X X X X No No P1
The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

AC-22 Publicly Accessible Content X X X X X X No No P2
The organization: a) Designates individuals authorized to post information onto an organizational information system that is publicly accessible; b) Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c) Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system; d) Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and e) Removes nonpublic information from the publicly accessible organizational information system, if discovered.


AT-1 Security Awareness And Training Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

AT-2 Security Awareness X X X X X X X X X X X X Yes Yes P1
The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.

AT-3 Security Training X X X X X X X X X X X X Yes Yes P1
The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

AT-3(2) Security Training X X X X X X X X X Yes Yes P0
The organization provides employees with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

AT-4 Security Training Records X X X X X X X X X X X X Yes Yes P3
The organization: a) Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b) Retains individual training records for [Assignment: organization-defined time period].


AT-5 Contacts With Security Groups And Associations X X X X X X X X X Yes Yes P0
The organization establishes and institutionalizes contact with selected groups and associations within the security community: a) To facilitate ongoing security education and training for organizational personnel; b) To stay up to date with the latest recommended security practices, techniques, and technologies; and c) To share current security-related information including threats, vulnerabilities, and incidents.

AU-1 Audit And Accountability Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.


AU-2 Auditable Events X X X X X X X X X Yes Yes P1

The organization: a)Determines, based on a riskassessment andmission/business needs,that the information systemmust be capable of auditingthe following events:[Assignment: organization-defined list of auditableevents]; b) Coordinates thesecurity audit function withother organizational entitiesrequiring audit-relatedinformation to enhancemutual support and to helpguide the selection ofauditable events; c) Providesa rationale for why the list ofauditable events aredeemed to be adequate tosupport after-the-factinvestigations of securityincidents; and d)Determines, based oncurrent threat informationand ongoing assessment ofrisk, that the followingevents are to be auditedwithin the informationsystem: [Assignment:organization-defined subsetof the auditable eventsdefined in AU-2 a. to beaudited along with thefrequency of (or situationrequiring) auditing for eachidentified event].

AU-2(3) Auditable Events X X X X X X X X Yes Yes P1

The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].

AU-2(4) Auditable Events X X X X X X X X Yes Yes P1

The organization includes execution of privileged functions in the list of events to be audited by the information system.

AU-3 Content Of Audit Records X X X X X X X X X Yes Yes P1

The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.


AU-3(1) Content Of Audit Records X X X X X X X X Yes Yes P1

The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.

AU-3(2) Content Of Audit Records X X X X X X X Yes Yes P0

The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components].

AU-4 Audit Storage Capacity X X X X X X Yes Yes P1

The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

AU-5 Response To Audit Processing Failures X X X X X X No Yes P1

The information system: a) Alerts designated organizational officials in the event of an audit processing failure; and b) Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

AU-5(1) Response To Audit Processing Failures X X X X No Yes P1

The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit record storage capacity.

AU-5(2) Response To Audit Processing Failures X X X No Yes P1

The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].


AU-6 Audit Review, Analysis, And Reporting X X X X X X X X X Yes Yes P1

The organization: a) Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and b) Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

AU-6(1) Audit Review, Analysis, And Reporting X X X X X No No P1

The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

AU-6(2) Audit Review, Analysis, And Reporting - - - - - - - - -

[Withdrawn: Incorporated into SI-4].

AU-6(3) Audit Review, Analysis, And Reporting X X X X X X No Yes P1

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

AU-7 Audit Reduction And Report Generation X X X X X X No No P2

The information system provides an audit reduction and report generation capability.

AU-7(1) Audit Reduction And Report Generation X X X X X X No No P2

The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

AU-8 Time Stamps X X X X X X Yes Yes P1

The information system uses internal system clocks to generate time stamps for audit records.

AU-8(1) Time Stamps X X X X X No No P1

The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].


AU-9 Protection Of Audit Information X X X X X X X X X No Yes P1

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-9(1) Protection Of Audit Information

The information system produces audit records on hardware-enforced, write-once media.

AU-9(2) Protection Of Audit Information X X No Yes P0

The information system backs up audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

AU-9(3) Protection Of Audit Information X No Yes P1

The information system uses cryptographic mechanisms to protect the integrity of audit information and audit tools.
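The following is an added example, not part of the DOE/NIST text, showing how AU-3's minimum record content and AU-9(3)'s cryptographic integrity protection fit together in practice: each record carries the six required fields, and records are linked in an HMAC hash chain so that modification, deletion or reordering of any earlier entry is detected on verification. The key, the field names, the host names and the sample events are all constructed for the demonstration.

```python
"""Added example (not from the DOE/NIST text): an audit log whose records
carry the AU-3 minimum fields and whose integrity is protected, per AU-9(3),
by an HMAC hash chain. The key, records and field names are constructed."""
import hmac
import hashlib
import json
from datetime import datetime, timezone

# AU-3 minimum content: event type, when, where, source, outcome, subject.
REQUIRED_FIELDS = ("event_type", "timestamp", "where", "source", "outcome", "subject")

# Constructed demo key. In a real deployment the key lives in an HSM or a key
# store that the audited host cannot write to, so a compromised host cannot
# re-sign its own history (see AU-9 and AU-9(2)).
DEMO_KEY = b"constructed-demo-key-do-not-use"


def make_record(event_type, where, source, outcome, subject, when=None):
    """Build an AU-3-compliant record; the timestamp is UTC ISO 8601 (AU-8)."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    when = when or datetime.now(timezone.utc)
    return {"event_type": event_type, "timestamp": when.isoformat(),
            "where": where, "source": source, "outcome": outcome, "subject": subject}


def _canon(record):
    # Canonical serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, record, key=DEMO_KEY):
    """Append a record; its tag = HMAC(key, previous_tag || canonical record)."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record missing AU-3 fields: {missing}")
    prev = chain[-1]["tag"] if chain else "0" * 64
    tag = hmac.new(key, prev.encode() + _canon(record), hashlib.sha256).hexdigest()
    chain.append({"record": record, "tag": tag})
    return tag


def verify_chain(chain, key=DEMO_KEY):
    """Return (ok, index_of_first_bad_entry_or_None).

    Any edit to a record, or removal or reordering of an entry, breaks the
    chain at or before the point of change."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        expected = hmac.new(key, prev.encode() + _canon(entry["record"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, None


def demo():
    """Constructed sequence: a logon, a privileged function (AU-2(4)) and a
    failed logon, followed by a simulated unauthorized edit of the last one."""
    chain = []
    t0 = datetime(2024, 1, 15, 8, 0, 0, tzinfo=timezone.utc)
    append_record(chain, make_record("logon", "host-a", "10.0.0.5", "success", "alice", t0))
    append_record(chain, make_record("privileged_function", "host-a", "10.0.0.5", "success", "alice", t0))
    append_record(chain, make_record("logon", "host-a", "10.0.0.9", "failure", "bob", t0))
    ok_before, _ = verify_chain(chain)
    # Simulated modification that AU-9 exists to detect: flip the failed logon.
    chain[2]["record"]["outcome"] = "success"
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

One caveat a chain alone does not cover: silently dropping the newest entries leaves a still-valid shorter chain. Periodically recording the latest tag on a separate system, as AU-9(2) already requires for the records themselves, closes that gap, and a per-host key that the host cannot read is what stops an intruder with local access from simply recomputing the tags.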

AU-9(4) Protection Of Audit Information X X X No Yes P0

The organization: a) Authorizes access to management of audit functionality to only a limited subset of privileged users; and b) Protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.

AU-10 Non-Repudiation X X X No Yes P1

The information system protects against an individual falsely denying having performed a particular action.

AU-10(5) Non-Repudiation X X No No P1

The organization employs [Selection: FIPS-validated; NSA-approved] cryptography to implement digital signatures.

AU-11 Audit Record Retention X X X X X X Yes Yes P3

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.


AU-12 Audit Generation X X X X X X X X X X X X Yes Yes P1

The information system: a) Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b) Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and c) Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

AU-12(1) Audit Generation X X Yes Yes P1

The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].

AU-13 Monitoring For Information Disclosure

The organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information [Assignment: organization-defined frequency].

CA-1 Security Assessment And Authorization Policies And Procedures X X X X X X X X X X X X Yes Yes P1

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.


CA-2 Security Assessments X X X X X X X X X X X X Yes Yes P2

The organization: a) Develops a security assessment plan that describes the scope of the assessment including: 1) Security controls and control enhancements under assessment; 2) Assessment procedures to be used to determine security control effectiveness; and 3) Assessment environment, assessment team, and assessment roles and responsibilities; b) Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; c) Produces a security assessment report that documents the results of the assessment; and d) Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.

CA-2(1) Security Assessments X X X X X X X X X X X Yes Yes P2

The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.

CA-2(2) Security Assessments X X X X Yes Yes P2

The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security testing]].


CA-3 Information System Connections X X X X X X X X X No Yes P1

The organization: a) Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements; b) Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and c) Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.

CA-3(1) Information System Connections X X X No Yes P1

The organization prohibits the direct connection of an unclassified, national security system to an external network.

CA-3(2) Information System Connections X X No Yes P1

The organization prohibits the direct connection of a classified, national security system to an external network.

CA-5 Plan Of Action And Milestones X X X X X X X X X X X X Yes Yes P3

The organization: a) Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b) Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

CA-6 Security Authorization X X X X X X X X X X X X Yes Yes P3

The organization: a) Assigns a senior-level executive or manager to the role of authorizing official for the information system; b) Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c) Updates the security authorization [Assignment: organization-defined frequency].


CA-7 Continuous Monitoring X X X X X X X X X X X X Yes Yes P3

The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes: a) A configuration management process for the information system and its constituent components; b) A determination of the security impact of changes to the information system and environment of operation; c) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and d) Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].

CA-7(1) Continuous Monitoring X X X X X X X X X Yes Yes P3

The organization employs an independent assessor or assessment team to monitor the security controls in the information system on an ongoing basis.

CA-7(2) Continuous Monitoring X X X X X X X X X Yes Yes P3

The organization plans, schedules, and conducts assessments [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security assessment]] to ensure compliance with all vulnerability mitigation procedures.


CM-1 Configuration Management Policy And Procedures X X X X X X X X X Yes Yes P1

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CM-2 Baseline Configuration X X X X X X Yes Yes P1

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

CM-2(1) Baseline Configuration X X X X X Yes Yes P1

The organization reviews and updates the baseline configuration of the information system: a) [Assignment: organization-defined frequency]; b) When required due to [Assignment: organization-defined circumstances]; and c) As an integral part of information system component installations and upgrades.

CM-2(2) Baseline Configuration X X Yes No P1

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

CM-2(3) Baseline Configuration X X X X Yes Yes P1

The organization retains older versions of baseline configurations as deemed necessary to support rollback.

CM-2(4) Baseline Configuration X X

The organization: a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system]; and b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.


CM-2(5) Baseline Configuration X X X X Yes Yes P1

The organization: a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.

CM-2(6) Baseline Configuration X Yes Yes P1

The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

CM-3 Configuration Change Control X X X X X Yes Yes P1

The organization: a) Determines the types of changes to the information system that are configuration controlled; b) Approves configuration-controlled changes to the system with explicit consideration for security impact analyses; c) Documents approved configuration-controlled changes to the system; d) Retains and reviews records of configuration-controlled changes to the system; e) Audits activities associated with configuration-controlled changes to the system; and f) Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].


CM-3(1) Configuration Change Control X X No No P1

The organization employs automated mechanisms to: a) Document proposed changes to the information system; b) Notify designated approval authorities; c) Highlight approvals that have not been received by [Assignment: organization-defined time period]; d) Inhibit change until designated approvals are received; and e) Document completed changes to the information system.

CM-3(2) Configuration Change Control X X X X Yes Yes P1

The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-3(3) Configuration Change Control

The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.

CM-3(4) Configuration Change Control X X X Yes Yes P1

The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element (e.g., committee, board)].

CM-4 Security Impact Analysis X X X X X X Yes Yes P2

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

CM-4(1) Security Impact Analysis X X X Yes Yes P2

The organization analyzes new software in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-4(2) Security Impact Analysis X X X Yes Yes P2

The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.


CM-5 Access Restrictions For Change X X X X X Yes Yes P1

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

CM-5(1) Access Restrictions For Change X Yes Yes P1

The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

CM-5(2) Access Restrictions For Change X X X X Yes Yes P1

The organization conducts audits of information system changes [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.

CM-5(3) Access Restrictions For Change X X No No P1

The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization.

CM-5(5) Access Restrictions For Change X X X No Yes P1

The organization: a) Limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; and b) Reviews and reevaluates information system developer/integrator privileges [Assignment: organization-defined frequency].

CM-5(6) Access Restrictions For Change X X X Yes Yes P1

The organization limits privileges to change software resident within software libraries (including privileged programs).


CM-6 Configuration Settings X X X X X X Yes Yes P1

The organization: a) Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b) Implements the configuration settings; c) Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-6(1) Configuration Settings X X X No Yes P1

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

CM-6(2) Configuration Settings X X No Yes P1

The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].

CM-6(3) Configuration Settings X X X X X Yes Yes P1

The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
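The following is an added example, not part of the DOE/NIST text, of the automated verification that CM-6 and its enhancements call for: observed settings on a host are compared with a mandatory checklist (CM-6 a and b), deviations covered by a documented, approved exception are reported as such (CM-6 c), and the remaining deviations are the unauthorized changes that CM-6(2) and CM-6(3) route to automated response and incident handling. The checklist, the setting names, the host names and the exception reference are all constructed for the demonstration.

```python
"""Added example (not from the DOE/NIST text): checking observed host settings
against a mandatory configuration checklist with approved exceptions.
All checklist entries, hosts and ticket references are constructed."""

# Constructed checklist reflecting the "most restrictive mode" of CM-6 a.
CHECKLIST = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "telnet.service": "disabled",
}

# Constructed approved exceptions (CM-6 c): host -> {setting: (allowed value, reference)}.
EXCEPTIONS = {
    "host-b": {"ssh.PasswordAuthentication": ("yes", "CHG-0000-constructed")},
}


def check_host(host, observed, checklist=CHECKLIST, exceptions=EXCEPTIONS):
    """Return one finding per setting that deviates from the checklist.

    A setting the host did not report at all counts as a deviation: an
    unverifiable control is not a satisfied one."""
    findings = []
    host_exc = exceptions.get(host, {})
    for setting, required in checklist.items():
        actual = observed.get(setting, "<missing>")
        if actual == required:
            continue
        exc = host_exc.get(setting)
        # An exception only covers the exact value that was approved.
        approved = exc is not None and exc[0] == actual
        findings.append({
            "host": host,
            "setting": setting,
            "required": required,
            "actual": actual,
            "approved_exception": approved,
            "reference": exc[1] if approved else None,
        })
    return findings


def unauthorized_changes(host, observed):
    """CM-6(2)/(3): deviations with no approved exception are the ones to act on."""
    return [f for f in check_host(host, observed) if not f["approved_exception"]]


def demo():
    """Constructed observations from two hosts."""
    host_a = {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
              "audit.enabled": "yes", "telnet.service": "disabled"}
    # host-b has an approved exception for password authentication but did
    # not report the telnet setting at all.
    host_b = {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
              "audit.enabled": "yes"}
    return {"host-a": unauthorized_changes("host-a", host_a),
            "host-b": unauthorized_changes("host-b", host_b)}


if __name__ == "__main__":
    for host, findings in demo().items():
        for f in findings:
            print(f"{host}: {f['setting']} is {f['actual']!r}, required {f['required']!r}")
```

The design point is that exceptions are matched on the exact approved value and are keyed per component, so an exception granted to one host for one value does not silently excuse a different value, or the same value on another host; both would still surface as unauthorized changes.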

CM-7 Least Functionality X X X X X X X X X Yes Yes P1

The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].


CM-7(1) Least Functionality X X X X X X X X Yes Yes P1

The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.

CM-7(2) Least Functionality X X X X X Yes Yes P1

The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].
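The following is an added example, not part of the DOE/NIST text, that puts the two execution-authorization policies of CM-2(4) and CM-2(5) side by side as the kind of automated mechanism CM-7(2) describes: a list of program hashes that are permitted (deny-all, permit-by-exception) against a list of program hashes that are prohibited (allow-all, deny-by-exception). The sample programs and their contents are constructed; a real list would hold the hashes of the installed binaries.

```python
"""Added example (not from the DOE/NIST text): the CM-2(4) and CM-2(5)
software execution policies, enforced by hash as CM-7(2) describes.
The sample programs, their contents and the lists are constructed."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for program files on the system.
SAMPLE_PROGRAMS = {
    "approved-editor": b"constructed binary content: editor v1",
    "approved-backup": b"constructed binary content: backup agent",
    "known-bad-tool": b"constructed binary content: unwanted tool",
    "unknown-dropper": b"constructed binary content: never seen before",
}

# CM-2(5): the list of programs authorized to execute (deny-all, permit-by-exception).
AUTHORIZED = {sha256_hex(SAMPLE_PROGRAMS[n]) for n in ("approved-editor", "approved-backup")}

# CM-2(4): the list of programs not authorized to execute (allow-all, deny-by-exception).
UNAUTHORIZED = {sha256_hex(SAMPLE_PROGRAMS["known-bad-tool"])}


def allowed_by_allowlist(content: bytes) -> bool:
    """CM-2(5): execution is permitted only if the program's hash is listed."""
    return sha256_hex(content) in AUTHORIZED


def allowed_by_blocklist(content: bytes) -> bool:
    """CM-2(4): execution is permitted unless the program's hash is listed."""
    return sha256_hex(content) not in UNAUTHORIZED


def decide(name: str, content: bytes) -> dict:
    """Evaluate one program under both policies so the difference is visible."""
    return {
        "program": name,
        "allowlist_permits": allowed_by_allowlist(content),
        "blocklist_permits": allowed_by_blocklist(content),
    }


def evaluate_all() -> dict:
    return {name: decide(name, content) for name, content in SAMPLE_PROGRAMS.items()}


def modified_copy(name: str) -> bytes:
    """A constructed altered copy of a listed program (one byte of difference
    is enough to change the hash)."""
    return SAMPLE_PROGRAMS[name] + b" [modified]"


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:16s} allowlist={verdict['allowlist_permits']!s:5s} "
              f"blocklist={verdict['blocklist_permits']}")
```

Running it shows why CM-2(5) is the stronger baseline: the program nobody has classified yet is stopped under the allow-list but runs under the block-list, and an altered copy of an approved program is likewise stopped under the allow-list because its hash no longer matches. The same hash drift works against a block-list, which is why a hash-only block-list needs constant maintenance and why CM-5(3) prefers a recognized signing certificate, which survives legitimate updates, over a fixed hash.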

CM-7(3) Least Functionality X X X X X X Yes Yes P1

The organization ensures compliance with [Assignment: organization-defined registration requirements for ports, protocols, and services].

CM-8 Information System Component Inventory X X X X X X Yes Yes P1

The organization develops, documents, and maintains an inventory of information system components that: a) Accurately reflects the current information system; b) Is consistent with the authorization boundary of the information system; c) Is at the level of granularity deemed necessary for tracking and reporting; d) Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and e) Is available for review and audit by designated organizational officials.

CM-8(1) Information System Component Inventory X X X X X Yes Yes P1

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8(2) Information System Component Inventory X X Yes Yes P1

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.


CM-8(3) Information System Component Inventory X X Yes Yes P1

The organization: a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and b) Disables network access by such components/devices or notifies designated organizational officials.

CM-8(4) Information System Component Inventory X X X X Yes Yes P1

The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.

CM-8(5) Information System Component Inventory X X X X X Yes Yes P1

The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

CM-9 Configuration Management Plan X X X X X Yes Yes P1

The organization develops, documents, and implements a configuration management plan for the information system that: a) Addresses roles, responsibilities, and configuration management processes and procedures; b) Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and c) Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.


CP-1 Contingency Planning Policy And Procedures X X X X X X X X X X X X Yes Yes P1

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.


CP-2 Contingency Plan X X X X X X Yes Yes P1

The organization: a) Develops a contingency plan for the information system that: 1) Identifies essential missions and business functions and associated contingency requirements; 2) Provides recovery objectives, restoration priorities, and metrics; 3) Addresses contingency roles, responsibilities, assigned individuals with contact information; 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5) Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and 6) Is reviewed and approved by designated officials within the organization; b) Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements]; c) Coordinates contingency planning activities with incident handling activities; d) Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e) Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and f) Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].


CP-2(1) Contingency Plan X X X X No Yes P1

The organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2(2) Contingency Plan X X X No Yes P1

The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

CP-2(3) Contingency Plan X X X No Yes P1

The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2(4) Contingency Plan X X No Yes P1

The organization plans for the full resumption of missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2(5) Contingency Plan X No Yes P1

The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

CP-2(6) Contingency Plan X No Yes P1

The organization provides for the transfer of all essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through restoration to primary processing and/or storage sites.

CP-3 Contingency Training X X X X X X Yes Yes P2

The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].

CP-3(1) Contingency Training X X No No P2

The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.


CP-4 Contingency Plan Testing And Exercises X X X X X X Yes Yes P2

The organization: a) Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and b) Reviews the contingency plan test/exercise results and initiates corrective actions.

CP-4(1) Contingency Plan Testing And Exercises X X X X Yes Yes P2

The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

CP-4(2) Contingency Plan Testing And Exercises X X No No P2

The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.

CP-4(4) Contingency Plan Testing And Exercises X Yes Yes P2

The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

CP-6 Alternate Storage Site X X X X No No P1

The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.

CP-6(1) Alternate Storage Site X X X X No No P1

The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.

CP-6(2) Alternate Storage Site X X No No P1

The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

CP-6(3) Alternate Storage Site X X X X No No P1

The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.


CP-7 Alternate Processing Site X X X X No No P1

The organization: a) Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and b) Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

CP-7(1) Alternate Processing Site X X X X No No P1

The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.

CP-7(2) Alternate Processing Site X X X X No No P1

The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7(3) Alternate Processing Site X X X X No No P1

The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.

CP-7(4) Alternate Processing Site X X X No No P1

The organization configures the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions.

CP-7(5) Alternate Processing Site X X X X X X X X No No P1

The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.


CP-8 Telecommunications Services X X X X No No P1

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.

CP-8(1) Telecommunications Services X X X X No No P1

The organization: a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

CP-8(2) Telecommunications Services X X X X No No P1

The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.

CP-8(3) Telecommunications Services X X No No P1

The organization obtains alternate telecommunications service providers that are separated from primary service providers so as not to be susceptible to the same hazards.

CP-8(4) Telecommunications Services X X No No P1

The organization requires primary and alternate telecommunications service providers to have contingency plans.


CP-9 Information System Backup X X X X X X X X X X X X Yes Yes P1

The organization: a) Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b) Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c) Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d) Protects the confidentiality and integrity of backup information at the storage location.

CP-9(1) Information System Backup X X X X X X X X No Yes P1

The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

CP-9(2) Information System Backup X X X No Yes P1

The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

CP-9(3) Information System Backup X X No Yes P1

The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.

CP-9(4) Information System Backup - - - - - - - - -

[Withdrawn: Incorporated into CP-9].


CP-9(5) Information System Backup X X No Yes P1

The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

CP-10 Information System Recovery And Reconstitution X X X X X X Yes Yes P1

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

CP-10(1) Information System Recovery And Reconstitution - - - - - - - - -

[Withdrawn: Incorporated into CP-4].

CP-10(2) Information System Recovery And Reconstitution X X X X X X X X No No P1

The information system implements transaction recovery for systems that are transaction-based.

CP-10(3) Information System Recovery And Reconstitution X X

The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state].

CP-10(4) Information System Recovery And Reconstitution X No Yes

The organization provides the capability to reimage information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

IA-1 Identification And Authentication Policy And Procedures X X X X X X X X X Yes Yes P1

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.


IA-2 Identification And Authentication (Organizational Users) X X X X X X X X X Yes Yes P1

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-2(1) Identification And Authentication (Organizational Users) X X X X X X X X X No Yes P1

The information system uses multifactor authentication for network access to privileged accounts.

IA-2(2) Identification And Authentication (Organizational Users) X X X X X X No Yes P1

The information system uses multifactor authentication for network access to non-privileged accounts.

IA-2(3) Identification And Authentication (Organizational Users) X X X X X X No No P1

The information system uses multifactor authentication for local access to privileged accounts.

IA-2(4) Identification And Authentication (Organizational Users) X X X X X No No P1

The information system uses multifactor authentication for local access to non-privileged accounts.

IA-2(5) Identification And Authentication (Organizational Users) X X X X X X Yes Yes P1

The organization: a) Allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and b) Requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.

IA-2(8) Identification And Authentication (Organizational Users) X X X X X X X X No No P1

The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.

IA-2(9) Identification And Authentication (Organizational Users) X X X X X No No P1

The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to non-privileged accounts.

IA-3 Device Identification And Authentication X X X X X X X X No No P1

The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

IA-3(1) Device Identification And Authentication X X X X X X No Yes P1

The information system authenticates devices before establishing remote and wireless network connections using bidirectional authentication between devices that is cryptographically based.


IA-3(2) Device Identification And Authentication X X X X X X No Yes P1

The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.

IA-3(3) Device Identification And Authentication X X X X X X No Yes P1

The organization standardizes, with regard to dynamic address allocation, Dynamic Host Control Protocol (DHCP) lease information and the time assigned to devices, and audits lease information when assigned to a device.

IA-4 Identifier Management X X X X X X X X X Yes Yes P1

The organization manages information system identifiers for users and devices by: a) Receiving authorization from a designated organizational official to assign a user or device identifier; b) Selecting an identifier that uniquely identifies an individual or device; c) Assigning the user identifier to the intended party or the device identifier to the intended device; d) Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and e) Disabling the user identifier after [Assignment: organization-defined time period of inactivity].

IA-4(4) Identifier Management X X X X X X Yes Yes P1

The organization manages user identifiers by uniquely identifying the user as [Assignment: organization-defined characteristic identifying user status].


IA-5 Authenticator Management X X X X X X X X X Yes Yes P1

The organization manages information system authenticators for users and devices by: a) Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; b) Establishing initial authenticator content for authenticators defined by the organization; c) Ensuring that authenticators have sufficient strength of mechanism for their intended use; d) Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e) Changing default content of authenticators upon information system installation; f) Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate); g) Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h) Protecting authenticator content from unauthorized disclosure and modification; and i) Requiring users to take, and having devices implement, specific measures to safeguard authenticators.


IA-5(1) Authenticator Management X X X X X X X X X Yes Yes P1

The information system, for password-based authentication: a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created; c) Encrypts passwords in storage and in transmission; d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and e) Prohibits password reuse for [Assignment: organization-defined number] generations.
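The IA-5(1) enforcement points above, as an added Python example that is not part of this document or of any site's system: the policy values stand in for the organization-defined assignments in items a), b), d) and e), and the stored history holds salted PBKDF2 hashes rather than the passwords themselves (one realization of the storage half of item c); transport protection is out of scope).

```python
"""Password-change checker for the IA-5(1) enforcement points.

Added example; not part of the DOE EM RMAIP document. The numeric policy
values are constructed placeholders for the IA-5(1) organization-defined
assignments, not DOE or EM values.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Placeholders for the IA-5(1) [Assignment: organization-defined ...] values."""
    min_length: int = 14          # a) number of characters
    min_upper: int = 1            # a) upper-case letters
    min_lower: int = 1            # a) lower-case letters
    min_digits: int = 1           # a) numbers
    min_special: int = 1          # a) special characters
    min_changed_chars: int = 4    # b) changed characters required on a new password
    min_lifetime: timedelta = timedelta(days=1)    # d) lifetime minimum
    max_lifetime: timedelta = timedelta(days=60)   # d) lifetime maximum
    reuse_generations: int = 24   # e) generations for which reuse is prohibited


@dataclass
class PasswordRecord:
    """Per-account state: salted hashes of recent passwords (newest first)
    and the time of the last change. Plaintext passwords are never stored."""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[datetime] = None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def changed_characters(old: str, new: str) -> int:
    """Item b): positions that differ, plus any difference in length."""
    common = min(len(old), len(new))
    differing = sum(1 for i in range(common) if old[i] != new[i])
    return differing + abs(len(old) - len(new))


def check_complexity(policy: PasswordPolicy, candidate: str) -> List[str]:
    """Item a): return the list of complexity violations (empty if compliant)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"fewer than {policy.min_length} characters")
    counts = {"upper-case": sum(c.isupper() for c in candidate),
              "lower-case": sum(c.islower() for c in candidate),
              "digit": sum(c.isdigit() for c in candidate),
              "special": sum(c in string.punctuation for c in candidate)}
    required = {"upper-case": policy.min_upper, "lower-case": policy.min_lower,
                "digit": policy.min_digits, "special": policy.min_special}
    for kind, needed in required.items():
        if counts[kind] < needed:
            problems.append(f"fewer than {needed} {kind} character(s)")
    return problems


def check_change(policy: PasswordPolicy, record: PasswordRecord,
                 current: Optional[str], candidate: str, now: datetime) -> List[str]:
    """Items a), b), d) minimum lifetime and e) for a change attempt. `current`
    is the old password as re-entered at change time; item b) needs it."""
    problems = check_complexity(policy, candidate)
    if current is not None and changed_characters(current, candidate) < policy.min_changed_chars:
        problems.append(f"fewer than {policy.min_changed_chars} changed characters")
    if record.last_changed is not None and now - record.last_changed < policy.min_lifetime:
        problems.append("minimum lifetime not yet reached")
    for salt, digest in record.history[:policy.reuse_generations]:
        if matches(candidate, salt, digest):
            problems.append(f"reused within the last {policy.reuse_generations} generations")
            break
    return problems


def password_expired(policy: PasswordPolicy, record: PasswordRecord, now: datetime) -> bool:
    """Item d) maximum lifetime: True when the password must be changed."""
    return record.last_changed is None or now - record.last_changed > policy.max_lifetime


def apply_change(policy: PasswordPolicy, record: PasswordRecord,
                 candidate: str, now: datetime) -> None:
    """Record an accepted change: push the new hash, keep only e) generations."""
    record.history.insert(0, hash_password(candidate))
    del record.history[policy.reuse_generations:]
    record.last_changed = now
```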

IA-5(2) Authenticator Management X X X X X No Yes P1

The information system, for PKI-based authentication: a) Validates certificates by constructing a certification path with status information to an accepted trust anchor; b) Enforces authorized access to the corresponding private key; and c) Maps the authenticated identity to the user account.

IA-5(3) Authenticator Management X X X X X Yes Yes P1

The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).

IA-5(4) Authenticator Management X X X X X X No Yes P1

The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.


IA-5(6) Authenticator Management X X X X X X

The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.

IA-5(7) Authenticator Management X X X No Yes P2

The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

IA-5(8) Authenticator Management X X X X X X Yes Yes P2

The organization takes [Assignment: organization-defined measures] to manage the risk of compromise due to individuals having accounts on multiple information systems.

IA-6 Authenticator Feedback X X X X X X Yes Yes P1

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 Cryptographic Module Authentication X X X X X X X X X No No P1

The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 Identification And Authentication (Non-Organizational Users) X X X X X X X X X No No P1

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

IR-1 Incident Response Policy And Procedures X X X X X X X X X X X X Yes Yes P1

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.


IR-2 Incident Response Training X X X X X X X X X X X X Yes Yes P2

The organization: a) Trains personnel in their incident response roles and responsibilities with respect to the information system; and b) Provides refresher training [Assignment: organization-defined frequency].

IR-2(1) Incident Response Training X X X X Yes Yes P2

The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

IR-2(2) Incident Response Training X X X No No P2

The organization employs automated mechanisms to provide a more thorough and realistic training environment.

IR-3 Incident Response Testing And Exercises X X X X X X X X X X X Yes Yes P2

The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.

IR-3(1) Incident Response Testing And Exercises X No No P2

The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.

IR-4 Incident Handling X X X X X X X X X X X X Yes Yes P1

The organization: a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b) Coordinates incident handling activities with contingency planning activities; and c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

IR-4(1) Incident Handling X X X X X X X X X X X No No P1

The organization employs automated mechanisms to support the incident handling process.


IR-4(3) Incident Handling X X X X X X X X X Yes Yes P1

The organization identifies classes of incidents and defines appropriate actions to take in response to ensure continuation of organizational missions and business functions.

IR-4(4) Incident Handling X X X X X X X X X Yes Yes P1

The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

IR-5 Incident Monitoring X X X X X X X X X X X X Yes Yes P1

The organization tracks and documents information system security incidents.

IR-5(1) Incident Monitoring X X X No No P1

The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

IR-6 Incident Reporting X X X X X X X X X X X X Yes Yes P1

The organization: a) Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b) Reports security incident information to designated authorities.

IR-6(1) Incident Reporting X X X X X X X X X X X Yes Yes P1

The organization employs automated mechanisms to assist in the reporting of security incidents.

IR-6(2) Incident Reporting X X X X X X X X X Yes Yes P1

The organization reports information system weaknesses, deficiencies, and/or vulnerabilities associated with reported security incidents to appropriate organizational officials.

IR-7 Incident Response Assistance X X X X X X X X X X X X Yes Yes P3

The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-7(1) Incident Response Assistance X X X X X X X X X X X No No P3

The organization employs automated mechanisms to increase the availability of incident response-related information and support.


IR-7(2) Incident Response Assistance X X X X X X X X X Yes Yes P3

The organization: a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and b) Identifies organizational incident response team members to the external providers.


IR-8 Incident Response Plan X X X X X X X X X X X X Yes Yes P1

The organization: a) Develops an incident response plan that: 1) Provides the organization with a roadmap for implementing its incident response capability; 2) Describes the structure and organization of the incident response capability; 3) Provides a high-level approach for how the incident response capability fits into the overall organization; 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5) Defines reportable incidents; 6) Provides metrics for measuring the incident response capability within the organization; 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8) Is reviewed and approved by designated officials within the organization; b) Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements]; c) Reviews the incident response plan [Assignment: organization-defined frequency]; d) Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and e) Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].


MA-1 System Maintenance Policy And Procedures [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

MA-2 Controlled Maintenance [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P2]
The organization: a) Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b) Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c) Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d) Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and e) Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.


MA-2(1) Controlled Maintenance [Baselines: X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P2]
The organization maintains maintenance records for the information system that include: a) Date and time of maintenance; b) Name of the individual performing the maintenance; c) Name of escort, if necessary; d) A description of the maintenance performed; and e) A list of equipment removed or replaced (including identification numbers, if applicable).

MA-2(2) Controlled Maintenance [Baselines: X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P2]
The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete, and available records of all maintenance and repair actions, needed, in process, and completed.

MA-3 Maintenance Tools [Baselines: X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P2]
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.

MA-3(1) Maintenance Tools [Baselines: X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P2]
The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

MA-3(2) Maintenance Tools [Baselines: X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P2]
The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.

MA-3(3) Maintenance Tools [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P2]
The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.


MA-4 Non-Local Maintenance [Baselines: X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization: a) Authorizes, monitors, and controls non-local maintenance and diagnostic activities; b) Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c) Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions; d) Maintains records for non-local maintenance and diagnostic activities; and e) Terminates all sessions and network connections when non-local maintenance is completed.

MA-4(1) Non-Local Maintenance [Baselines: X X]
The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.

MA-4(2) Non-Local Maintenance [Baselines: X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.


MA-4(3) Non-Local Maintenance [Baselines: X X X X X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization: a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

MA-4(5) Non-Local Maintenance [Baselines: X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization requires that: a) Maintenance personnel notify [Assignment: organization-defined personnel] when non-local maintenance is planned (i.e., date/time); and b) A designated organizational official with specific information security/information system knowledge approves the non-local maintenance.

MA-4(6) Non-Local Maintenance [Baselines: X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.

MA-4(7) Non-Local Maintenance [Baselines: X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.


MA-5 Maintenance Personnel [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and b) Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

MA-5(1) Maintenance Personnel [Baselines: X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization maintains procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: a) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; b) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and c) In the event an information system component cannot be sanitized, the procedures contained in the security plan for the system are enforced.


MA-5(2) Maintenance Personnel [NSS Stand-Alone: Yes; NSS Network: Yes]
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are cleared (i.e., possess appropriate security clearances) for the highest level of information on the system.

MA-5(3) Maintenance Personnel [NSS Stand-Alone: Yes; NSS Network: Yes]
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.

MA-6 Timely Maintenance [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.

MP-1 Media Protection Policy And Procedures [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

MP-2 Media Access [Baselines: X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].

MP-2(1) Media Access [Baselines: X X; NSS Stand-Alone: Yes; NSS Network: Yes]
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.


MP-2(2) Media Access [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.

MP-3 Media Marking [Baselines: X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b) Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].

MP-4 Media Storage [Baselines: X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures]; b) Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-4(1) Media Storage [Baselines: X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs cryptographic mechanisms to protect information in storage.

MP-5 Media Transport [Baselines: X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures]; b) Maintains accountability for information system media during transport outside of controlled areas; and c) Restricts the activities associated with transport of such media to authorized personnel.

MP-5(2) Media Transport [Baselines: X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization documents activities associated with the transport of information system media.


MP-5(3) Media Transport [Baselines: X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization employs an identified custodian throughout the transport of information system media.

MP-5(4) Media Transport [Baselines: X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

MP-6 Media Sanitization [Baselines: X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and b) Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.

MP-6(1) Media Sanitization [Baselines: X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization tracks, documents, and verifies media sanitization and disposal actions.

MP-6(2) Media Sanitization [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization tests sanitization equipment and procedures to verify correct performance [Assignment: organization-defined frequency].

MP-6(3) Media Sanitization [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined list of circumstances requiring sanitization of portable, removable storage devices].

MP-6(4) Media Sanitization [Baselines: X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.

MP-6(5) Media Sanitization [Baselines: X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization sanitizes information system media containing classified information in accordance with NSA standards and policies.

MP-6(6) Media Sanitization [Baselines: X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization destroys information system media that cannot be sanitized.


PE-1 Physical And Environmental Protection Policy And Procedures [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

PE-2 Physical Access Authorizations [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); b) Issues authorization credentials; c) Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.

PE-2(1) Physical Access Authorizations [Baselines: X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization authorizes physical access to the facility where the information system resides based on position or role.

PE-2(3) Physical Access Authorizations [Baselines: X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.


PE-3 Physical Access Control [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible); b) Verifies individual access authorizations before granting access to the facility; c) Controls entry to the facility containing the information system using physical access devices and/or guards; d) Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk; e) Secures keys, combinations, and other physical access devices; f) Inventories physical access devices [Assignment: organization-defined frequency]; and g) Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

PE-3(1) Physical Access Control [Baselines: X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.

PE-3(2) Physical Access Control [Baselines: X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.

PE-3(3) Physical Access Control [Baselines: X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.


PE-3(4) Physical Access Control [Baselines: X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.

PE-3(6) Physical Access Control [Baselines: X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.

PE-4 Access Control For Transmission Medium [Baselines: X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization controls physical access to information system distribution and transmission lines within organizational facilities.

PE-5 Access Control For Output Devices [Baselines: X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

PE-6 Monitoring Physical Access [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Monitors physical access to the information system to detect and respond to physical security incidents; b) Reviews physical access logs [Assignment: organization-defined frequency]; and c) Coordinates results of reviews and investigations with the organization’s incident response capability.

PE-6(1) Monitoring Physical Access [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization monitors real-time physical intrusion alarms and surveillance equipment.

PE-6(2) Monitoring Physical Access [Baselines: X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.

PE-7 Visitor Control [Baselines: X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.

PE-7(1) Visitor Control [Baselines: X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization escorts visitors and monitors visitor activity, when required.


PE-8 Access Records [Baselines: X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P3]
The organization: a) Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and b) Reviews visitor access records [Assignment: organization-defined frequency].

PE-8(1) Access Records [Baselines: X; NSS Stand-Alone: No; NSS Network: No; Priority: P3]
The organization employs automated mechanisms to facilitate the maintenance and review of access records.

PE-8(2) Access Records [Baselines: X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P3]
The organization maintains a record of all physical access, both visitor and authorized individuals.

PE-9 Power Equipment And Power Cabling [Baselines: X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization protects power equipment and power cabling for the information system from damage and destruction.

PE-9(2) Power Equipment And Power Cabling [Baselines: X X; NSS Stand-Alone: No; NSS Network: Yes; Priority: P1]
The organization employs automatic voltage controls for [Assignment: organization-defined list of critical information system components].

PE-10 Emergency Shutoff [Baselines: X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization: a) Provides the capability of shutting off power to the information system or individual system components in emergency situations; b) Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c) Protects emergency power shutoff capability from unauthorized activation.

PE-11 Emergency Power [Baselines: X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.


PE-11(1) Emergency Power [Baselines: X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

PE-11(2) Emergency Power [Baselines: X; NSS Stand-Alone: No; NSS Network: Yes; Priority: P1]
The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.

PE-12 Emergency Lighting [Baselines: X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

PE-12(1) Emergency Lighting [Baselines: X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.

PE-13 Fire Protection [Baselines: X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

PE-13(1) Fire Protection [Baselines: X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.

PE-13(2) Fire Protection [Baselines: X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.

PE-13(3) Fire Protection [Baselines: X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.


PE-13(4) Fire Protection [Baselines: X; NSS Stand-Alone: No; NSS Network: Yes; Priority: P1]
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] fire marshal inspections and promptly resolves identified deficiencies.

PE-14 Temperature And Humidity Controls [Baselines: X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization: a) Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b) Monitors temperature and humidity levels [Assignment: organization-defined frequency].

PE-14(1) Temperature And Humidity Controls [Baselines: X X; NSS Stand-Alone: No; NSS Network: Yes; Priority: P1]
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.

PE-14(2) Temperature And Humidity Controls [Baselines: X X; NSS Stand-Alone: No; NSS Network: Yes; Priority: P1]
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

PE-15 Water Damage Protection [Baselines: X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

PE-15(1) Water Damage Protection [Baselines: X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.

PE-16 Delivery And Removal [Baselines: X X X X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.


PE-17 Alternate Work Site [Baselines: X X X X X X X X; NSS Stand-Alone: No; NSS Network: No; Priority: P1]
The organization: a) Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites; b) Assesses as feasible, the effectiveness of security controls at alternate work sites; and c) Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

PE-18 Location Of Information System Components [Baselines: X X]
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

PE-18(1) Location Of Information System Components [Baselines: X]
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.

PE-19 Information Leakage [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P0]
The organization protects the information system from information leakage due to electromagnetic signals emanations.

PE-19(1) Information Leakage [Baselines: X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P0]
The organization ensures that information system components, associated data communications, and networks are protected in accordance with: (i) national emissions and TEMPEST policies and procedures; and (ii) the sensitivity of the information being transmitted.


PL-1 Security Planning Policy And Procedures [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

PL-2 System Security Plan [Baselines: X X X X X X X X X X X X; NSS Stand-Alone: Yes; NSS Network: Yes; Priority: P1]
The organization: a) Develops a security plan for the information system that: 1) Is consistent with the organization’s enterprise architecture; 2) Explicitly defines the authorization boundary for the system; 3) Describes the operational context of the information system in terms of missions and business processes; 4) Provides the security categorization of the information system including supporting rationale; 5) Describes the operational environment for the information system; 6) Describes relationships with or connections to other information systems; 7) Provides an overview of the security requirements for the system; 8) Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and 9) Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b) Reviews the security plan for the information system [Assignment: organization-defined frequency]; and c) Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.


PL-2(1)  System Security Plan | X X X X X X X X X | Yes | Yes | P1
  The organization: a) Develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: (i) the purpose of the system; (ii) a description of the system architecture; (iii) the security authorization schedule; and (iv) the security categorization and associated factors considered in determining the categorization; and b) Reviews and updates the CONOPS [Assignment: organization-defined frequency].

PL-2(2)  System Security Plan | X X X X X X X X X | Yes | Yes | P1
  The organization develops a functional architecture for the information system that identifies and maintains: a) External interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface; b) User roles and the access privileges assigned to each role; c) Unique security requirements; d) Types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; and e) Restoration priority of information or information system services.

PL-4  Rules Of Behavior | X X X X X X X X X X X X | Yes | Yes | P1
  The organization: a) Establishes and makes readily available to all information system users the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and b) Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.


PL-5  Privacy Impact Assessment | X X X X X X | No | No | P1
  The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.

PL-6  Security-Related Activity Planning | X X X X X X X X X X X | No | No | P3
  The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.

PS-1  Personnel Security Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
  The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

PS-2  Position Categorization | X X X X X X X X X X X X | Yes | Yes | P1
  The organization: a) Assigns a risk designation to all positions; b) Establishes screening criteria for individuals filling those positions; and c) Reviews and revises position risk designations [Assignment: organization-defined frequency].

PS-3  Personnel Screening | X X X X X X X X X | Yes | Yes | P1
  The organization: a) Screens individuals prior to authorizing access to the information system; and b) Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening].

PS-3(1)  Personnel Screening | X X X | Yes | Yes | P1
  The organization ensures that every user accessing an information system processing, storing, or transmitting classified information is cleared and indoctrinated to the highest classification level of the information on the system.


PS-3(2)  Personnel Screening | X X X | Yes | Yes | P1
  The organization ensures that every user accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination is formally indoctrinated for all of the relevant types of information on the system.

PS-4  Personnel Termination | X X X X X X X X X X X X | Yes | Yes | P2
  The organization, upon termination of individual employment: a) Terminates information system access; b) Conducts exit interviews; c) Retrieves all security-related organizational information system-related property; and d) Retains access to organizational information and information systems formerly controlled by the terminated individual.

PS-5  Personnel Transfer | X X X X X X X X X X X X | Yes | Yes | P2
  The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].
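In practice PS-4 a) and PS-5 are the same operation run on two triggers: every account on every system is reconciled against the personnel roster, access is removed when the person behind it has left (or when no person can be found for it at all), and access is re-reviewed when the person has moved to a position other than the one the access was approved for. The Python below is an added example written for this page, not code from the RMAIP or from DOE; the roster, the account inventory and the 14-day review window are constructed values standing in for the organization-defined transfer actions and time period that PS-5 leaves as assignments.

```python
"""Reconcile information-system accounts against a personnel roster (PS-4 / PS-5).

Added example, not part of the DOE EM RMAIP. All records below are constructed
sample data; TRANSFER_REVIEW_DAYS is an assumed organization-defined period.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

TRANSFER_REVIEW_DAYS = 14  # assumed organization-defined time period (PS-5 assignment)


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str               # "active" or "terminated"
    position: str             # current position (the risk designation of PS-2 lives here)
    position_effective: date  # date the current position took effect


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    person_id: str
    authorized_for_position: str  # position for which this access was approved


# Constructed sample roster and account inventory (not real data)
ROSTER: Dict[str, Person] = {
    "E100": Person("E100", "active", "db-admin", date(2023, 1, 9)),
    "E200": Person("E200", "terminated", "analyst", date(2022, 6, 1)),
    "E300": Person("E300", "active", "helpdesk", date(2024, 3, 4)),  # transferred from analyst
    "E400": Person("E400", "active", "engineer", date(2021, 5, 3)),
}

ACCOUNTS: List[Account] = [
    Account("hr-db", "e100", "E100", "db-admin"),
    Account("hr-db", "e200", "E200", "analyst"),
    Account("ticketing", "e300", "E300", "analyst"),
    Account("ticketing", "e400", "E400", "engineer"),
    Account("vpn", "svc-legacy", "E999", "unknown"),  # no person on the roster
]

AS_OF = date(2024, 3, 25)  # constructed date of the reconciliation run


def reconcile(roster: Dict[str, Person], accounts: List[Account], today: date
              ) -> Tuple[List[Account], List[Tuple[Account, bool]]]:
    """Return (to_disable, to_review).

    to_disable: accounts whose person is terminated or absent from the roster
                (PS-4 a). An orphaned account has nobody to vouch for it, so it
                is handled exactly like a terminated person's account.
    to_review:  (account, overdue) pairs where the person's current position is
                not the one the access was authorized for (PS-5); overdue is True
                once the transfer review window has elapsed.
    """
    to_disable: List[Account] = []
    to_review: List[Tuple[Account, bool]] = []
    for acct in accounts:
        person = roster.get(acct.person_id)
        if person is None or person.status == "terminated":
            to_disable.append(acct)
            continue
        if acct.authorized_for_position != person.position:
            elapsed = (today - person.position_effective).days
            to_review.append((acct, elapsed > TRANSFER_REVIEW_DAYS))
    return to_disable, to_review


def report(roster: Dict[str, Person], accounts: List[Account], today: date) -> List[str]:
    """One action line per finding, disable actions first."""
    to_disable, to_review = reconcile(roster, accounts, today)
    lines = [f"DISABLE {a.system}:{a.username} (person {a.person_id})" for a in to_disable]
    for a, overdue in to_review:
        flag = "OVERDUE" if overdue else "pending"
        lines.append(f"REVIEW  {a.system}:{a.username} authorized for "
                     f"{a.authorized_for_position}, now {roster[a.person_id].position} [{flag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ROSTER, ACCOUNTS, AS_OF)))
```

In a real deployment the roster comes from the HR system of record and the account inventory from each system's directory or local account database, and the DISABLE list feeds an automated deprovisioning step rather than a printout. Treating an account with no roster entry as disable-worthy is deliberate: orphaned service and shared accounts are the usual way terminated access survives a PS-4 process that only looks up people by name.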

PS-6  Access Agreements | X X X X X X X X X | Yes | Yes | P3
  The organization: a) Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and b) Reviews/updates the access agreements [Assignment: organization-defined frequency].

PS-6(1)  Access Agreements | X X X X X X | Yes | Yes | P3
  The organization ensures that access to information with special protection measures is granted only to individuals who: a) Have a valid access authorization that is demonstrated by assigned official government duties; and b) Satisfy associated personnel security criteria.


PS-6(2)  Access Agreements | X X X | Yes | Yes | P3
  The organization ensures that access to classified information with special protection measures is granted only to individuals who: a) Have a valid access authorization that is demonstrated by assigned official government duties; b) Satisfy associated personnel security criteria; and c) Have read, understand, and signed a nondisclosure agreement.

PS-7  Third-Party Personnel Security | X X X X X X X X X | Yes | Yes | P1
  The organization: a) Establishes personnel security requirements including security roles and responsibilities for third-party providers; b) Documents personnel security requirements; and c) Monitors provider compliance.

PS-8  Personnel Sanctions | X X X X X X X X X X X X | Yes | Yes | P3
  The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

RA-1  Risk Assessment Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
  The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.


RA-2  Security Categorization | X X X X X X X X X X X X | Yes | Yes | P1
  The organization: a) Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b) Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c) Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

RA-3  Risk Assessment | X X X X X X X X X X X X | Yes | Yes | P1
  The organization: a) Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b) Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c) Reviews risk assessment results [Assignment: organization-defined frequency]; and d) Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.


RA-5  Vulnerability Scanning | X X X X X X X X X X X X | No | No | P1
  The organization: a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b) Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: 1) Enumerating platforms, software flaws, and improper configurations; 2) Formatting and making transparent checklists and test procedures; and 3) Measuring vulnerability impact; c) Analyzes vulnerability scan reports and results from security control assessments; d) Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e) Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
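RA-5 b) is the reason scanners export SCAP content (CPE names for platforms, CVE identifiers for software flaws, CCE for configuration items, XCCDF/OVAL checklists, CVSS scores for impact); RA-5 d) and e) are what the organization then has to do with that output. The Python below is an added example, not code from the RMAIP: it takes constructed findings with placeholder CVE identifiers, bands them by CVSS v2 base score, applies assumed organization-defined response times per band, lists open findings that are past their due date in priority order, and surfaces any flaw present on more than one host as the kind of systemic weakness RA-5 e) asks the organization to share with other system owners.

```python
"""Triage constructed vulnerability-scan findings against remediation response
times (RA-5 c, d, e).

Added example, not part of the DOE EM RMAIP. The findings are constructed records
in the shape a SCAP-capable scanner exports; the CVE identifiers are placeholders,
not real entries, and RESPONSE_DAYS is an assumed organization-defined assignment.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List

# Assumed organization-defined remediation response times (RA-5 d), in days,
# keyed by the CVSS v2 qualitative band NVD uses for base scores.
RESPONSE_DAYS = {"High": 15, "Medium": 30, "Low": 90}

# Constructed findings: platform as a CPE name, flaw as a (placeholder) CVE,
# impact as a CVSS v2 base score, plus the date the scanner first reported it.
FINDINGS = [
    {"host": "web01", "cpe": "cpe:/a:example:httpd:2.2", "cve": "CVE-0000-0001", "cvss": 9.3, "found": date(2024, 1, 10), "remediated": False},
    {"host": "web02", "cpe": "cpe:/a:example:httpd:2.2", "cve": "CVE-0000-0001", "cvss": 9.3, "found": date(2024, 1, 10), "remediated": False},
    {"host": "db01",  "cpe": "cpe:/a:example:dbms:11",  "cve": "CVE-0000-0002", "cvss": 5.0, "found": date(2024, 1, 20), "remediated": False},
    {"host": "db01",  "cpe": "cpe:/o:example:os:7",     "cve": "CVE-0000-0003", "cvss": 2.1, "found": date(2024, 1, 20), "remediated": False},
    {"host": "web01", "cpe": "cpe:/a:example:dbms:11",  "cve": "CVE-0000-0002", "cvss": 5.0, "found": date(2024, 1, 25), "remediated": True},
]
AS_OF = date(2024, 2, 1)  # constructed report date


def severity(cvss_base: float) -> str:
    """CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "High"
    if cvss_base >= 4.0:
        return "Medium"
    return "Low"


def due_date(finding: dict) -> date:
    """Remediation deadline: first-seen date plus the response time for its band."""
    return finding["found"] + timedelta(days=RESPONSE_DAYS[severity(finding["cvss"])])


def overdue(findings: List[dict], today: date) -> List[dict]:
    """Open findings past their response time (RA-5 d), highest CVSS first so the
    list reads in the order it should be worked."""
    late = [f for f in findings if not f["remediated"] and today > due_date(f)]
    return sorted(late, key=lambda f: (-f["cvss"], f["host"]))


def systemic_weaknesses(findings: List[dict], min_hosts: int = 2) -> Dict[str, List[str]]:
    """RA-5 e: the same flaw on several hosts is a systemic weakness to share with
    other system owners, whether or not individual instances are already fixed."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["cve"]].add(f["host"])
    return {cve: sorted(h) for cve, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for f in overdue(FINDINGS, AS_OF):
        print(f"{f['host']:6} {f['cve']} {severity(f['cvss'])}: due {due_date(f)}")
    for cve, hosts in systemic_weaknesses(FINDINGS).items():
        print(f"systemic: {cve} on {', '.join(hosts)}")
```

The remediation clock starts at the date the scanner first reported the finding, not at the date of the report being read; re-scanning without carrying that first-seen date forward is the usual way RA-5 d) deadlines silently reset. The systemic view keeps remediated instances in the host count on purpose: a flaw that has already been fixed on one system is still evidence that other systems built the same way are affected.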

RA-5(1)  Vulnerability Scanning | X X X X X X X X X X X | No | No | P1
  The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.

RA-5(2)  Vulnerability Scanning | X X X X X X X X X X | No | No | P1
  The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported.


RA-5(3)  Vulnerability Scanning | X
  The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

RA-5(4)  Vulnerability Scanning | X X X X X X X X X X | No | No | P1
  The organization attempts to discern what information about the information system is discoverable by adversaries.

RA-5(5)  Vulnerability Scanning | X X X X X X X X X X | No | No | P1
  The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.

RA-5(7)  Vulnerability Scanning | X X X X X X X X X X | No | No | P1
  The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.

RA-5(9)  Vulnerability Scanning | X | No | No | P1
  The organization employs an independent penetration agent or penetration team to: a) Conduct a vulnerability analysis on the information system; and b) Perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.


SA-1  System And Services Acquisition Policy And Procedures | X X X X X X X X X | Yes | Yes | P1
  The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

SA-2  Allocation Of Resources | X X X X X X | No | No | P1
  The organization: a) Includes a determination of information security requirements for the information system in mission/business process planning; b) Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and c) Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-3  Life Cycle Support | X X X X X X | Yes | Yes | P1
  The organization: a) Manages the information system using a system development life cycle methodology that includes information security considerations; b) Defines and documents information system security roles and responsibilities throughout the system development life cycle; and c) Identifies individuals having information system security roles and responsibilities.


SA-4  Acquisitions | X X X X X X | No | No | P1
  The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: a) Security functional requirements/specifications; b) Security-related documentation requirements; and c) Developmental and evaluation-related assurance requirements.

SA-4(1)  Acquisitions | X X X X | No | No | P1
  The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.

SA-4(2)  Acquisitions | X X | No | No | P1
  The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.

SA-4(3)  Acquisitions | X
  The organization requires software vendors/manufacturers to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes, and validation techniques to minimize flawed or malformed software.


SA-4(4)  Acquisitions | X X | No | No | P1
  The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.

SA-4(5)  Acquisitions | X | No | No | P1
  The organization requires in acquisition documents that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.

SA-4(6)  Acquisitions | X X X | No | No | P1
  The organization: a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and b) Ensures that these products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.


SA-5  Information System Documentation | X X X X X X | No | No | P2
  The organization: a) Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes: 1) Secure configuration, installation, and operation of the information system; 2) Effective use and maintenance of security features/functions; and 3) Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; b) Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes: 1) User-accessible security features/functions and how to effectively use those security features/functions; 2) Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and 3) User responsibilities in maintaining the security of the information and information system; and c) Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

SA-5(1)  Information System Documentation | X X X X X | No | No | P2
  The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.


SA-5(2)  Information System Documentation | X X X X | No | No | P2
  The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.

SA-5(3)  Information System Documentation | X X X X | No | No | P2
  The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

SA-5(4)  Information System Documentation | X | No | No | P2
  The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

SA-6  Software Usage Restrictions | X X X X X X X X X | No | No | P1
  The organization: a) Uses software and associated documentation in accordance with contract agreements and copyright laws; b) Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and c) Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

SA-7  User Installed Software | X X X X X X | Yes | Yes | P1
  The organization enforces explicit rules governing the installation of software by users.


SA-8  Security Engineering Principles | X X X X X | Yes | Yes | P1
  The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

SA-9  External Information System Services | X X X X X X | No | No | P1
  The organization: a) Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b) Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c) Monitors security control compliance by external service providers.

SA-9(1)  External Information System Services | X X X | No | No | P1
  The organization: a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined senior organizational official].

SA-10  Developer Configuration Management | X X X X X | No | Yes | P1
  The organization requires that information system developers/integrators: a) Perform configuration management during information system design, development, implementation, and operation; b) Manage and control changes to the information system; c) Implement only organization-approved changes; d) Document approved changes to the information system; and e) Track security flaws and flaw resolution.


SA-10(1)  Developer Configuration Management | X X X | No | Yes | P1
  The organization requires that information system developers/integrators provide an integrity check of software to facilitate organizational verification of software integrity after delivery.
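SA-10(1) only pays off if the receiving organization actually performs the check on arrival, and the same verification is the first gate on anything else that comes through the supply chain (SA-12). The Python below is an added example, not code from the RMAIP or from any developer or vendor: it assumes the developer delivers a manifest in the sha256sum layout (one "<hex digest>  <relative path>" line per file), builds a constructed delivery in a temporary directory containing one intact file, one tampered file, one file missing from the delivery and one file the manifest never mentions, and reports each class separately so that none of them can be mistaken for a pass.

```python
"""Verify a delivered software package against a developer-supplied integrity
manifest (SA-10(1)); the same check gates supply-chain deliveries (SA-12).

Added example, not part of the DOE EM RMAIP. The manifest format is an assumption
(sha256sum's "<hex digest>  <relative path>" lines); the delivery is constructed
in a temporary directory so the example runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 16
MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream the file so large deliverables do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<digest>  <path>' lines; blank lines and '#' comments are ignored.
    Anything that is not a 64-hex-character digest followed by a path is rejected
    rather than skipped, so a corrupted manifest cannot silently shrink coverage."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[rel] = digest.lower()
    return entries


def verify_delivery(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every file under root as ok, mismatch, missing or unlisted.
    Unlisted files are a finding in their own right: an extra binary in a delivery
    is as suspicious as a modified one."""
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif hmac.compare_digest(sha256_file(p), expected):
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest and rel != MANIFEST_NAME:
                result["unlisted"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed delivery: one intact, one tampered, one missing, one unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        good = b"#!/bin/sh\necho ok\n"
        (root / "bin" / "run.sh").write_bytes(good)
        (root / "bin" / "helper.sh").write_bytes(b"echo helper\n")      # content differs from manifest
        (root / "bin" / "extra.so").write_bytes(b"\x7fELF")             # not in the manifest
        manifest_text = "\n".join([
            "# constructed manifest",
            f"{hashlib.sha256(good).hexdigest()}  bin/run.sh",
            f"{hashlib.sha256(b'original helper').hexdigest()}  bin/helper.sh",
            f"{'0' * 64}  docs/README",                                   # never delivered
        ])
        (root / MANIFEST_NAME).write_text(manifest_text)
        return verify_delivery(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:9} {files}")
```

A manifest that travels inside the same package as the files it describes only detects corruption in transit; to detect deliberate substitution the manifest, or a signature over it, has to arrive over a channel the delivery cannot influence, and the expected digests belong in the organization's own configuration management baseline (SA-10) before the package is opened, not copied from it afterwards.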

SA-11  Developer Security Testing | X X X X X | No | Yes | P2
  The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers): a) Create and implement a security test and evaluation plan; b) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and c) Document the results of the security testing/evaluation and flaw remediation processes.

SA-11(1)  Developer Security Testing | X | No | Yes | P2
  The organization requires that information system developers/integrators employ code analysis tools to examine software for common flaws and document the results of the analysis.

SA-11(2)  Developer Security Testing | X | No | Yes | P2
  The organization requires that information system developers/integrators perform a vulnerability analysis to document vulnerabilities, exploitation potential, and risk mitigations.

SA-12  Supply Chain Protection | X X X X X X X X X X | Yes | Yes | P1
  The organization protects against supply chain threats by employing [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.

SA-12(2)  Supply Chain Protection | X X X X X X X X X | Yes | Yes | P1
  The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware, software, firmware, or services.

SA-13  Trustworthiness | X
  The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].


SC-1  System And Communications Protection Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
  The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

SC-2  Application Partitioning | X X X X X X X X | Yes | Yes | P1
  The information system separates user functionality (including user interface services) from information system management functionality.

SC-2(1)  Application Partitioning | X X X X X X
  The information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.

SC-3  Security Function Isolation | X X | Yes | Yes | P1
  The information system isolates security functions from nonsecurity functions.

SC-4  Information In Shared Resources | X X X X X | No | No | P1
  The information system prevents unauthorized and unintended information transfer via shared system resources.

SC-5  Denial Of Service Protection | X X X X X X | No | Yes | P1
  The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

SC-5(1)  Denial Of Service Protection | X X X | No | Yes | P1
  The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.

SC-5(2)  Denial Of Service Protection | X X | No | Yes | P1
  The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SC-6 | Resource Priority | X | No | No | P0 | The information system limits the use of resources by priority. |
| SC-7 | Boundary Protection | X X X X X X X X X | No | No | P1 | The information system: a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and b) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
| SC-7(1) | Boundary Protection | X X X X X X X X | No | No | P1 | The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces. |
| SC-7(2) | Boundary Protection | X X X X X X X X | No | No | P1 | The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices. |
| SC-7(3) | Boundary Protection | X X X X X X X X | No | No | P1 | The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. |
| SC-7(4) | Boundary Protection | X X X X X X X X | No | No | P1 | The organization: a) Implements a managed interface for each external telecommunication service; b) Establishes a traffic flow policy for each managed interface; c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted; d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SC-7(5) | Boundary Protection | X X X X X X X X | No | No | P1 | The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception). |
| SC-7(6) | Boundary Protection | X | | | | The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms. |
| SC-7(7) | Boundary Protection | X X X X X X X X | No | No | P1 | The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks. |
| SC-7(8) | Boundary Protection | X X X X X X X | No | No | P1 | The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices. |
| SC-7(11) | Boundary Protection | X X X | No | No | P1 | The information system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination. |
| SC-7(12) | Boundary Protection | X X X X X X X X X | No | No | P1 | The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices. |
| SC-7(13) | Boundary Protection | X X X X X X | No | No | P1 | The organization isolates [Assignment: organization-defined key information security tools, mechanisms, and support components] from other internal information system components via physically separate subnets with managed interfaces to other portions of the system. |
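The exception handling in SC-7(4) d) through f) and the deny-all, permit-by-exception rule in SC-7(5) can be checked mechanically. The following is an added example, not code from the RMAIP or from NIST; the exception register format and its field names are assumptions. It builds a default-deny rule list from a register of documented exceptions, refuses entries with no mission/business need, and drops exceptions whose documented need has expired.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed exception register for one managed interface (hypothetical
# format). Each entry carries the supporting mission/business need and the
# duration of that need, as SC-7(4) d) requires for every exception.
EXCEPTIONS = [
    {"id": "EX-001", "proto": "tcp", "dst_port": 443, "direction": "outbound",
     "need": "Vendor patch repository access", "expires": "2025-12-31"},
    {"id": "EX-002", "proto": "udp", "dst_port": 53, "direction": "outbound",
     "need": "Upstream DNS resolver", "expires": "2024-06-30"},
    {"id": "EX-003", "proto": "tcp", "dst_port": 22, "direction": "inbound",
     "need": "", "expires": "2026-01-01"},
]


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches every port
    direction: str           # "inbound", "outbound" or "any"


def build_policy(exceptions, today):
    """Turn the exception register into an ordered rule list.

    `today` is a date or an ISO date string. Returns (rules, findings).
    Exceptions without a documented need are rejected (SC-7(4) d);
    exceptions whose need has expired are dropped (SC-7(4) f). The list
    always ends in a deny-all rule (SC-7(5)).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rules, findings = [], []
    for ex in exceptions:
        if not ex["need"].strip():
            findings.append(f"{ex['id']}: no mission/business need documented; not permitted")
            continue
        if date.fromisoformat(ex["expires"]) < today:
            findings.append(f"{ex['id']}: need expired {ex['expires']}; exception removed")
            continue
        rules.append(Rule("permit", ex["proto"], ex["dst_port"], ex["direction"]))
    rules.append(Rule("deny", "any", None, "any"))
    return rules, findings


def matches(rule, proto, dst_port, direction):
    """A rule matches when every field is either a wildcard or equal."""
    return ((rule.proto == "any" or rule.proto == proto)
            and (rule.dst_port is None or rule.dst_port == dst_port)
            and (rule.direction == "any" or rule.direction == direction))


def decide(rules, proto, dst_port, direction):
    """First-match evaluation; anything not explicitly permitted is denied."""
    for rule in rules:
        if matches(rule, proto, dst_port, direction):
            return rule.action
    return "deny"


def render(rules):
    """Human-readable rule list for the traffic flow policy record."""
    return [f"{r.action} {r.proto} port {'any' if r.dst_port is None else r.dst_port} {r.direction}"
            for r in rules]


if __name__ == "__main__":
    rules, findings = build_policy(EXCEPTIONS, "2025-03-01")
    print("\n".join(render(rules)))
    print("\n".join(findings))
    print(decide(rules, "tcp", 443, "outbound"))  # permit
    print(decide(rules, "udp", 53, "outbound"))   # deny
```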


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SC-7(14) | Boundary Protection | X X X X X X | No | No | P1 | The organization protects against unauthorized physical connections across the boundary protections implemented at [Assignment: organization-defined list of managed interfaces]. |
| SC-7(18) | Boundary Protection | X X X X X X X X X | No | No | P1 | The information system fails securely in the event of an operational failure of a boundary protection device. |
| SC-8 | Transmission Integrity | X X X X X | No | No | P1 | The information system protects the integrity of transmitted information. |
| SC-8(1) | Transmission Integrity | X X X X | No | No | P1 | The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures. |
| SC-8(2) | Transmission Integrity | X | No | No | P1 | The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission. |
| SC-9 | Transmission Confidentiality | X X X X X | No | No | P1 | The information system protects the confidentiality of transmitted information. |
| SC-9(1) | Transmission Confidentiality | X X X X X | No | No | P1 | The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical measures]. |
| SC-9(2) | Transmission Confidentiality | X X | No | No | P1 | The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission. |
| SC-10 | Network Disconnect | X X X X X X X X | No | Yes | P2 | The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SC-11 | Trusted Path | X X X | No | Yes | P0 | The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and reauthentication]. |
| SC-12 | Cryptographic Key Establishment And Management | X X X X X X X X X | No | No | P1 | The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
| SC-12(1) | Cryptographic Key Establishment And Management | X X X X | No | No | P1 | The organization maintains availability of information in the event of the loss of cryptographic keys by users. |
| SC-13 | Use Of Cryptography | X X X X X X X X X | Yes | Yes | P1 | The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
| SC-13(4) | Use Of Cryptography | X X | Yes | Yes | P1 | The organization employs [Selection: FIPS-validated; NSA-approved] cryptography to implement digital signatures. |
| SC-14 | Public Access Protections | X X X X X X X X X | No | No | P1 | The information system protects the integrity and availability of publicly available information and applications. |
| SC-15 | Collaborative Computing Devices | X X X X X X | No | Yes | P1 | The information system: a) Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b) Provides an explicit indication of use to users physically present at the devices. |
| SC-15(1) | Collaborative Computing Devices | X X X | No | Yes | P1 | The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use. |
| SC-15(2) | Collaborative Computing Devices | X X X X X X | No | Yes | P1 | The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SC-15(3) | Collaborative Computing Devices | X X X X X X | No | Yes | P1 | The organization disables or removes collaborative computing devices from information systems in [Assignment: organization-defined secure work areas]. |
| SC-17 | Public Key Infrastructure Certificates | X X X X X X X X | No | No | P1 | The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider. |
| SC-18 | Mobile Code | X X X X X | No | Yes | P1 | The organization: a) Defines acceptable and unacceptable mobile code and mobile code technologies; b) Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c) Authorizes, monitors, and controls the use of mobile code within the information system. |
| SC-18(1) | Mobile Code | X X X | No | Yes | P1 | The information system implements detection and inspection mechanisms to identify unauthorized mobile code and takes corrective actions, when necessary. |
| SC-18(2) | Mobile Code | X X X | No | Yes | P1 | The organization ensures the acquisition, development, and/or use of mobile code to be deployed in information systems meets [Assignment: organization-defined mobile code requirements]. |
| SC-18(3) | Mobile Code | X X X | No | Yes | P1 | The information system prevents the download and execution of prohibited mobile code. |
| SC-18(4) | Mobile Code | X X X | No | Yes | P1 | The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and requires [Assignment: organization-defined actions] prior to executing the code. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SC-19 | Voice Over Internet Protocol | X X X X X X X X | No | No | P1 | The organization: a) Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b) Authorizes, monitors, and controls the use of VoIP within the information system. |
| SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | X X X X X X | No | Yes | P1 | The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries. |
| SC-20(1) | Secure Name/Address Resolution Service (Authoritative Source) | X X X X X X | No | No | P1 | The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains. |
| SC-21 | Secure Name/Address Resolution Service (Recursive Or Caching Resolver) | X X X X | No | Yes | P1 | The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. |
| SC-21(1) | Secure Name/Address Resolution Service (Recursive Or Caching Resolver) | X X X | No | Yes | P1 | The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service. |
| SC-22 | Architecture And Provisioning For Name/Address Resolution Service | X X X X X X X X X X X | No | Yes | P1 | The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation. |
| SC-23 | Session Authenticity | X X X X X | No | Yes | P1 | The information system provides mechanisms to protect the authenticity of communications sessions. |
| SC-23(1) | Session Authenticity | X X X | No | Yes | P1 | The information system invalidates session identifiers upon user logout or other session termination. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SC-23(2) | Session Authenticity | X X X | No | Yes | P1 | The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages. |
| SC-23(3) | Session Authenticity | X X X | No | Yes | P1 | The information system generates a unique session identifier for each session and recognizes only session identifiers that are system-generated. |
| SC-23(4) | Session Authenticity | X X X | No | Yes | P1 | The information system generates unique session identifiers with [Assignment: organization-defined randomness requirements]. |
| SC-24 | Fail In Known State | X X X X X X X | Yes | Yes | P1 | The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. |
| SC-28 | Protection Of Information At Rest | X X X X X X X X | Yes | Yes | P1 | The information system protects the confidentiality and integrity of information at rest. |
| SC-28(1) | Protection Of Information At Rest | X X | Yes | Yes | P1 | The organization employs cryptographic mechanisms to prevent unauthorized disclosure and modification of information at rest unless otherwise protected by alternative physical measures. |
| SC-32 | Information System Partitioning | X X X X X X | No | No | P0 | The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary. |
| SC-33 | Transmission Preparation Integrity | X | No | Yes | P0 | The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SI-1 | System And Information Integrity Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1 | The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls. |
| SI-2 | Flaw Remediation | X X X X X X | Yes | Yes | P1 | The organization: a) Identifies, reports, and corrects information system flaws; b) Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and c) Incorporates flaw remediation into the organizational configuration management process. |
| SI-2(1) | Flaw Remediation | X | | | | The organization centrally manages the flaw remediation process and installs software updates automatically. |
| SI-2(2) | Flaw Remediation | X X X X | No | No | P1 | The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. |
| SI-2(3) | Flaw Remediation | X X X | No | Yes | P1 | The organization measures the time between flaw identification and flaw remediation, comparing with [Assignment: organization-defined benchmarks]. |
| SI-2(4) | Flaw Remediation | X X X | No | Yes | P1 | The organization employs automated patch management tools to facilitate flaw remediation to [Assignment: organization-defined information system components]. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SI-3 | Malicious Code Protection | X X X X X X | No | No | P1 | The organization: a) Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: 1) Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or 2) Inserted through the exploitation of information system vulnerabilities; b) Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures; c) Configures malicious code protection mechanisms to: 1) Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2) [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d) Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. |
| SI-3(1) | Malicious Code Protection | X X X X X | No | No | P1 | The organization centrally manages malicious code protection mechanisms. |
| SI-3(2) | Malicious Code Protection | X X X X X | No | No | P1 | The information system automatically updates malicious code protection mechanisms (including signature definitions). |
| SI-3(3) | Malicious Code Protection | X X X X X | No | No | P1 | The information system prevents non-privileged users from circumventing malicious code protection capabilities. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SI-4 | Information System Monitoring | X X X X X | No | Yes | P1 | The organization: a) Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks; b) Identifies unauthorized use of the information system; c) Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d) Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and e) Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. |
| SI-4(1) | Information System Monitoring | X X X | No | No | P1 | The organization interconnects and configures individual intrusion detection tools into a system wide intrusion detection system using common protocols. |
| SI-4(2) | Information System Monitoring | X X X X X | No | No | P1 | The organization employs automated tools to support near real-time analysis of events. |
| SI-4(4) | Information System Monitoring | X X X X X X X X | No | No | P1 | The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions. |
| SI-4(5) | Information System Monitoring | X X X X X | No | No | P1 | The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators]. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SI-4(6) | Information System Monitoring | X X X X X | No | No | P1 | The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities. |
| SI-4(7) | Information System Monitoring | X X X X X X | No | Yes | P1 | The information system notifies [Assignment: organization-defined list of incident response personnel (identified by name and/or by role)] of suspicious events and takes [Assignment: organization-defined list of least-disruptive actions to terminate suspicious events]. |
| SI-4(8) | Information System Monitoring | X X X X X X X X X | No | No | P1 | The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. |
| SI-4(9) | Information System Monitoring | X X X | No | Yes | P1 | The organization tests/exercises intrusion-monitoring tools [Assignment: organization-defined time-period]. |
| SI-4(11) | Information System Monitoring | X X X | No | No | P1 | The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter) and, as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems) to discover anomalies. |
| SI-4(12) | Information System Monitoring | X X X X X X | No | Yes | P1 | The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that trigger alerts]. |
| SI-4(14) | Information System Monitoring | X X X X X X | No | No | P1 | The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. |
| SI-4(15) | Information System Monitoring | X X X X X X | No | No | P1 | The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wire line networks. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SI-4(16) | Information System Monitoring | X X X | No | Yes | P1 | The organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness. |
| SI-4(17) | Information System Monitoring | X X X X X X | No | Yes | P1 | The organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness. |
| SI-5 | Security Alerts, Advisories, And Directives | X X X X X X | No | No | P1 | The organization: a) Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; b) Generates internal security alerts, advisories, and directives as deemed necessary; c) Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. |
| SI-5(1) | Security Alerts, Advisories, And Directives | X X X X | No | No | P1 | The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed. |
| SI-6 | Security Functionality Verification | X X X X | No | Yes | P1 | The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
| SI-6(1) | Security Functionality Verification | X X X | No | Yes | P1 | The information system provides notification of failed automated security tests. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SI-6(3) | Security Functionality Verification | X X X | No | Yes | P1 | The organization reports the result of security function verification to designated organizational officials with information security responsibilities. |
| SI-7 | Software And Information Integrity | X X X | No | No | P1 | The information system detects unauthorized changes to software and information. |
| SI-7(1) | Software And Information Integrity | X X X | No | No | P1 | The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system. |
| SI-7(2) | Software And Information Integrity | X X | No | No | P1 | The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification. |
| SI-8 | Spam Protection | X X X X X X X X | No | No | P1 | The organization: a) Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and b) Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures. |
| SI-8(1) | Spam Protection | X X X X X X X | No | No | P1 | The organization centrally manages spam protection mechanisms. |
| SI-8(2) | Spam Protection | X X X X X X | No | No | P1 | The information system automatically updates spam protection mechanisms (including signature definitions). |
| SI-9 | Information Input Restrictions | X X X X X | Yes | Yes | P2 | The organization restricts the capability to input information to the information system to authorized personnel. |
| SI-10 | Information Input Validation | X X X X | No | No | P1 | The information system checks the validity of information inputs. |


| Cntl # | Control Name | Baseline marks (C/I/A/N at L/M/H, as extracted) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement |
|---|---|---|---|---|---|---|
| SI-11 | Error Handling | X X X X X | No | No | P2 | The information system: a) Identifies potentially security-relevant error conditions; b) Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and c) Reveals error messages only to authorized personnel. |
| SI-12 | Information Output Handling And Retention | X X X X X X X X X | Yes | Yes | P2 | The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. |
| SI-13 | Predictable Failure Prevention | X | No | Yes | P0 | The organization: a) Protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation; and b) Provides substitute information system components, when needed, and a mechanism to exchange active and standby roles of the components. |

Appendix C – NIST SP 800-53 Rev 4 Control Family Policies

EM sites may adopt the policies listed in this section or create their own policies to address the control policy requirements in NIST SP 800-53.

AC-1 Access Control

Purpose: The purpose of the AC control family is to ensure that only those who have been granted formal access to an IT system are able to access the system or its information. Access controls also allow the sites to detect, record and block would-be intruders.

Scope: The access control family must be implemented and monitored on DOE and contractor systems. These security controls provide protection of data through the use of access restrictions to local and remote systems, least privilege functionality, encryption for data in transit and data at rest, separation of duties, restrictions on the use of mobile devices, and session termination.

Roles: The Information System Security Officer (ISSO) and the System Administrators (SA) are key to the implementation of this control family and are tasked to ensure that proper access controls are implemented based on the NIST categorization level.

Responsibilities: The ISSO is to ensure that the controls are implemented by the SAs, work as expected, and provide adequate protection for DOE EM and contractor systems and data. (Refer to the roles and responsibilities section of the RMAIP.)

These controls are to be tested upon initial system authorization and then once every three years by an independent assessor as part of a continuous monitoring program. The controls should also be tested when any significant changes to access procedures or to the system are made.

Management Commitment: The site management must ensure that sufficient access controls are in place to protect the system and information based on the categorization level, potential for harm, and acceptable level of residual risk. The site management must provide the resources to implement, and must actively support the implementation of, HSPD-12 compliant logical access by 2012.

Coordination: The ISSO and SAs must coordinate to ensure that the proper level of access controls is in use throughout the site and is tested as part of the initial authorization and continuous monitoring program.

Compliance: The sites must comply with DOE orders, this RMAIP, and NIST Special Publications (SP) 800-46, 800-77, 800-94, 800-97, 800-113, 800-114, 800-121, and 800-124 (as modified).

AT-1 Awareness and Training

Purpose: This family of controls ensures that all personnel (users, administrators, security staff, and those with elevated privileges) are trained in the security policies and procedures relevant to their position. This control also means that no one should have access to a DOE network prior to having attended security awareness training. Similarly, individuals with elevated privileges must have additional training sufficient for them to carry out their security functions.

Scope: Training needs to extend from site management to user personnel within an organization. Training must be done annually to educate all personnel on emerging system and user exploits, risky behaviors (web and phishing), reporting of incidents and suspicious activity, and coordination with other groups that can benefit from lessons learned.


Roles: Training must be accomplished by DOE EM and contractor sites and cover three levels: (1) users, (2) SAs (system, database, and web), and (3) personnel with elevated access privileges. The ISSM is responsible for making sure all personnel are sufficiently trained. If the ISSO determines that training was not accomplished for the current year, the individual will be removed from access to DOE networks.

Responsibilities: The ISSO/ISSM must ensure that all individuals receive security training annually, as required by the site. The ISSO must make sure that all individuals utilizing DOE EM and contractor networks or systems processing EM data receive user awareness training prior to being granted access to the network.

Management Commitment: The site management must provide sufficient direction and emphasis to ensure that all site personnel are trained at least annually. Management must also make certain that records of training are maintained and kept current.

Coordination: The individual DOE EM sites must coordinate with the EM Cyber Security Program Manager (CSPM) for review and guidance on the depth and scope of their security awareness training. In addition, the EM CSPM must be consulted on elevated privilege training.

Compliance: All sites must meet appropriate DOE policy and RMAIP guidance to ensure sufficient and effective training of all personnel at all levels.

AU-1 Audit and Accountability

Purpose: Auditing is one of the critical methods to determine and document how effectively security controls are implemented, whether they are functioning as intended, and whether they are producing the expected results. Frequent audits ensure that security baselines are functioning correctly, are being patched, have authorized CCB upgrades installed, and are sufficient to meet new and emerging security threats and vulnerabilities.

Scope: All DOE EM sites must conduct timely audits of security controls to determine whether they meet NIST and DOE security requirements, federal laws, Executive Orders, and/or local regulations or statutes.

Roles: The ISSO/ISSM are responsible for setting up audits, monitoring performance, and providing guidance for corrective actions on audit findings. The ISSO/ISSM must keep the AO/AODR informed of audit findings, the potential impact of the findings, and the options for addressing them.

Responsibilities: The ISSO is the principal individual to formulate, implement, and monitor auditing reports. The ISSO is also the primary individual to establish the plans of action and milestones (POA&Ms) associated with corrective actions.

The ISSO and ISSM must define what is an auditable event, what information is to be recorded, how the events will be monitored and analyzed, where the information on the events will be stored and for how long, and what the response/process is for addressing audit failures.

The ISSO must ensure that policies, procedures and documents are updated annually to reflect audit weakness findings, and that corrective POA&Ms are put in place and followed.

Management Commitment: Site management must address any findings that could alter the level of residual risk accepted by the AO during the authorization process. Management must provide the personnel, resources and funding to address the POA&Ms produced by audits.

Coordination: The ISSO and ISSM must coordinate with the AO/AODR on findings, potential security impacts, and recommended solutions.

Compliance: The sites' auditing policies and procedures must meet NIST, DOE and RMAIP security requirements, and/or local regulations or statutes.

CA-1 Security Assessment and Authorization

Purpose: Authorization is the process of evaluating the security policies and procedures that protect an information system and the resulting level of acceptable risk (after safeguards have been applied to vulnerabilities). Authorization is an ongoing process to continually defend against emerging threats, system changes and insider actions. This control addresses the state of a system at a defined time and configuration.

This set of security controls is used by the AO to determine the acceptable level of residual risk and whether a system should have authority to operate (ATO).

Scope: Authorization is to be performed on all accreditation boundaries (systems or groups of systems) providing services to DOE EM or contractor sites that process, store, or communicate DOE EM data. Authorizations can be performed on a three-year cycle provided continuous monitoring is performed each year so that all the NIST/DOE security controls/requirements are covered over the three-year period. The AO may elect to re-authorize each individual accreditation boundary after a yearly continuous monitoring assessment, provided there is no significant increase in the acceptable level of risk.

Roles: Security authorization is the official management decision, conveyed through the authorization decision document, given by a senior organizational official or executive (i.e., the authorizing official) to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

The ISSO/ISSM must provide the resources to prepare for, assist in, and document the initial authorization process, continuous monitoring assessments and re-authorizations.


Responsibilities: Only the AO can sign/authorize a system for operation. The AODR is responsible for advising the AO on technical matters, providing recommendations and preparing for assessments. The ISSO/ISSM must provide the resources to prepare, the personnel to assist in assessments, and the documentation of continuous monitoring assessments or re-authorizations.

Management Commitment: The AO must ensure that sufficient resources and management guidance are provided to prepare, conduct, document, and remediate system flaws throughout the system development life cycle (SDLC). The AO must follow the DOE and NIST security requirements to provide protection commensurate with risk. The AO must ensure that all systems have an ATO prior to being connected to the network. The AO must ensure that the Risk Management Framework (RMF) and Risk Management Approach (RMA) are followed and that systems are in compliance with their provisions.

Coordination: The AO, AODR, ISSO, and ISSM must coordinate all authorization processes and continuous monitoring activities with site personnel.

Compliance: The AO must ensure that the RMF and RMA are followed and that systems are in compliance with their provisions.

CM-1 Configuration Management

Purpose: This control family is used to maintain the authorized system security configuration at the same level of residual risk as when it was authorized. Configuration management is necessary because of the inevitable hardware and software changes, approved baseline control modifications, and organizational changes that occur throughout all phases of the SDLC.

Scope: This control applies to all DOE EM or DOE EM contractor systems.

Roles: The ISSO, SAs, system owner, and CCB have the primary roles in configuration management.

Responsibilities: The ISSO must create security baseline configurations for workstations, servers, switches, routers, firewalls, databases, IDS/IPS, mobile, wireless, and web systems.

The ISSO or system owner must create, maintain, and monitor an inventory control system for system components.

The site organizations must establish and use a CCB to evaluate, test, and approve all major changes to the secure baseline configurations prior to implementing them on a system. The CCB must establish what is considered a major change to the security baseline and assess the security impact of such changes.


The ISSO/SA must build system components to the latest approved baseline configurations and monitor system compliance with these configurations on a regular basis.

The site must monitor its approved security baseline configurations to detect any changes, or improper changes, by inside or outside personnel.

The baseline configurations must provide the least functionality needed for the site personnel to accomplish their mission.

The site must perform periodic risk assessments to determine whether changes or emerging threats have created vulnerabilities.

Management Commitment: The sites' management must provide the resources for periodic risk assessments, configuration control boards, configuration management software, and a current list of equipment, components, software, and approved configuration changes to the security baselines for such equipment.

Coordination: The ISSO and ISSM must coordinate with the CCB, inventory control, procurement, and legal to ensure that security baseline specifications, federal checklists, approved CCB changes, patches and system authorization are in place prior to systems being placed online or after significant changes occur within a system.

Compliance: The site must comply with federal baseline checklists, security baseline builds, approved CCB changes, and procurement and legal regulations.

CP-1 Contingency Planning

Purpose: The contingency planning controls are meant to establish policies and procedures so that each site's systems can accomplish their DOE EM mission within the time periods specified by the business impact analysis (BIA). The organization's risk management strategy is a key factor in the development of the contingency plan policy/procedures.

Scope: The scope of this plan should address the minor to major incidents that disrupt, slow down, or halt the site's DOE EM mission/business functions.

Roles: The Contingency Plan Manager and CP team (assessment, activation, recovery, alternate site) members are to be identified by name and position with contact information.

Responsibilities: The CP Manager must make the CP activation decision based on information from the analysis team as to the extent of the damage.

The team members must be trained and must conduct bi-annual contingency exercises that realistically portray possible events.


Management Commitment: The site's management must provide the resources to staff, train, and conduct CP exercises. Where a BIA deems it necessary, management must provide the resources for an alternate operating site that meets the maximum allowable downtimes specified in the BIA.

Coordination: The site must ensure that all of the site's accreditation boundaries participate in staffing, conducting CP exercises, and CP training.

Compliance: The sites must comply with the provisions of the RMAIP, NIST SP 800-34 (as modified) and any state or local contingency requirements.

IA-1 Identification and Authentication

Purpose: This control is used to authenticate users or processes that are requesting access to local systems, networks, or remote networks. These controls must be accomplished by two-factor authenticators such as tokens, biometrics, or badge and PIN.

Scope: These security controls are pertinent to DOE EM personnel, contractors, or guests at DOE EM or contractor facilities. The sites must make provisions for HSPD-12 implementation by 2012.

Roles: Site Management, Program Managers, ISSO, ISSM, and SAs must make sure that access by individuals or processes follows approved policies and procedures and is periodically checked for current processing validity.

Responsibilities: The organizations' Program Management must participate in ensuring that individuals are assigned to the proper functional groups or have access to only those functions that are required for their roles and responsibilities (least privilege). The ISSO and ISSM must be part of the process to assign, review and approve access levels for individuals or system processes. Guest accounts must follow the same procedures and have limited access and a defined termination date.

Management Commitment: Site Management must ensure that issuance of authenticators and IDs follows the approved process, and that IDs are monitored and revoked upon termination, transfer, or organizational changes. Management is encouraged to perform these tasks by automated means.

Coordination: The Program Managers, ISSO, and SAs must coordinate their efforts to ensure that authenticators are issued properly, are needed, are currently valid, are terminated when no longer required, and provide least functionality.

Compliance: The site needs to comply with NIST FIPS 201 and use the following as guidance: SP 800-63, 800-73, 800-76, 800-78, and 800-100.

IR-1 Incident Response


Purpose: Incident Response controls are utilized to detect, analyze, prioritize, correct and restore system functionality after unauthorized or nefarious actions by external or internal personnel. These controls provide a process by which suspicious or actual unauthorized actions can be addressed to prevent further damage and infection of additional systems, and provide centralized reporting mechanisms.

Scope: Incident Response can be by system, accreditation boundary, or site, and must address DOE and contractor systems. All significant incidents must be shared and coordinated with other operating programs such as DOE JC3 and the United States Computer Emergency Readiness Team (US-CERT).

Roles: The organizations' CIO, program managers, IT/DBMS technical support staff, SAs, ISSO, and ISSM are responsible for developing incident response procedures, monitoring and tracking incidents, and conducting incident exercises and training.

Responsibilities: The appointed Computer Security Incident Response Team(s) (CSIRTs) and the ISSO/ISSM are responsible for creating policies and procedures that will detect, analyze, prioritize and restore system functions to normal.

Management Commitment: The organizations' management must provide the resources, personnel, and necessary training and exercises to produce an effective incident response capability that meets DOE JC3 and US-CERT standards. These policies and procedures will enable sites to meet their DOE mission parameters. Management must coordinate incident information with other operating groups (DOE JC3 and US-CERT) in a timely and correctly formatted report.

Coordination: The organization must coordinate all confirmed incidents with its other operating groups, such as DOE JC3 and US-CERT, as appropriate.

Compliance: The sites must comply with their defined IR procedures, the RMAIP, US-CERT, and local law enforcement policies.

MA-1 Maintenance

Purpose: The purpose of this control is to prevent the intentional or unintentional changes resulting from system maintenance or maintenance personnel that could weaken the secure baselines, grant unauthorized access/changes, or cause damage to the systems. These controls also ensure that the systems are maintained at the current level of security baselines, repairs, patches, and approved CCB changes.

Scope: This control covers all DOE EM site contractor or vendor maintenance personnel. This control family also covers remote maintenance services, whether performed by DOE, site contractor, or vendor personnel.

Roles: The ISSO is primarily responsible for these procedures, in addition to monitoring and documenting them.


Responsibilities: The ISSO must create policies and procedures to perform standard hardware and software maintenance, monitor system changes, perform oversight of site/remote maintenance processes, and document all results. The ISSO must test all significant changes to ensure they have not changed the system's security posture. Further, the ISSO must ensure that maintenance tools do not alter the system's security.

Management Commitment: The organizations' management must provide sufficient resources to ensure that site hardware, software, and other electronic components are identified, catalogued, monitored, maintained, and documented. These efforts will ensure that the latest security baselines, patches, and equipment repairs do not alter or make vulnerable the secure state of the systems or electronic components.

Coordination: The ISSO must coordinate the schedule for equipment repairs, patching, baseline builds, security testing, and monitoring of the security impact of any and all changes. The ISSO must determine whether site maintenance or vendor tools may be used on the equipment.

Compliance: The sites must comply with the RMAIP.

MP-1 Media Protection

Purpose: This control is used to secure the handling, processing, data-at-rest storage requirements, and transport of sensitive information on both electronic and hard copy items.

Scope: This control applies to all DOE EM site personnel, on-site contractors, personal computers, telephonic and videoconference services, and site assessors. This control applies to all unclassified, NSS, PII and appropriate/designated contractor material.

Roles: The ISSO, information owner, and EM CSPM all share responsibility for this control.

Responsibilities: The ISSO must develop a list of sensitive materials, their sensitivity levels, and their system location. The ISSO must put in place access controls, least privilege functions, access monitoring, and alerting on inappropriate or unauthorized access, processing, printing, or copying of such sensitive materials. Encryption techniques must be used on PII and information of higher sensitivity. The ISSO must ensure that sensitive information removed from the facility is logged, monitored, and encrypted. The site will institute measures to actively monitor the transfer or copying of sensitive information onto mobile devices of any kind. The ISSO must ensure that, once media is no longer needed for its appropriate use (end of life), it is securely erased and verified clean, or destroyed.

Management Commitment: The organizations' management must ensure that security processes for handling and marking electronic, hard copy, and removable media are in place and enforced. Management must ensure that the necessary mechanisms to inventory, track, mark, and monitor mobile or hard copy sensitive data, including its destruction, are in place.

Coordination: The ISSO must coordinate with the information owner to determine the sensitivity of information. The site must coordinate with all project groups to ensure that the sensitive-media safeguard policies, procedures, and notifications are followed.

Compliance: All media must be appropriately identified, marked, and handled in accordance with DOE policies, this RMAIP, and NIST SP 800-88 (as modified), Guidelines for Media Sanitization.

PE-1 Physical and Environmental

Purpose: This security control is meant to provide the policies and procedures for protective measures employed by physical and environmental safeguards at the site. The controls address access, environmental safeguards for IT equipment, alternative work sites, and delivery/removal of equipment.

Scope: These controls apply to all DOE EM or contractor-run sites. All accreditation boundaries within a site must provide these physical and environmental safeguards.

Roles: Human Resources, Security and IT personnel are involved in these controls.

Responsibilities: The organizations' HR department is responsible for the processes that involve personnel procedures to verify, issue, monitor, and revoke badge access. The organizations' security personnel will be responsible for access and visitor control, including credential verification, recording, monitoring, and escort information. The IT staff must provide secure access to IT rooms, environmental (HVAC and water) monitoring, and cabling protection.

Management Commitment: Management will be responsible for coordinating the policies and processes to guarantee that personnel access controls, environmental protections, and IT controls are in place and operating.

Coordination: The ISSO and ISSM must coordinate with HR, IT, and Security staffs to make sure that the controls are implemented, correct, and producing the required results in all the physical sites and accreditation boundaries.

Compliance: The site must ensure that it meets all appropriate DOE policy, RMAIP, and local laws and requirements for physical and environmental codes.

PL-1 Planning

Purpose: Security planning addresses the adequacy of security controls to provide risk-based levels of safeguards for the confidentiality, integrity, and availability of the site's personnel, mission data, PII and IT equipment. These controls encompass management, operational, and technical safeguards to adequately meet the site's acceptable level of risk. This security planning information is captured in the system security plan (SSP).

Scope: Planning applies to all DOE EM sites and contractor sites. In general, any accreditation boundary that collects, generates, processes, stores, or communicates DOE EM data is subject to this control.

Roles: The ISSO, AODR and AO all share responsibility for this control.

Responsibilities: The ISSO is responsible for the creation, implementation, and update of the security controls planning document (SSP). The AO or AODR needs to review and approve the SSP based on acceptable levels of risk, mission requirements, and the NIST Risk Management Framework.

Management Commitment: The sites' management must ensure that each accreditation boundary has the requisite SSP. Management must also ensure that it meets the intent of NIST's Risk Management Framework and the Systems Development Life Cycle. Management must enforce the policies and procedures required for security planning.

Coordination: The ISSO must coordinate with all site personnel, the AODR, and the AO in the compilation, execution, update, and documentation of the SSP.

Compliance: The site needs to comply with all applicable DOE Orders, OMB Memorandum 03-22, and NIST SP 800-18 (as modified) requirements.

PS-1 Personnel Security

Purpose: This control family applies to position categorization, background screening, clearances, termination, transfer and access agreements, and personnel sanctions. This control family is vital to preventing unwanted insider violations. It is also essential for personnel with elevated privileges.

Scope: This control applies to all DOE EM and contractor personnel that have access to DOE EM systems, networks, and data.

Roles: The ISSO, Program Managers and HR all share responsibility for this control.

Responsibilities: The sites' HR must create a position categorization that includes a position description, tasking, level of access (least privilege), background investigation levels, clearances, and termination and transfer checklists for all personnel. The ISSO must coordinate with the Program Managers and HR to validate that all these functions are correct and complete prior to granting access to the network and DOE EM data. Any personnel transfers or terminations must be immediately reported to the ISSO.


Management Commitment: Site management must ensure that position descriptions, levels of background investigation (screening), and personnel actions (terminations, transfers, and sanctions) are in compliance with the site's personnel security requirements.

Coordination: The sites' HR, Program Managers, and the ISSO must coordinate to make sure that all these requirements are in place and met prior to granting any individual access to DOE EM networks or data.

Compliance: The ISSO and ISSM must make sure that all the sites' personnel procedures are adhered to prior to granting access to DOE EM data or networks.

RA-1 Risk Assessment

Purpose: The purpose of a risk assessment is to ensure that in-place security controls are implemented correctly, operating as intended and producing the correct output to protect the system, data and personnel. The risk assessment family of controls evaluates vulnerabilities, threat sources, and security controls planned or in place to determine the level of residual risk (acceptable risk) posed to organizational operations and assets, individuals, and other organizations by the operation of the information system. The controls selected must be commensurate with the risk, likelihood, and impact of potential harm.

Scope: Risk assessments (either formal or informal) are to be conducted by all DOE EM sites or contractor-operated sites using the DOE RMA and NIST RMF, including: information system categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.

Roles: The AO, AODR, ISSO, ISSM, system owner, and information steward all share responsibility for this control.

Responsibilities: The ISSO and system owner must create a risk assessment strategy that takes into consideration the magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. The ISSO must perform periodic risk assessments and scans to determine whether component (hardware or software), organizational, or environmental changes, or emerging threats, have created new vulnerabilities.

The AO/AODR must review and approve the risk assessment strategy, testingmethodology, and risk assessment results (acceptable level of risk).

Management Commitment: The organizations’ management must make sure that riskassessments are conducted.

Page 255: Contractor Requirements Document (Supplemented) Form · requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities. Applicability This

________________________________________________________________________

________________________________________________________________________DOE EM RMAIP Version 5.1

254 of 266

Coordination: The ISSO must coordinate with the system owner and information steward on the sensitivity of data and the level of protection required.

Further, the ISSO must coordinate the risk strategy with all interconnected site boundaries and sub-boundaries.

Compliance: The sites must comply with the provisions of appropriate DOE policy, RMAIP, and NIST 800-30 (as modified).

SA-1 System and Services Acquisition

Purpose: The purpose of this family of controls is to ensure that sufficient resources are allocated for the site to follow the SDLC (initiation through termination) for system components, including: ensuring that security requirements are defined in procurement terms and conditions, that software licenses are not exceeded, that software developers incorporate security practices when developing programs, and that users are not allowed desktop installation privileges.

Scope: This family applies to all DOE procurements for site or contractor purchases.

Roles: This is a collaborative effort between purchasing, contracts, and the ISSO.

Responsibilities: The ISSO and ISSM must ensure that any specific security requirements, enterprise architecture needs, checklist conformance certificates, documentation, and license conditions are incorporated in system component procurements.

Contracts and purchasing must create, document, and maintain the minimum terms and conditions for procurement of system components. These groups must coordinate with the ISSO for review prior to issuing any system components.

Management Commitment: The site manager must ensure that sufficient funding is available to support the system accreditation boundary from initiation to shutdown. This includes a line item in the yearly budget for security operations. Site management must ensure that all operating groups follow the same procurement and security rules.

Coordination: The ISSO, contracts, and purchasing groups must coordinate on all system component purchases to make sure they meet the security specifications, terms and conditions, and conformance clauses.

Compliance: The site and individual operating groups must comply with all procurement and legal terms and conditions when procuring system or network components.


SC-1 System and Communication Protection

Purpose: This control family is meant to address system and network policies and procedures. Its intent is to provide "defense in depth" for both systems and networks. This approach provides safeguards within safeguards to make unauthorized access, use, or modification of system or network operations more difficult.

Scope: The SC family of controls applies to all DOE EM and contractor systems that contain or have access to DOE EM networks or data.

Roles: The ISSO and SAs share responsibility for this control.

Responsibilities: The ISSO and SAs must implement, monitor, and periodically test the controls for system protection (application partitioning, security function isolation, denial of service (DoS) protection, mobile code, public access protection, DNS protection, data at rest protection) and network security protection (boundary protection, transmission confidentiality, cryptographic functions, collaborative computing devices, and VoIP).

Management Commitment: The organizations' management must ensure that procedures, resources, and personnel are available to implement both system and network security protection mechanisms.

Coordination: The ISSO must coordinate with all accreditation boundaries to ensure the system and network controls are in place, functioning, and meeting the requirements.

Compliance: The sites must comply with appropriate DOE policy, RMAIP, NIST FIPS 199 and 200, and guidance in NIST SP 800-52, 800-58, 800-77, and 800-81 (as modified).

SI-1 System and Information Integrity

Purpose: This family of controls is about discovering, preventing, repairing, monitoring, and correcting vulnerabilities and threats within the sites' systems and networks.

Scope: The SI family of controls applies to all DOE EM and contractor systems and their associated accreditation boundaries.

Roles: ISSO and SAs

Responsibilities: The ISSO and SAs must design, implement, and monitor procedures for malicious code protection and monitoring, flaw remediation, security alerting, spam protection, error handling, and input verification and validation.

Management Commitment: Site management must implement the system and information integrity protections stated in the SSP.


Coordination: The ISSO must coordinate with all SAs to ensure that all accreditation boundaries follow the necessary procedures for system and information integrity.

Compliance: All DOE EM and contractor systems must comply with appropriate DOE policy, RMAIP, and NIST SP 800-40 (as modified).

PM-1 Program Management

FISMA requires organizations to develop and implement an organization-wide information security program to address information security for the systems and information that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source.

Purpose: The PM family of controls focuses on the organization-wide information security requirements that are independent of any particular information system and yet are essential for managing information security programs. These security controls are implemented, monitored, and tested at the division or agency level. Some portion of these controls will require the subordinate groups to provide "roll up" information. The subordinate groups must be responsible for providing the requisite information.

Scope: The organization must document program management controls in the information security program plan (or similar document). The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program cover the totality of security controls employed by the organization.

In addition to documenting the information security program management controls, the security program plan provides a vehicle for the organization to document, in a central repository (eGov RPM), all security control implementation, testing, authorization, and compliance. The reporting organization must be responsible for supplying and updating information in the eGov RPM system.

Roles: Organizations specify the individuals within the organization responsible for the development, implementation, assessment, authorization, and monitoring of the information security program management controls. At a minimum, these must be the senior agency information security officer, risk executive, AO (may be designated), and each divisional level CSPM.

Responsibilities: The information security program management controls and program management common controls contained in the information security program plan are implemented, assessed for effectiveness, and authorized by a senior agency or organizational official with the same or similar authority and responsibility for managing risk as the authorizing officials for information systems. This individual will have mission, monetary, and resource control. Further, this person will be responsible for setting acceptable levels of risk.


POA&Ms must be developed and maintained for the program management and common controls that are deemed through assessment to be less than effective. Information security program management and common controls are also subject to the same continuous monitoring requirements as security controls employed in individual organizational information systems.

Management Commitment: The organization's management must appoint a senior agency information security officer, provide information resources and documentation (Exhibits 300 and 53), maintain a POA&M database, establish and maintain inventory control, develop and maintain security performance metrics, establish a mission critical infrastructure plan, and provide a risk management strategy, a defined security authorization process, and a mission/business process definition.

Coordination: The organization will be responsible for the coordination of program management by distributing the necessary program management documentation, training as appropriate, and monitoring agreed upon security controls and procedures for compliance and effectiveness. The program management group must coordinate with subordinate groups to ensure they are aware of, have implemented, are compliant with, and provide the required "roll up" information for program management requirements.

Compliance: The agency and associated divisions must comply with NIST FIPS 199 and 200 as well as NIST SP 800-53 (as modified), Appendix G, Information Security Programs.

Appendix D – EM Contractor Requirements

EM contractors are required to comply with requirements set forth in DOE O 205.1B, Chg. 2, Department of Energy Cyber Security Program, Attachment 1, Contractor Requirements Document (CRD). A Contractor-developed Risk Management Approach must be consistent with the requirements of this RMAIP.

Suggested Metrics for Fee Determination

Contracting Officers should work with site IT/cyber security personnel to develop metrics for fee determination consistent with DOE's fee policies and the terms of a subject contract. This table is not mandatory but could be used to help develop and include any additional metrics based on site specific requirements.

Table columns: Requirements; Below Expectations; Meets Expectations; Exceeds Expectations.

General (unless otherwise noted, the following incentives or disincentives must be applied; the contracting officer has the flexibility to adjust the rates/fees on a contract by contract basis):
  Below expectations: Reduce fee by 1-2%.
  Meets expectations: No change to fee.
  Exceeds expectations: Increase fee by 0.25%.

Type I:
  Below expectations: Incidents are not reported upon occurrence. Reduce fee by 10-15%.
  Meets expectations: Incidents are reported as required. No change to fee.
  Exceeds expectations: A reported incident is proven to prevent a similar incident at another DOE site. Increase fee by 0.5%.

Type II:
  Below expectations: Incidents are not reported upon occurrence.
  Meets expectations: Incidents are reported as required.
  Exceeds expectations: A reported incident is proven to prevent a similar incident at another DOE site. Increase fee by 0.25%.

Protected PII:
  Below expectations: Incident is not reported upon occurrence as required. Reduce fee by 2-3%.
  Meets expectations: Incidents are reported as required.
  Exceeds expectations: Protected PII is detected and prevented from leaving the site. Increase fee by 0.5%.

Overdue POA&Ms:
  Below expectations: Reduce fee by 1-2%.
  Meets expectations: No change to fee.
  Exceeds expectations: N/A

User Awareness Training 1:
  Below expectations: Less than 90% of users trained annually.
  Meets expectations: 100% of users trained annually.
  Exceeds expectations: 100% of users trained semi-annually. Increase fee by .5% up to $50K max/year.

User Access:
  Below expectations: Users are provided access to the network before completing training.
  Meets expectations: Users are provided access to the network after completing user training.
  Exceeds expectations: Users are provided access to the network after completing user training. Completion of the training requires users to successfully pass a contractor-developed test. Increase fee by .5% up to $50K max/year.

Privileged Users Awareness Training:
  Below expectations: 100% of privileged users are trained annually. At least 25% hold a current industry recognized certification.
  Meets expectations: 100% of privileged users are trained annually and 33% hold a current industry recognized certification.
  Exceeds expectations: 100% of privileged users are trained annually and 66% hold a current industry recognized certification.

Maintaining eGov RPM:
  Below expectations: Documents not uploaded into the system or not updated at least bi-annually. Updates should be noted in the record of changes. Modified documents should be re-uploaded into the system.
  Meets expectations: Documents are uploaded at least bi-annually into the system. No change in fee.

Patching:
  Below expectations: Patches are older than 30 days from release/notice.
  Meets expectations: Patches are installed between 11 and 30 days from release/notice.
  Exceeds expectations: Patches are installed less than 10 days from release/notice.

Maintaining Baseline Configurations – OS (FDCC for Windows XP/VISTA/Win7):
  Below expectations: Less than 85% of all systems use the standard baseline configuration without deviation.
  Meets expectations: 85% of all systems use the standard baseline configuration without deviation.
  Exceeds expectations: 100% of applications operate without deviation to any baseline configuration settings.

Maintaining Baseline Configurations – Apps:
  Below expectations: Less than 85% of all applications use the recommended security baseline configuration settings.
  Meets expectations: 85% of all applications use the recommended security baseline configuration settings.
  Exceeds expectations: 100% of all applications use the recommended security baseline configuration settings.

Maintaining a System Inventory:
  Below expectations: No inventory of major IT hardware and software exists.
  Meets expectations: An up-to-date inventory of major IT hardware and software exists.
  Exceeds expectations: A real-time or near real-time automated inventory of major IT hardware and software exists.

Government Provided Enterprise Solutions & Site Assessments – The contractor is to cooperate in the deployment of Government provided enterprise solutions for the purposes of protecting IT resources and all Site Assessments:
  Below expectations: Contractor does not cooperate with the deployment. Reduce fee accordingly or take other appropriate actions.
  Meets expectations: Full cooperation. No change in fee.

Sharing of infrastructure and IT solutions – The contractor is to cooperate with other EM support contractors in the development and deployment of IT solutions in order to save energy and funding:
  Below expectations: Contractor does not cooperate. Reduce fee by 5%.
  Meets expectations: Full cooperation.
  Exceeds expectations: Increase fee as determined by the contracting officer.

Definitions:

Below expectations – The rating assigned to a contractor that has failed to meet any of the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager.


Meets expectations – The rating assigned to a contractor that has met the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager.

Exceeds expectations – The rating assigned to a contractor that has exceeded the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager and has not had a below expectations rating within the last two years.


Appendix E – NIST 800-27 Rev A Engineering Principles

This appendix is guidance to enable sites to comply with NIST 800-53 Rev 4, control SA-8, Engineering Principles. In the table, one check mark signifies that the principle can be used to support the life-cycle phase, and two check marks signify that the principle is key to successful completion of the life-cycle phase.

Table columns: Principle; Initiation; Devel/Acquis; Implement; Oper/Maint; Disposal.

Does your organization perform any of the following principle activities during any part of the system development life cycle phases listed above? If yes, highlight the appropriate box for the corresponding phase yellow; otherwise leave it blank.

1 Establish a sound security policy as the "foundation" for design
2 Treat security as an integral part of the overall system design
3 Clearly delineate the physical and logical security boundaries governed by associated security policies
4 (formerly 33) Ensure that developers are trained in how to develop secure software
5 (formerly 4) Reduce risk to an acceptable level
6 (formerly 5) Assume that external systems are insecure
7 (formerly 6) Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
8 Implement tailored system security measures to meet organizational security goals
9 (formerly 26) Protect information while being processed, in transit, and in storage
10 (formerly 29) Consider custom products to achieve adequate security
11 (formerly 31) Protect against all likely classes of "attacks"
12 (formerly 18) Where possible, base security on open standards for portability and interoperability
13 (formerly 19) Use common language in developing security requirements
14 (formerly 21) Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process
15 (formerly 27) Strive for operational ease of use
16 (formerly 7) Implement layered security (ensure no single point of vulnerability)
17 (formerly 10) Design and operate an IT system to limit damage and to be resilient in response
18 (formerly 13) Provide assurance that the system is, and continues to be, resilient in the face of expected threats
19 (formerly 14) Limit or contain vulnerabilities
20 (formerly 16) Isolate public access systems from mission critical resources (e.g., data, processes, etc.)
21 (formerly 17) Use boundary mechanisms to separate computing systems and network infrastructures
22 (formerly 20) Design and implement audit mechanisms to detect unauthorized use and to support incident investigations
23 (formerly 28) Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability
24 (formerly 9) Strive for simplicity
25 (formerly 11) Minimize the system elements to be trusted
26 (formerly 24) Implement least privilege
27 (formerly 25) Do not implement unnecessary security mechanisms
28 (formerly 30) Ensure proper security in the shutdown or disposal of a system
29 (formerly 32) Identify and prevent common errors and vulnerabilities
30 (formerly 12) Implement security through a combination of measures distributed physically and logically
31 (formerly 15) Formulate security measures to address multiple overlapping information domains
32 (formerly 22) Authenticate users and processes to ensure appropriate access control decisions both within and across domains
33 (formerly 23) Use unique identities to ensure accountability


Appendix F – Sanitization and Disposal of Media and Mobile Devices

Sanitization

Unclassified Removable Media

Removable media requires sanitization prior to removal from an EM site and prior to the government relinquishing title to the media when the media will be used again in other environments (e.g., donations to schools or other charitable organizations, returning equipment to vendors after a trial).

If the media contained classified information, then the media must be destroyed in accordance with this RMAIP and applicable law and/or DOE policy, directive, or guidance. The Committee on National Security Systems Policy No. 26 (CNSSP No. 26) requires that removable media be marked or labeled with the highest security classification of any system into which the media has been inserted. Because data on electronic media may be hidden (obfuscated), it is prohibited to transfer files from an NSS system thought to be unclassified to removable media and then declassify the media based on the viewable contents of the files transferred. All media that has been inserted in the NSS for any reason must be marked and handled at the same classification as the NSS.

Approved methods of sanitization:

Degaussing magnetic media
Running a wipe program such as BCWipe at least three times

Approved methods of destruction:

Shredding
Grinding the surface
Degaussing magnetic media and then breaking the media into small pieces

Mobile Devices

Mobile devices that do not contain magnetic storage (e.g., BlackBerries, cell phones) may be wiped with a site-approved product designed for this purpose and then be excessed or donated by the site. Testing of electronic storage has proven that wiping is an effective means to ensure data cannot be obtained from the device once the process has been performed.

Laptops, if utilizing an approved full disk encryption solution, may also be wiped and excessed or donated by the site. If the laptop is known to have held classified information, then the disk must be destroyed prior to the laptop being excessed or donated.


Classified Media

Clear all storage media that will be reused on a different system for the same or a more restrictive Information Group, or by a potential user that has a different Need-to-Know.

Use only overwriting software and hardware that are compatible with the media to be overwritten.

Protect cleared storage media that has been used in classified processing commensurate with the highest Information Group (i.e., classification level and category of information) it has ever contained. The media must be handled in accordance with applicable DOE Classified Matter Protection and Control processes.

Purge classified storage media that will be reused in a less restrictive Information Group.

Destroy classified storage media that cannot be purged.

Identify the reuse of classified storage media in the SSP of the system where the media is used and track/control the media until it is purged or destroyed.

Individuals performing purging of classified storage media planned for reuse must certify that the process has been successfully completed by affixing a label to the storage media. At a minimum, the label must document:

a. Storage media serial number, make, and model
b. Most restrictive Information Group hosted prior to purging
c. Purpose of purging
d. A statement that the storage media contains no classified information
e. The procedure used
f. The date, printed name, and signature of the certifier

Destruction

All media used in the classified program, or known to have contained sensitive information in significant quantity, must be destroyed before leaving an EM site when at its end of life. The preferred method is to wipe and then destroy, if possible.

Approved methods of destruction:

Degaussing of drives
Sanding the surfaces
Shredding
Grinding into fine particulate
Burning


Acronym List

AA  Application Administrator
AO  Authorizing Official
AODR  Authorizing Official Designated Representative
ATO  Authority to Operate
BIA  Business Impact Assessment
C&A  Certification and Accreditation
CA  Certification Agent
CAO  Continuous Authorization to Operate
CCB  Change Control Board
CI  Counter-Intelligence
CIA  Confidentiality (C), Integrity (I), and Availability (A)
CIO  Chief Information Officer
CM  Continuous Monitoring
CNSS  Committee on National Security Systems
CNSSP No. 26  The Committee on National Security Systems Policy No. 26
CO  Contracting Officer
CPU  Central Processing Unit
CSIRTs  Computer Security Incident Response Team(s)
CY  Calendar Year
DBA  Database Administrator
DHS  Department of Homeland Security
DNS  Domain Name System
DNSSEC  Domain Name System Security Extensions
DOE  Department of Energy
eGov RPM  eGov Risk Portfolio Manager™
EM  Office of Environmental Management
EMCSPM  EM Cyber Security Program Manager
FedRAMP  Federal Risk and Authorization Management Program
FIPS  Federal Information Processing Standards
FISMA  Federal Information Security Management Act
FRD  Formerly Restricted Data
FY  Fiscal Year
HQ  Headquarters
HQSS  Headquarters Security System
HSPD  Homeland Security Presidential Directive
ICS  Industrial Control Systems
IEEE  Institute of Electrical and Electronics Engineers
IMC  Information Management Conference
IP  Implementation Plan
IPv6  Internet Protocol Version 6
ISM  Industrial, Scientific, and Medical
ISP  Internet Service Provider
ISSM  Information System Security Manager
ISSO  Information System Security Officer


IT  Information Technology
JC3  DOE Joint Cybersecurity Center
LMH  Low (L), Moderate (M), and High (H)
MIPP  Mission Information Protection Program
MTD  Maximum Tolerable Downtime
NDA  Network Device Administrator
NIST  National Institute of Standards and Technology
NSS  National Security Systems
OMB  Office of Management and Budget
PII  Personally Identifiable Information
PIV  Personal Identity Verification
PM  Program Management
POA&M  Plan of Action and Milestones
PSO  Project Security Officer
PSP  Program Security Plan
RA  Risk Assessment
RD  Restricted Data
RE  Risk Executive
RMA  Risk Management Approach
RMAIP  Risk Management Approach Implementation Plan
RPO  Recovery Point Objective
RTO  Recovery Time Objective
SAR  Security Assessment Report
SDM  Senior DOE Management
SP  Special Publications
ST&E  Security Test and Evaluation
SSP  System Security Plan
CUI  Controlled Unclassified Information
TFNI  Transclassified Foreign Nuclear Information
UCNI  Unclassified Controlled Nuclear Information
US-CERT  US-Computer Emergency Response Team
VPN  Virtual Private Networking
WAN  Wide Area Networking
WIDS  Wireless Intrusion Detection System