
STATE OF MICHIGAN
Michigan Department of Education
Name of Application

Information Technology
Project Security Plan & Assessment

Prepared by:    Date:

Lifecycle Stage: Initiation & Planning | Requirements Definition | Functional Design | System Design | Construction | Testing | Implementation | Operations/Maintenance | Disposal

MCS USE ONLY: C | I | A | Total Score

This document is for official use only. This document must be handled in a confidential manner at all times. Distribution and/or reproduction of this document outside the intended and approved use is strictly prohibited.

DTMB-0170 1 of 119

Page 2: STATE OF MICHIGAN - Local Michigan Procurement ... · Web viewDTMB’s Office of Michigan Cyber Security provides MOST (Michigan Online Security Training) which targets and provides

Table of Contents

Revision History ... 3
1.0 Introduction ... 4
1.1 Resource Roles and Responsibilities ... 4
2.0 Overview ... 4
3.0 Initiation and Planning Stage ... 4
3.1 Purpose ... 4
3.2 Laws, Regulations, DTMB and/or Agency Security Policies, Standards and Procedures ... 5
3.3 Data classification ... 6
3.4 System and Information Security Level (Low, Moderate, High) ... 7
4.0 IT Business/Security Requirements Stage ... 8
5.0 Functional and System Design Stage ... 9
5.1 Hardware this system/application will be utilizing ... 11
5.2 Other Systems or Applications serviced by this hardware ... 11
5.3 Describe the function of the system/application and the information processed for each server utilized in this project ... 11
5.4 Security Control Groups Implemented in the Project ... 12
5.5 Infrastructure/Network Diagram ... 67
5.6 Data Flow Diagram ... 68
6.0 Security Analysis (To be completed by MCS Security Liaison) ... 69
7.0 Sponsors and Stakeholders ... 76
8.0 Approvals ... 77
Appendix A - System and Information Security Level Matrix ... 78
Appendix B: NIST 800-53 Controls ... 82


Revision History

Name | Date | Reason for Change | Version


1.0 Introduction

This document serves as documentation of the structured process of planning adequate, cost-effective security protection for a system. This document contains detailed technical information about the system, its security requirements, and the controls implemented to provide protection against its risks and vulnerabilities. This document should be handled and controlled as a sensitive document. This document is submitted to obtain a formal security sign off from the sponsors. The lack of sign-off may prevent the security elements of this project from proceeding to production.

1.1 Resource Roles and Responsibilities

Completed DTMB Form PMM-02, Project Charter

Organization | Name | Role | Responsibility

2.0 Overview

3.0 Initiation and Planning Stage

This is the first stage in the lifecycle of the project. This stage involves the establishment of a need for a new system or enhancements to an existing system, the data that is being collected or handled, and which policies or standards need to be addressed in the design phase. This stage will also classify the data handled by the project based on Federal NIST Guidelines.

3.1 Purpose


3.2 Laws, Regulations, DTMB and/or Agency Security Policies, Standards and Procedures

The State of Michigan information is a valuable asset that must be protected from unauthorized disclosure, modification, use, or destruction. Prudent steps must be taken to ensure that its integrity, confidentiality, and availability are not compromised. Laws, regulations, policies, standards and procedures have been developed to provide a secure environment for developing, implementing, and supporting information technology and systems. The system must comply with all applicable laws, both state and federal, and any additional regulations and guidelines established by MDE or DTMB. Below is a list of some of the applicable laws, regulations, policies, standards and procedures many systems must comply with. This is not an all-inclusive list:

Identity Theft Protection Act, Act 452 of 2004, as amended
Social Security Number Privacy Act, Public Act 454 of 2004, as amended
PCI (Payment Card Industry) Data Security Standards
Publication 1075 – Tax Information Security Guidelines for Federal, State and Local Agencies

DTMB Policies, Standards, Procedures
1305 SOM Enterprise Information Technology Policy
1325 Information Technology Security Awareness Policy
1335 Information Technology Access Control Policy
1335.00.20 Active Directory Password Standard
1340 Information Technology Information Security Policy
1340.00.01.02 How to Handle a Breach of Personal Identifiable/Sensitive Information
1340.00.03 DTMB Server Security Operational Standard
1340.00.06 Storage of Sensitive Information on Mobile Devices & Portable Media
1340.00.07 Electronic Data Encryption
1345 Information Technology Network and Infrastructure Policy
1345.00.50 Server Management Standard
1345.00.50.06 File Integrity Monitoring Procedure
1350.10 Authentication Requirement for Access to Network, Systems, Computers, Databases, and Applications
1350.20 Authorization Access to Data Sources
1350.40 Access Control Criteria for Data Sources
1350.90 Secure Disposal of Installed & Removable Digital Media
1355 Project Management Methodology Policy
1360 Systems Engineering Methodology Policy
1365 Information Technology Product Standards, Adoption, Acquisition, Development, and Implementation
1370 Information Technology Configuration Management
1370.00.01 Enterprise Change Control Process Standard
1390 Information Technology Continuity of Business Policy
1410.17 Michigan State Government Network Security Policy
1460 IT Resources, Acceptable Use


3.3 Data classification

Protecting the confidentiality, integrity, and availability of customer and personal information, records and transactions is critical to the State of Michigan. State of Michigan considers all customer information confidential, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed. All State of Michigan staff share in the responsibility to the citizens of Michigan and customers, to ensure that the appropriate procedures and controls are implemented and that information security remains a constant priority.

The data being collected, transmitted and stored within the application (e.g., name, date of birth, driver’s license number, credit card number) is personal information (PI) or personal identifying information (PII) as defined in the Identity Theft Protection Act (PA 452 of 2004). Personal information and personal identifying information are defined as follows:

Identity Theft Protection Act: “Personal information” means the first name or first initial and last name linked to 1 or more of the following data elements of a resident of this state:

(i) Social security number.
(ii) Driver license number or state personal identification card number.
(iii) Demand deposit or other financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident’s financial accounts.

“Personal identifying information” means a name, number, or other information that is used for the purpose of identifying a specific person or providing access to a person's financial accounts, including, but not limited to, a person's name, address, telephone number, driver license or state personal identification card number, social security number, place of employment, employee identification number, employer or taxpayer identification number, government passport number, health insurance identification number, mother's maiden name, demand deposit account number, savings account number, financial transaction device account number or the person's account password, stock or other security certificate or account number, credit card number, vital record, or medical records or information.

All information collected, processed, stored on or transmitted over State of Michigan computer systems and networks will be treated as a State of Michigan asset. It is the responsibility of DTMB and MDE to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse or theft of personal information.

The management and staff of DTMB and MDE will operate on the security principle of “that which is not explicitly allowed is explicitly denied.” Attempts by anyone to access, monitor, use or share information that is not explicitly allowed to them will be considered a security violation.

PI/PII being collected, processed, stored, and/or transmitted is as follows:

Data Element | Data Element Description | Encrypted in Transmission | Encrypted in Storage


3.4 System and Information Security Level (Low, Moderate, High)

The System and Information Security Level Matrix (see Appendix A for guidelines pertaining to data classification) is used to determine the overall security level categorization of your information, application, and the interconnectivity of other systems used by your application. This categorization will determine the appropriate security controls that need to be implemented. Your Security Liaison can assist you. (This system categorization is based on FIPS Publication 199 and NIST 800-60 ver. 2.0)

Category | Application/Data (Classification of data handled by this project/application) | Systems* (Classification of data handled by other applications that are also installed on this server hardware) | Overall Security Level
Confidentiality | Moderate | Moderate | Moderate
Integrity | Moderate | Moderate | Moderate
Availability | Moderate | Moderate | Moderate

Based on the System and Information Security Level Matrix, the “Overall Security Level” categorization of your application system has been rated a “moderate” in regards to Confidentiality, Integrity, and Availability risk.

* This rating is based on the most sensitive information.


4.0 IT Business/Security Requirements Stage

The primary goal of this stage is to identify the security requirements for the project. These security requirements become the initial baseline for product design and a reference for determining whether the completed product performs as the system owner requested and expected. All system security requirements (e.g., software, hardware, performance, functional, infrastructure, etc.) should be evaluated and included in the requirements gathering process.

NIST Special Publication 800-53 was selected as the baseline of minimum security controls to protect the system and its information, with tailoring guidance applied as necessary. These detailed security controls are contained in Appendix B of this document.

The required security controls for this application are based on the previous section’s Data Classification (section 3.3)/System and Information Categorization (section 3.4) “Overall Security Level” (Low, Moderate, and High).

1. If this application is determined to be “Low”, you need only to implement the controls in the Low columns of Appendix B.

2. If this application is determined to be “Moderate”, you must implement all controls in the Low and Moderate columns of Appendix B.

3. If this application is determined to be “High”, you must implement all controls in the Low, Moderate, and High columns of Appendix B.

Any control groups not implemented may be flagged as a risk by the Security Liaison in the Risk Analysis Section (Section 6) and additional controls may be recommended before implementation.
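The categorization of Section 3.4 and the column rule of Section 4.0 above, worked through in code. This is an added example, not part of the DTMB-0170 template or any State of Michigan tooling; it assumes the matrix is applied as a FIPS 199 high-water mark (each objective takes the higher of the two ratings, consistent with the footnote that the rating is based on the most sensitive information), and SAMPLE_CATALOG is a constructed stand-in for the Appendix B columns.

```python
"""Added example (not the form's own code): derive the Section 3.4 "Overall
Security Level" and the Appendix B columns required by Section 4.0.

Assumption: the matrix is applied as a FIPS 199 high-water mark, i.e. each
objective takes the higher of the application/data and co-hosted systems
ratings, and the overall level is the highest objective.
"""
from dataclasses import dataclass
from typing import Dict, List

LEVELS = ("Low", "Moderate", "High")          # FIPS 199 impact levels
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class Categorization:
    """Ratings per objective for the application/data and for the other
    applications installed on the same server hardware (Section 3.4)."""
    application: Dict[str, str]
    systems: Dict[str, str]


def _validate(ratings: Dict[str, str], label: str) -> None:
    for objective in OBJECTIVES:
        rating = ratings.get(objective)
        if rating not in RANK:
            raise ValueError(f"{label}: {objective} must be one of {LEVELS}, got {rating!r}")


def objective_levels(cat: Categorization) -> Dict[str, str]:
    """Overall level per objective: the higher of the two column ratings."""
    _validate(cat.application, "application")
    _validate(cat.systems, "systems")
    return {
        obj: max(cat.application[obj], cat.systems[obj], key=RANK.__getitem__)
        for obj in OBJECTIVES
    }


def overall_level(cat: Categorization) -> str:
    """Single Low/Moderate/High rating for the system: the highest objective."""
    return max(objective_levels(cat).values(), key=RANK.__getitem__)


def required_columns(level: str) -> List[str]:
    """Section 4.0 rule: Low -> Low column; Moderate -> Low + Moderate;
    High -> Low + Moderate + High."""
    if level not in RANK:
        raise ValueError(f"unknown level {level!r}")
    return list(LEVELS[: RANK[level] + 1])


def select_controls(level: str, catalog: Dict[str, str]) -> List[str]:
    """Control ids whose Appendix B column is required at `level`.
    `catalog` maps control id -> the column ("Low"/"Moderate"/"High") in
    which the control first appears."""
    wanted = set(required_columns(level))
    return sorted(cid for cid, column in catalog.items() if column in wanted)


def render_matrix(cat: Categorization) -> str:
    """Plain-text version of the Section 3.4 table."""
    rows = objective_levels(cat)
    lines = ["Category        Application/Data  Systems   Overall"]
    for obj in OBJECTIVES:
        lines.append(f"{obj:<15} {cat.application[obj]:<17} {cat.systems[obj]:<9} {rows[obj]}")
    lines.append(f"Overall Security Level: {overall_level(cat)}")
    return "\n".join(lines)


# Constructed sample for the Access Control family named in Section 5.4;
# Appendix B of the completed form is the authoritative source of columns.
SAMPLE_CATALOG = {
    "AC-1": "Low", "AC-2": "Low", "AC-2(1)": "Moderate", "AC-3": "Low",
    "AC-4": "Moderate", "AC-5": "Moderate", "AC-6": "Moderate",
    "AC-7": "Low", "AC-8": "Low",
}

if __name__ == "__main__":
    # The case shown in Section 3.4: every cell rated Moderate.
    moderate = Categorization(
        application={o: "Moderate" for o in OBJECTIVES},
        systems={o: "Moderate" for o in OBJECTIVES},
    )
    print(render_matrix(moderate))
    level = overall_level(moderate)
    print("Appendix B columns to implement:", required_columns(level))
    print("Controls from the sample catalog:", select_controls(level, SAMPLE_CATALOG))
```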


5.0 Functional and System Design Stage

The State of Michigan network uses a security zone-based architecture model. This model separates the network into zones that are protected from each other.

The State of Michigan’s zoned network architecture allows its firewalls to be configured so that traffic from the Internet into the DMZ, and from the DMZ into the other zones, is restricted to approved traffic types only.

This ensures that none of the IP addresses in the trusted zones are visible or accessible from the Internet.

The default setting for functions, ports, protocols and services is “deny-all”.

The State of Michigan security network zone architecture is as follows:

Zone 0 – Untrusted: In the state’s architecture, zone 0 represents the public Internet. This zone includes networks over which DTMB has no control and is completely untrusted. Only security related services and telecommunication resources are placed in this zone.

Zone 1 – Semi-Trusted: These are networks on which DTMB has implemented security controls, but the networks are not fully trusted. Services used by systems in these zones are restricted to those built for the zone. Access to and from these zones must be approved (default access is deny any). The following is a list of semi-trusted zones:

o DMZ - This zone houses IT resources that are public facing and contain no sensitive information. The DMZ is broken into the following sub-zones:
  - DMZ - This network, also known as MDE DMZ, is segmented and houses the state's public facing applications. Resources can establish sessions to the Internet, but destinations, protocols and ports must be approved before being allowed to communicate out of the DMZ. This zone does not consume services from higher level zones.
  - Secure DMZ (zone 1.49) - This is a segmented network, firewalled off to provide application isolation. Resources in this sub-zone cannot establish sessions to the Internet. This zone may consume services from the DMZ.
  - Enterprise DMZ - Houses Enterprise Services that require Internet access.
o Vendornet - Connects business partners that require access to the state. Access from business partners to state systems is strictly enforced.
o LGNET - Connects local units of government to the state’s network with limited access to state resources.
o UTNET (Kiosknet) - Connects state kiosks to the state network.

Zone 2 – Trusted: These are networks that are under DTMB management and have security controls in place to manage access. They are restricted to trusted networks, devices, and individuals. Systems are allowed to initiate approved outbound communications to the public Internet. Zone 2 is broken into two sub-zones:

o Zone 2 - Networks and individuals that are trusted. Networks are managed by DTMB.
o Zone 2P – Same as zone 2 but firewalled off with additional security controls designed to meet PCI requirements and/or provide application isolation (network segmentation by application).

Zone 3 – Protected: Networks and systems that require additional protection from the trusted zone. It includes devices critical to conducting State of Michigan operations as well as systems containing highly sensitive or confidential data. Firewalled with security protection between systems. Systems are not allowed to initiate outbound communications to the public Internet.

WiFi Zone(s) - Un-trusted: The state maintains a number of WiFi networks for connecting mobile devices. While these networks are considered internal and managed by the state, they are treated as un-trusted due to the nature of WiFi.

In the state's security architecture, all zone transitions require dedicated Layer 3 security devices.
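A pre-check of a proposed firewall rule against the zone rules described in this section, to run before a DTMB-0090 Firewall Rule Request is filed. This is an added example, not the State of Michigan's own tooling: the Zone names, the Rule shape and APPROVED_RULES are assumptions constructed for the example; the constraints it encodes are only those stated in the text above.

```python
"""Added example (not State of Michigan tooling): check a proposed firewall
rule against the Section 5.0 zone architecture.

Encoded from the text: default deny-all (a flow is allowed only if an
approved rule exists); DMZ resources may initiate to the Internet only for
approved destinations/protocols/ports; the DMZ does not consume services
from higher-level zones; the Secure DMZ (zone 1.49) cannot establish
sessions to the Internet but may consume DMZ services; Zone 2 may initiate
approved outbound communications to the Internet; Zone 3 may not; trusted
zone addresses are not reachable from the Internet.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, List, Tuple


class Zone(IntEnum):          # names are assumptions for this example
    INTERNET = 0              # Zone 0, untrusted
    DMZ = 10                  # Zone 1 sub-zone: public-facing applications
    SECURE_DMZ = 11           # Zone 1.49: isolated, no Internet sessions
    TRUSTED = 20              # Zone 2
    TRUSTED_PCI = 21          # Zone 2P
    PROTECTED = 30            # Zone 3


def tier(zone: Zone) -> int:
    """Zone number (0..3) without the sub-zone digit."""
    return zone // 10


@dataclass(frozen=True)
class Rule:
    src: Zone
    dst: Zone
    proto: str   # "tcp" / "udp"
    port: int    # destination port


def architectural_violations(rule: Rule) -> List[str]:
    """Reasons a rule can never be approved, whatever the business need."""
    problems = []
    if rule.dst == Zone.INTERNET and rule.src == Zone.PROTECTED:
        problems.append("Zone 3 systems may not initiate outbound communications to the Internet")
    if rule.dst == Zone.INTERNET and rule.src == Zone.SECURE_DMZ:
        problems.append("Secure DMZ resources cannot establish sessions to the Internet")
    if rule.src == Zone.DMZ and tier(rule.dst) > 1:
        problems.append("the DMZ does not consume services from higher-level zones")
    if rule.src == Zone.INTERNET and tier(rule.dst) >= 2:
        problems.append("trusted-zone addresses are not visible or accessible from the Internet")
    return problems


def evaluate(rule: Rule, approved: Iterable[Rule]) -> Tuple[str, List[str]]:
    """'reject' if the flow contradicts the architecture, 'allow' if an
    approved rule matches, otherwise 'deny' (the default deny-all)."""
    violations = architectural_violations(rule)
    if violations:
        return "reject", violations
    if rule in set(approved):
        return "allow", ["matches an approved DTMB-0090 rule"]
    return "deny", ["default deny-all: no approved rule for this flow"]


# Constructed sample of rules already approved through DTMB-0090 forms.
APPROVED_RULES = (
    Rule(Zone.INTERNET, Zone.DMZ, "tcp", 443),       # public web front end
    Rule(Zone.DMZ, Zone.INTERNET, "tcp", 443),       # approved outbound from the DMZ
    Rule(Zone.SECURE_DMZ, Zone.DMZ, "tcp", 8443),    # Secure DMZ consuming a DMZ service
    Rule(Zone.TRUSTED, Zone.INTERNET, "tcp", 443),   # approved outbound from Zone 2
)


def review(requests: Iterable[Rule],
           approved: Iterable[Rule] = APPROVED_RULES) -> List[Tuple[Rule, str, List[str]]]:
    """Pre-check a batch of proposed rules: 'reject' items should not be
    filed, 'deny' items need a DTMB-0090 approval, 'allow' items exist."""
    approved = tuple(approved)
    return [(r, *evaluate(r, approved)) for r in requests]


if __name__ == "__main__":
    proposals = [
        Rule(Zone.DMZ, Zone.INTERNET, "tcp", 25),        # outbound mail: not approved
        Rule(Zone.PROTECTED, Zone.INTERNET, "tcp", 443), # Zone 3 to Internet
        Rule(Zone.DMZ, Zone.TRUSTED, "tcp", 1433),       # DMZ consuming a Zone 2 service
        Rule(Zone.SECURE_DMZ, Zone.DMZ, "tcp", 8443),    # already approved
    ]
    for rule, verdict, reasons in review(proposals):
        print(f"{rule.src.name} -> {rule.dst.name} {rule.proto}/{rule.port}: "
              f"{verdict} ({'; '.join(reasons)})")
```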


5.1 Hardware this system/application will be utilizing

Solutions Engineering form for hosting the hardware is completed

Server | IP Address | Hardware | Hosting Center | Function | OS | Zone

5.2 Other Systems or Applications serviced by this hardware

Other Information Security Assessments (DTMB-0170) are reviewed and updated for the other systems or applications serviced by this same hardware (Sections 3.2 and 3.3) so that they now include this project’s information.

5.3 Describe the function of the system/application and the information processed for each server utilized in this project.


5.4 Security Control Groups Implemented in the Project

Access Control: (See Appendix B for individual control details.)

Access Control Policy and Procedures (AC-1)

DTMB Policy 1335.00 Information Technology Access Control establishes the State of Michigan (SOM) executive management strategic view of how employees and trusted partners shall obtain access to established services on the SOM network.

Access to buildings and information systems is limited to authorized persons.

Access to all system components defaults to a “deny-all” setting, so that no one is granted access until and unless a rule is established specifically granting such access.

Card key systems have been installed at State of Michigan facilities to help ensure access is restricted to authorized personnel. Card keys contain a photo ID of the employee and must be worn at all times.

Complies with this control: Yes / No / N/A    See Risk #

Account Management (AC-2 (1) (2) (3) (4))

SOM accounts are managed by DTMB/Office Automation (OA).

Application accounts are managed by ………

Database accounts are managed by ……

Temporary and emergency accounts are set to expire in Active Directory when the account is set up through the DTMB-0161 process.

Complies with this control: Yes / No / N/A    See Risk #

Access Enforcement (AC-3)

DTMB 1350.10 Authentication Requirement for Access to Networks, Systems, Computers, Databases, and Applications requires the identification and use of approved personal authentication methods, appropriate for the identified level of security required, for access to SOM information technology resources to prevent unauthorized access or maintain resource data integrity.

DTMB 1350.40 Access Control Criteria for Right to Use Automated Information Resources establishes, documents, and manages the allocation of user access rights.

Access privileges are limited on the basis of an approved specific business need (i.e., a need-to-know basis or the least privilege concept). Access privileges are granted to authorized users, modified when each user’s job duties change, and terminated when a user separates from service.

Complies with this control: Yes / No / N/A    See Risk #

Information Flow Enforcement (AC-4)

DTMB 1350.10 Authentication Requirement for Access to Networks, Systems, Computers, Databases, and Applications requires the identification and use of approved personal authentication methods, appropriate for the identified level of security required, for access to SOM information technology resources to prevent unauthorized access or maintain resource data integrity.

DTMB 1350.40 Access Control Criteria for Right to Use Automated Information Resources establishes, documents, and manages the allocation of user access rights.

The DTMB-0090 (Firewall Rule Request) form must be completed and approved by an Authorized Requestor for all communication between the SOM’s internal zones and the Internet, and for the various Extranet communications.

Complies with this control: Yes / No / N/A    See Risk #

Separation of Duties (AC-5)

A DTMB-0161 (Network UserID Request) is required to be signed by management specifying required privileges before access is granted to any user.

Access privileges are limited on the basis of an approved specific business need (i.e., a need-to-know basis or the least privilege concept). Access privileges are granted to authorized users, modified when each user’s job duties change, terminated when a user separates from service with MDE, and periodically reviewed to ensure only authorized users gain access based on the privileges granted.

DTMB/Server Team … manages the DTMB servers.

DTMB OA manages the workstations.

……. manages the application.

Complies with this control: Yes / No / N/A    See Risk #

Least Privilege (AC-6 (1) (2))

A DTMB-0161 (Network UserID Request) is required to be signed by management specifying required privileges before access is granted to any user.

The SOM employs the concept of least privilege; allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with MDE’s missions and business functions.

Complies with this control: Yes / No / N/A    See Risk #

Unsuccessful Login Attempts (AC-7)

DTMB Account Policy

Account lockout threshold = 5 invalid attempts
Account lockout duration = 30 minutes
Reset account lockout counter after = 30 minutes

Complies with this control: Yes / No / N/A    See Risk #
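The three account-policy settings above interact in a way a plan reviewer should be able to reason about: the threshold only trips when the failures arrive inside the reset window, and a locked account refuses even the correct password until the lockout duration has expired. The Python model below is added here as an illustration; it is not part of the DTMB form or of any State of Michigan tooling. It replays failed and successful logon attempts against the exact values stated (5 attempts, 30 minutes, 30 minutes). The account state, the scenario timestamps and the helper names are constructed for the example; the reset and lockout semantics follow the standard Windows account lockout behaviour that the three settings describe.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Policy values as stated in the AC-7 entry above (DTMB Account Policy).
LOCKOUT_THRESHOLD = 5                        # invalid attempts
LOCKOUT_DURATION = timedelta(minutes=30)     # account lockout duration
RESET_COUNTER_AFTER = timedelta(minutes=30)  # reset account lockout counter after


@dataclass
class AccountState:
    """Per-account state that a lockout-enforcing authenticator has to keep (constructed)."""
    failed_attempts: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


def is_locked(state: AccountState, now: datetime) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_failed_logon(state: AccountState, now: datetime) -> bool:
    """Apply one invalid-password attempt at time `now`; return True if the account is then locked."""
    if is_locked(state, now):
        return True                          # inside the lockout window: refuse, no state change
    if state.locked_until is not None:       # a previous lockout has expired: start a fresh count
        state.locked_until = None
        state.failed_attempts = 0
    # The bad-password counter resets once the previous failure is older than the reset window.
    if state.last_failure is not None and now - state.last_failure > RESET_COUNTER_AFTER:
        state.failed_attempts = 0
    state.failed_attempts += 1
    state.last_failure = now
    if state.failed_attempts >= LOCKOUT_THRESHOLD:
        state.locked_until = now + LOCKOUT_DURATION
        return True
    return False


def record_successful_logon(state: AccountState, now: datetime) -> bool:
    """A correct password is refused while the lock is active; otherwise it clears the counter."""
    if is_locked(state, now):
        return False
    state.failed_attempts = 0
    state.last_failure = None
    state.locked_until = None
    return True


T0 = datetime(2024, 1, 1, 9, 0)  # constructed reference time for the scenarios


def replay_failures(offsets_minutes: List[int]) -> List[bool]:
    """Replay failed attempts at the given minute offsets from T0; return lock status after each."""
    state = AccountState()
    return [record_failed_logon(state, T0 + timedelta(minutes=m)) for m in offsets_minutes]


def lock_holds_against_valid_password() -> List[bool]:
    """Five failures at 09:00-09:04, then the correct password at 09:10 (refused) and 09:35 (accepted)."""
    state = AccountState()
    for m in range(5):
        record_failed_logon(state, T0 + timedelta(minutes=m))
    return [record_successful_logon(state, T0 + timedelta(minutes=m)) for m in (10, 35)]


if __name__ == "__main__":
    print("burst of 5 in 5 minutes    :", replay_failures([0, 1, 2, 3, 4]))
    print("one failure every 31 min   :", replay_failures([0, 31, 62, 93, 124]))
    print("lockout expiry after 30 min:", replay_failures([0, 1, 2, 3, 4, 20, 40]))
    print("valid password during lock :", lock_holds_against_valid_password())
```

The second scenario is the one worth noting in a review: five failures spaced 31 minutes apart never trip the lockout, because the counter resets between them. The lockout setting therefore limits burst guessing only; the forwarding of the Windows security log described under the audit controls remains the mechanism that surfaces slow, repeated failures against one account.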

System Use Notification (AC-8)

The current banner is specific to the State of Michigan’s IT Acceptable Use Policy, 1460.00.

The SOM desktop images are created based on the need and use of the division staff and downloaded to each employee’s computer based on their roles and responsibilities. DTMB’s policy is to lock computers after 10 minutes of inactivity. The ability for a user to modify this policy is disabled on all desktop computers issued by Enterprise Solutions. If a user forgets their password, it must be reset by an authorized person.

Complies with this control: Yes / No / N/A    See Risk #

Session Lock (AC-11)

The system initiates a session lock after 10 minutes of inactivity and retains the session lock until the user reestablishes access using established identification and authentication.

Complies with this control: Yes / No / N/A    See Risk #

Permitted Actions without Identification or Authentication (AC-14 (1))

No actions are permitted without identification and authentication.

The User ID is used in conjunction with a password to determine whether a person is authorized to access a specific computer, application, database record, or file. Various audit records exist that record the User ID; therefore, the person who accessed a computer or performed some action can later be identified if necessary.

Complies with this control: Yes / No / N/A    See Risk #

Remote Access (AC-17 (1) (2) (3) (4) (5) (7) (8))

Completion of form DTMB-0051 Remote Access Service Request is required.

Remote access service is intended for MDE’s business purposes only and for use by MDE’s employees, DTMB employees and contractors who have demonstrated a business need for and have been approved to access information resources from a location that is not connected to the SOM network. Each remote access request is authorized by the appropriate Bureau Director, Office Director or Division Administrator. Agency and contractor employees requesting remote access to an Agency system sign a DTMB Employee Security Agreement or Acceptable Use Policy Letter. Remote users are required to use VPN for information encryption in transit and RSA SecurID tokens for two-factor authentication.

Vendor personnel needing access to the system are required to utilize 2-factor authentication and use the jump server to gain access to system components. Unless there is an approved change, as defined by the SOM Request for Change process, vendor accounts have no access to system components.

All users are tracked in the Access Control Server (ACS) located in zone 2.

Complies with this control: Yes / No / N/A    See Risk #

Wireless Access (AC-18 (1))

DTMB 800.03 Usage of State Telephones and Wireless Communication Devices
DTMB 800.05 Wireless Communication Devices
DTMB 1410.21 Procurement and Acceptable Usage of the State Wireless Devices by State Employees

Employees are required to complete the Employee Certification Wireless Communication Device Use Form DTMB-0055, which outlines the Wireless Communication Device Acceptable Use Policy.

For SOM-approved and DTMB-managed State User Wi-Fi: access to internal systems is only granted after successful Domain authentication of both the machine and the user, with certificates exchanged, FIPS 140-2 encryption, and enterprise logging for audit.

For any other wireless (including State Guest Wi-Fi): access to internal systems requires use of the State-issued VPN client and a SecurID token. Mobile computers are additionally protected by a FIPS 140-2 certified full disk encryption product.

The Office of Michigan Cyber Security tests for the presence of wireless access points and detection of unauthorized wireless points on a quarterly basis for the DTMB hosting centers.

Complies with this control: Yes / No / N/A    See Risk #

Access Control for Mobile Devices (AC-19 (1) (2) (3))

Complies with this control: Yes / No / N/A    See Risk #

Use of External Information Systems (AC-20 (1) (2))

A State of Michigan-furnished remote access connection is provided to an individual only through written authorization of a remote access request. Requirements for authorization include but are not limited to:

Obtaining signed Acceptable Use (Security) and Confidentiality Agreements from users.
Firewalls installed on the user’s system(s) at external access points.
Software installation on the user’s system(s) that requires “message authentication” and/or “user authentication”.
Encryption of confidential or sensitive data while being transmitted and secured at a remote site.
Usage of RSA SecurID tokens for two-factor authentication.

Third parties and vendors operating their servers on or traversing across the State of Michigan’s network are required to comply with the same standards and policies which govern State of Michigan servers.

DTMB 1345.00.50.01 – Vendor Server Management Agreement
DTMB 1345.00.50.02 – Third Party Server Management Agreement
DTMB 1345.00.50.03 – Third Party and Vendor Server Management – Servers Accessing the SOM Network
DTMB 1345.00.50.04 – Third Party and Vendor Server Management – Servers Not Accessing the State of Michigan Network
DTMB 1345.00.50.05 – Third Party and Vendor Server Management – Staff Resources

Complies with this control: Yes / No / N/A    See Risk #

Publicly Accessible Content (AC-22)

DTMB E-Michigan Look & Feel Standards for e-Government details the appearance system and requirements for e-government web sites operating within the State of Michigan.

A DMZ limits inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.

Complies with this control: Yes / No / N/A    See Risk #

Awareness & Training: (See Appendix B for individual control details.)

Security Awareness and Training Policy and Procedures (AT-1)

DTMB Policy 1325.00 Information Technology Security Awareness establishes a statewide policy for the purpose of security awareness and training and to inform all levels of State’s personnel of the importance of the information they handle and the legal and business reasons for maintaining confidentiality, availability and integrity.

Complies with this control: Yes / No / N/A    See Risk #

Security Awareness (AT-2)

DTMB’s Office of Michigan Cyber Security provides MOST (Michigan Online Security Training), which targets State employees and gives them a clear understanding of computer and Internet security risks and of ways to prevent and protect against such risks. MOST discusses various security issues related to employee use of computers and the Internet at work and at home, along with a wealth of other information. Various government issues, policies and regulations are also discussed.

All State of Michigan employees are formally invited and expected to participate in DTMB’s online cyber security awareness training.

Complies with this control: Yes / No / N/A    See Risk #

Security Training (AT-3)

DTMB’s Office of Michigan Cyber Security provides MOST (Michigan Online Security Training), which targets State employees and gives them a clear understanding of computer and Internet security risks and of ways to prevent and protect against such risks. MOST discusses various security issues related to employee use of computers and the Internet at work and at home, along with a wealth of other information. Various government issues, policies and regulations are also discussed.

All State of Michigan employees are formally invited and expected to participate in DTMB’s online cyber security awareness training.

Complies with this control: Yes / No / N/A    See Risk #

Security Training Records (AT-4)

Complies with this control: Yes / No / N/A    See Risk #

Audit & Accountability: (See Appendix B for individual control details.)

Audit and Accountability Policy and Procedures (AU-1)

DTMB 1340.00.03 Server Security Operational Standard includes installation, configuration and on-going maintenance actions for all servers and cluster systems used to support the range of information technology needs within the SOM.

DTMB 1345.00 Information Technology Network and Infrastructure Policy

DTMB 1345.00.50 – Server Management Standard governs the management and administration of all servers in the SOM IT environment.

DTMB 1345.00.50.7 Server Logging Procedure defines configuring servers to collect and forward log events to a centralized secure and encrypted location.

Complies with this control: Yes / No / N/A    See Risk #

Auditable Events (AU-2 (3) (4))

For the Windows servers, there are three default event logs: the application log, which contains events generated by applications running on the server; the security log, which contains security information such as logon attempts or object access; and the system log, which contains events generated by Windows itself or its core services. Users that have the ability to log on to the server can review the application and system logs; only administrators can review the security log.

The UNIX servers have several different logging systems, which are integrated into syslog (system log). wtmp collects login information (UNIX industry standard). cronlog collects information for automated jobs and scheduling (UNIX industry standard). sulog collects privilege escalations, i.e., users switching to root or other users (UNIX industry standard), and fcheck (file changes) has been added for host-based intrusion detection (State of Michigan standard). When required, TCP Wrappers (port access control) and IP Filter (local firewall) are used for granular access controls and report to syslog (Oracle Solaris standard). Each hardware vendor supplies its own fault management system, which reports ongoing system status (fmadm for Oracle Solaris). These integrated logs are transferred to the Enterprise Logging Server for independent monitoring, review, and archiving.

Complies with this control: Yes / No / N/A    See Risk #

Content of Audit Records (AU-3 (1))

Complies with this control: Yes / No / N/A    See Risk #

Audit Storage Capacity (AU-4)

When additional storage capacity is needed, the change control process is used so that capacity is not exceeded.

Complies with this control: Yes / No / N/A    See Risk #

Response to Audit Processing Failures (AU-5)

DTMB uses IBM’s Tivoli Security Information and Event Management (TSIEM) as an enterprise log management solution. Windows Security and File Integrity Monitoring logs are forwarded to the IBM TSIEM, and alerts are generated via the IBM TSIEM.

Complies with this control: Yes / No / N/A    See Risk #

Audit Review, Analysis, and Reporting (AU-6)

DTMB Quality Assurance Team reviews TSIEM logs daily.

vShield App is a hypervisor-based, application-aware firewall solution, applied at the vNIC of a VM, that provides stateful packet inspection and blocking for internal segments. vShield App also provides additional security benefits such as internal monitoring, displaying all traffic, and logging specific traffic that matches designated criteria. (This paragraph is only applicable if the system runs on a VM.)

Complies with this control: Yes / No / N/A    See Risk #

Audit Reduction and Report Generation (AU-7 (1))

DTMB uses IBM’s Tivoli Security Information and Event Management (TSIEM) as an enterprise log management solution. Windows Security and File Integrity Monitoring event logs are forwarded to the IBM TSIEM, and alerts are generated via the IBM TSIEM.

Complies with this control: Yes / No / N/A    See Risk #

Time Stamps (AU-8 (1))

State of Michigan components are synchronized with the SOM central NTP (Network Time Protocol) servers.

Complies with this control: Yes / No / N/A    See Risk #

Protection of Audit Information (AU-9)

Access to TSIEM logs requires VPN (2-factor) access; the portal (Zone 3) is protected by user ID and password.

Complies with this control: Yes / No / N/A    See Risk #

Audit Record Retention (AU-11)

TSIEM logs: 200MB of space is allocated to retain logs, or 30 days on-line and available if the 200MB of space is not exceeded.

Complies with this control: Yes / No / N/A    See Risk #
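The AU-11 entry gives two limits, a 200MB on-line allocation and a 30-day window, and a reviewer needs to know which of the two actually bounds the logs kept on-line at a given daily volume. The Python function below is an added example, not anything from the DTMB form or from TSIEM itself. It applies one reading of that entry (an assumption: a day’s log stays on-line while it is within 30 days and the newest-first running total stays within 200MB, with the oldest days evicted first) to a constructed set of daily log sizes and reports how many days survive and whether the cap cut the window short. The LogDay structure, the sample dates and the sizes are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

MAX_ONLINE_BYTES = 200 * 1024 * 1024   # 200MB, from the AU-11 entry
MAX_ONLINE_DAYS = 30                   # 30 days on-line, from the AU-11 entry


@dataclass(frozen=True)
class LogDay:
    """One day's worth of forwarded log data (constructed for the example)."""
    day: date
    size_bytes: int


def select_online_logs(logs: List[LogDay], today: date,
                       max_bytes: int = MAX_ONLINE_BYTES,
                       max_days: int = MAX_ONLINE_DAYS) -> Dict[str, object]:
    """Decide which daily logs stay on-line under the two AU-11 limits.

    Assumed reading of the entry: a day stays on-line while it is within `max_days`
    of `today` and the newest-first running total stays within `max_bytes`. When the
    cap is reached, that day and everything older is evicted (oldest first), so the
    cap can shorten the effective retention window below `max_days`.
    """
    cutoff = today - timedelta(days=max_days)
    aged_out = sorted((l for l in logs if l.day <= cutoff), key=lambda l: l.day)
    in_window = sorted((l for l in logs if l.day > cutoff), key=lambda l: l.day, reverse=True)

    retained: List[LogDay] = []
    evicted_by_cap: List[LogDay] = []
    total = 0
    for i, entry in enumerate(in_window):
        if total + entry.size_bytes > max_bytes:
            evicted_by_cap = in_window[i:]   # this day and every older one leave the on-line store
            break
        retained.append(entry)
        total += entry.size_bytes

    return {
        "retained": retained,
        "aged_out": aged_out,
        "evicted_by_cap": evicted_by_cap,
        "bytes_online": total,
        "days_online": len(retained),
        "meets_30_day_window": not evicted_by_cap,
    }


def demo(daily_mb: int) -> Dict[str, object]:
    """Constructed scenario: 45 consecutive days of logs at a fixed daily volume."""
    today = date(2024, 3, 31)
    logs = [LogDay(today - timedelta(days=k), daily_mb * 1024 * 1024) for k in range(45)]
    return select_online_logs(logs, today)


if __name__ == "__main__":
    for mb in (4, 8):
        r = demo(mb)
        print(f"{mb}MB/day: {r['days_online']} days on-line, "
              f"{r['bytes_online'] / 2**20:.0f}MB used, "
              f"cap forced early eviction: {not r['meets_30_day_window']}")
```

At 4MB a day the 30-day window is the binding limit; at 8MB a day the 200MB cap evicts the five oldest in-window days, so the effective on-line retention is 25 days. That gap between the stated window and the achievable one is the figure a reviewer would record against this control for a system whose daily log volume is known.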

Audit Generation (AU-12)

For the Windows servers, there are three default event logs: the application log, which contains events generated by applications running on the server; the security log, which contains security information such as logon attempts or object access; and the system log, which contains events generated by Windows itself or its core services. Users that have the ability to log on to the server can review the application and system logs; only administrators can review the security log.

UNIX servers have several different logging systems, which are integrated into syslog (system log). wtmp collects login information (UNIX industry standard). cronlog collects information for automated jobs and scheduling (UNIX industry standard). sulog collects privilege escalations, i.e., users switching to root or other users (UNIX industry standard), and fcheck (file changes) has been added for host-based intrusion detection (State of Michigan standard). When required, TCP Wrappers (port access control) and IP Filter (local firewall) are used for granular access controls and report to syslog (Oracle Solaris standard). Each hardware vendor supplies its own fault management system, which reports ongoing system status (fmadm for Oracle Solaris). These integrated logs are transferred to the Enterprise Logging Server for independent monitoring, review, and archiving.

Complies with this control: Yes / No / N/A    See Risk #
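Both the AU-2 and AU-12 entries name sulog as the record of users switching to root or other accounts and state that these logs are forwarded to the Enterprise Logging Server for review. The Python snippet below is added here as an illustration of the kind of review that forwarded record supports; it is not code from the DTMB form or from the State’s logging servers. It parses lines in the classic Solaris sulog layout (SU, date, time, + for success or - for failure, tty, from-to) and reports repeated failed escalations and successful root escalations outside business hours. The sample log lines, user names, threshold and quiet-hours window are constructed for the example; the parser assumes user names do not themselves contain hyphens.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Classic Solaris sulog line: "SU MM/DD HH:MM [+|-] tty from-to" (+ = success, - = failure).
SULOG_RE = re.compile(
    r"^SU\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<flag>[+-])\s+"
    r"(?P<tty>\S+)\s+(?P<src>[^-\s]+)-(?P<dst>\S+)$"
)

# Constructed sample; not a real system's log.
SAMPLE_SULOG = """\
SU 03/04 08:12 + pts/1 jdoe-root
SU 03/04 08:40 - pts/3 bsmith-root
SU 03/04 08:41 - pts/3 bsmith-root
SU 03/04 08:42 - pts/3 bsmith-root
SU 03/04 09:05 + pts/2 jdoe-oracle
SU 03/04 23:58 + pts/4 bsmith-root
this line is not a sulog record and is skipped
"""


def parse_sulog(text: str) -> List[Dict[str, object]]:
    """Turn sulog text into records; lines that do not match the layout are skipped, not guessed at."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m is None:
            continue
        rec: Dict[str, object] = dict(m.groupdict())
        rec["success"] = rec.pop("flag") == "+"
        records.append(rec)
    return records


def root_escalations(records: List[Dict[str, object]]) -> List[str]:
    """Users who successfully became root, in first-seen order."""
    seen: List[str] = []
    for r in records:
        if r["success"] and r["dst"] == "root" and r["src"] not in seen:
            seen.append(str(r["src"]))
    return seen


def review_sulog(records: List[Dict[str, object]],
                 failure_threshold: int = 3,
                 quiet_hours: Tuple[int, int] = (22, 6)) -> List[tuple]:
    """Findings a reviewer would want from one day's sulog (thresholds are constructed)."""
    findings: List[tuple] = []

    # Repeated failed escalations by the same user to the same target account.
    failures = Counter((r["src"], r["dst"]) for r in records if not r["success"])
    for (src, dst), n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(("repeated_su_failures", src, dst, n))

    # Successful escalation to root during the quiet-hours window (wraps past midnight).
    start, end = quiet_hours
    for r in records:
        hour = int(str(r["time"])[:2])
        off_hours = hour >= start or hour < end
        if r["success"] and r["dst"] == "root" and off_hours:
            findings.append(("off_hours_root_su", r["src"], f"{r['date']} {r['time']}"))
    return findings


if __name__ == "__main__":
    recs = parse_sulog(SAMPLE_SULOG)
    print("parsed records:", len(recs))
    print("became root   :", root_escalations(recs))
    for finding in review_sulog(recs):
        print("finding       :", finding)
```

Neither finding is a conclusion on its own; they are the rows a daily TSIEM review would start from. The value of the central copy is that the host whose sulog is in question cannot edit the record after the fact, which is the property the AU-9 entry is protecting.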

Security Assessment and Authorization: (See Appendix B for individual control details.)

Security Assessment and Authorization Policies and Procedures (CA-1)

DTMB policy 1340.00 – Information Technology Information Security Policy establishes how information security shall be implemented to protect SOM information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity and availability of SOM information.

Complies with this control: Yes / No / N/A    See Risk #

Security Assessments (CA-2 (1))

The Office of Michigan Cyber Security policies include the completion of DTMB-170 Information Technology Project Security Plan & Assessment for all major applications upon implementation as well as upon major changes. This document serves as documentation of the structured process of planning adequate, cost-effective security protection for a system. This document contains detailed technical information about the system, its security requirements, and the controls implemented to provide protection against its risks and vulnerabilities. This document is based on and complies with NIST 800-53 standards.

The State of Michigan’s Financial Management Guide Part VII – Internal Controls provides guidance to departments when establishing and evaluating their internal accounting and administrative control system. The guidance in that chapter represents the General Framework as referenced in Public Act 431 of 1984, (the Management and Budget Act), as amended. The Act requires the State Budget Director, in consultation with the Auditor General, to develop a general framework and a system for reporting on the results of those evaluations. The Act also requires the department to evaluate the system of controls and biennially issue a report on or before May 1 of each odd numbered year to the Governor regarding the results of their evaluations. The Office of Internal Audit Service's responsibilities include department-level examination and evaluation of the adequacy and effectiveness of the internal control system. OIAS independently verifies the integrity of the department’s evaluation and biennial reporting processes. The Office of the Auditor General also periodically conducts audits of major information technology systems.

Complies with this control: Yes / No / N/A    See Risk #

Information System Connections (CA-3)

The DTMB-0090 (Firewall Rule Request) form is required to be completed and approved by an Authorized Requestor for all communication between the SOM’s internal zones and Internet and various Extranet communication.

DTMB is responsible for secure operation of all connectivity inside and outside the State of Michigan network. DTMB maintains responsibility for firewalls and routers, as well as ongoing monitoring of all zones within the network. As a matter of regular business operation, intrusion detection scans are run continuously and if a suspicious access attempt is detected, an alert is sent to the Office of Michigan Cyber Security.

Complies with this control: Yes / No / N/A    See Risk #

Plan of Action and Milestones (CA-5)

The Office of Michigan Cyber Security prepares a list of recommended additional controls as part of the completion of DTMB-170 Information Technology Project Security Plan & Assessment. This information, along with any recommendations identified during the agency’s biennial internal control assessment, is used as a corrective action plan. The agency’s system owners acknowledge these items as part of their sign-off on these evaluation documents and can consider this information when making future updates to the system as well as during the annual budgeting process.

Complies with this control: Yes / No / N/A    See Risk #

Security Authorization (CA-6)

DTMB maintains a list of Authorized Requestors by Agency and DTMB who are allowed to approve Network Connections, Database Restore, Physical Access, SecurID/Remote Access, etc. These lists are updated on a quarterly basis.

The agency’s Project Managers complete a Project Charter which includes identifying Project Sponsors. Project Sponsors are senior-level executives or managers responsible for the business area impacted by the information system. The Project Sponsor approves project implementation, which initiates the change control process documented in DTMB policy 1370.00.01 – Enterprise Change Control Process Standard.

Complies with this control: Yes / No / N/A    See Risk #

Continuous Monitoring (CA-7)

DTMB Procedure 1350.60 – Intrusion Detection and Monitoring establishes a framework for intrusion detection and security monitoring for State of Michigan data networks.

Each hosting center has a centralized security monitoring system with cameras, both inside and outside the facility. Access control systems with key pads and door alarms are in place.

DTMB 1345.00.50.06 File Integrity Monitoring Procedure has been developed to validate the integrity of the Operating System (OS), applications, and other critical system related functions. The File Integrity service will gather information to alert if the event source has been compromised.

Complies with this control: Yes / No / N/A    See Risk #
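The CA-7 entry relies on the File Integrity Monitoring procedure (DTMB 1345.00.50.06) to detect when an operating system, application or event source has been tampered with, and the AU-2 entry names fcheck in the same role on UNIX hosts. The Python example below is added here to show what such a check consists of; it is not the State’s File Integrity service, fcheck, or any DTMB tooling. It records a SHA-256 digest, size and permission bits for every file under a directory, then compares a later snapshot against that baseline and classifies paths as added, removed or modified (a permission change, such as a binary gaining the setuid bit, counts as modified even when the content is unchanged). The directory tree, file names and the tampering steps in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

Baseline = Dict[str, Dict[str, object]]


def sha256_file(path: Path, chunk: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> Baseline:
    """Record digest, size and permission bits for every regular file under `root`."""
    baseline: Baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,   # permission bits incl. setuid/setgid/sticky
        }
    return baseline


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Classify paths as added, removed, or modified (content or permission change)."""
    old, new = set(baseline), set(current)
    modified = [
        p for p in old & new
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    ]
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": sorted(modified)}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "etc" / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        service = root / "bin" / "service"
        service.write_bytes(b"\x7fELF constructed stub")
        os.chmod(service, 0o555)             # read/execute only, as a deployed binary would be
        baseline = build_baseline(root)

        # Four kinds of change the monitor must report:
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")  # content edited
        os.chmod(service, 0o4755)            # permissions changed (setuid + writable), content intact
        (root / "etc" / "hosts.allow").unlink()                               # file removed
        (root / "bin" / "helper").write_text("#!/bin/sh\n")                   # file added
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

In practice the baseline would be written out (for example as JSON) and kept where the monitored host cannot alter it, since a baseline that lives on the host it protects can be rewritten by whoever changed the files. That is the same reasoning behind forwarding the resulting alerts to the central TSIEM rather than leaving them on the server.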

Configuration Management: (See Appendix B for individual control details.)

Configuration Management Policy and Procedures (CM-1)

DTMB Policy 1370.00 – Information Technology Configuration Management provides guidance for configuration management processes for new and existing IT systems within the State of Michigan and outlines specific responsibilities for Agency Directors and the Director of DTMB.

Configuration Items (CI) are defined as part of the IMAC (Install, Move, Add, Change) process. Tasks to build the CIs and to update the status of same in the CMDB are tracked as project related tasks.

Prior to the initiation of the IMAC process, an Enterprise Architecture Solutions Assessment (EASA) must be submitted to the State’s Enterprise Architecture group for review and approval. This documents the overall architecture of the systems. Once the EASA is approved, a DTMB-184 Infrastructure Service Request (ISR) is submitted. This starts the Server Hosting Process. A Solutions Engineer creates a Hosting Solution package. This package must be approved by the project’s stakeholders.

Complies with this control: Yes / No / N/A    See Risk #

Baseline Configuration (CM-2 (1) (3) (4))

DTMB Policy 1370.00 Information Technology Configuration Management (Issued June 4, 2009) provides guidance for configuration management processes for new and existing IT systems within the State of Michigan and outlines specific responsibilities for Agency Directors and the Director of Information Technology.

Each server goes through the IMAC (Install, Move, Add, Change) process. There are baseline configurations for each operating system level.

DTMB 1310.22 Desktop Suite Standard
DTMB 1345.00.50.09 Desktop Patch Management Procedure
DTMB 1410.88 Desktop Log-Off/System Shutdown

There is a standardized M1 build for all desktops.

Complies with this control: Yes / No / N/A    See Risk #

Configuration Change Control (CM-3 (2))

DTMB Change Management Procedure (1370.00.01) defines the mechanism by which changes to applications, network, infrastructure or other IT components are planned, communicated, and coordinated by DTMB.

Requests for Changes (RFCs) are managed within the scope of the Service Management Center (SMC).

RFCs (and the Remedy tickets) are evaluated through a multi-tiered process scaled to the impact of the change. The first review is by the Local Change Board (LCB). If the change has wider-ranging impact and potential consequences, it is brought forward to the Enterprise Change Board (ECB). The LCBs meet each week to review single-domain changes and bring them forward as appropriate into the ECB weekly review, which occurs every Wednesday morning.

Complies with this control: Yes / No / N/A    See Risk #

Security Impact Analysis (CM-4)

Any changes to the infrastructure must first be approved by the Department of Technology, Management and Budget (DTMB) Enterprise Architecture committee. DTMB’s Office of Michigan Cyber Security has developed a detailed Security Plan & Assessment (DTMB-170) which must be approved prior to any changes. Additionally, a Request For Change (RFC) must be submitted and approved prior to implementation.

Complies with this control: Yes / No / N/A    See Risk #

Access Restrictions for Change (CM-5)

A DTMB-0161 (Network UserID Request) is required to be signed by management specifying required privileges before access is granted to any user.

The DTMB-0090 (Firewall Rule Request) form is required to be completed and approved by an Authorized Requestor for all communication between the SOM’s internal zones and Internet and various Extranet communication.

Complies with this control: Yes / No / N/A    See Risk #

Configuration Settings (CM-6 (3))

DTMB Technical Standard 1340.00.03, DTMB Server Security Operational Standard, documents the procedures for installation, configuration and on-going maintenance actions for servers and cluster systems used to support the range of information technology needs within the State of Michigan.

DTMB 1345.00.50 Server Management Standard – Requirements for managing and standardizing all servers.

DTMB Technical Procedure 1345.00.50.08 defines the detailed outline of the patching process for updating the operating system (O/S), hot fixes, and security updates for servers within the State of Michigan.

Quarterly PCI compliance checks identify any configuration vulnerabilities, allowing the server team to remediate them.

Complies with this control: Yes / No / N/A    See Risk #

Least Functionality (CM-7 (1))

The DTMB-0090 (Firewall Rule Request) form is required to be completed and approved by an Authorized Requestor for all communication between the SOM’s internal zones and Internet and various Extranet communication.

Complies with this control: Yes / No / N/A    See Risk #

Information System Component Inventory (CM-8 (1) (5))

DTMB Technical Services has a server team assigned to each information system. Each team works with the business owner of the data to track the different components.

DTMB Configuration Management Database (CMDB) documents specific details of components.

Complies with this control: Yes / No / N/A    See Risk #

Configuration Management Plan (CM-9)

DTMB Policy 1370.00 Information Technology Configuration Management (Issued June 4, 2009) provides guidance for configuration management processes for new and existing IT systems within the State of Michigan and outlines specific responsibilities for Agency Directors and the Director of Information Technology.

Complies with this control: Yes / No / N/A   See Risk #

Contingency Planning: (See Appendix B for individual control details.)

Contingency Planning Policy and Procedures (CP-1)

DTMB 1390.00 Policy Information Technology Continuity of Business Planning establishes the State of Michigan (SOM) guidelines for continuity of business planning.

Complies with this control: Yes / No / N/A   See Risk #

Contingency Plan (CP-2 (1))

Completion of DTMB-208, Business Service/System/Application/Business Function Information.

Complies with this control: Yes / No / N/A   See Risk #


Contingency Training (CP-3)

The DTMB Data Operation Center Business Continuity and Disaster Recovery Team provides Business Continuity Planning/Disaster Recovery training to each State of Michigan department and administers the State of Michigan's Living Disaster Recovery Planning System (LDRPS). All users of LDRPS are trained prior to receiving access to LDRPS. Access to LDRPS is granted with approval by each department head or its designee. The Statewide Business Continuity and Disaster Recovery Team officially gathers on a quarterly basis to provide updates and guidance.

Complies with this control: Yes / No / N/A   See Risk #

Contingency Plan Testing and Exercises (CP-4 (1))

The Continuity of Government Initiative (COGI), led by the Department of Technology, Management and Budget (DTMB) and commissioned by the Governor, requires state agencies to identify and create a Business Continuity Plan for their mission critical business functions.

Each server has the standard State of Michigan backup protection provided by the DTMB Enterprise Backup and Recovery (EBUR) section.

Complies with this control: Yes / No / N/A   See Risk #

Alternate Storage Site (CP-6 (1) (3))

DTMB has a production data center and a development/DR data center. Both data centers are secured by DTMB Data Center Operations as part of their service offering.

Servers are backed up by the DTMB Enterprise Backup and Recovery (EBUR) section. All backups are stored at an off-site location.

Complies with this control: Yes / No / N/A   See Risk #


Alternate Processing Site (CP-7 (1) (2) (3) (5))

DTMB has a production data center and a development/DR data center. Both data centers are secured by DTMB Data Center Operations as part of their service offering.

Complies with this control: Yes / No / N/A   See Risk #

Telecommunication Services (CP-8 (1) (2))

DTMB has a production data center and a development/DR data center. Both data centers are secured by DTMB Data Center Operations as part of their service offering.

Complies with this control: Yes / No / N/A   See Risk #

Information System Backup (CP-9 (1))

DTMB has a production data center and a development/DR data center. Both data centers are secured by DTMB Data Center Operations as part of their service offering.

All servers located at one of the Enterprise Hosting Centers participate in the backup strategy using the enterprise backup service. This strategy is designed according to the business continuity plans and processing requirements of the application. The strategy is implemented during the initial installation of the server environment. If the requirements are not specified, the standard default backup strategy is applied.

The Enterprise Backup and Recovery solution is centrally managed and scheduled utilizing the targeted backup solution. This solution takes advantage of the back-end storage switching infrastructure and consolidated off-site disk cache, virtual libraries, Dense Wave Division Multiplexers (DWDM), dedicated fibre channel connectivity and Enterprise class tape libraries with drives using "Fat tape" technologies.

Complies with this control: Yes / No / N/A   See Risk #


Information System Recovery and Reconstitution (CP-10 (1) (2) (3))

DTMB has a production data center and a development/DR data center. Both data centers are secured by DTMB Data Center Operations as part of their service offering.

Complies with this control: Yes / No / N/A   See Risk #

Identification & Authentication: (See Appendix B for individual control details.)

Identification and Authentication Policy and Procedures (IA-1)

DTMB 1350.10 Authentication Requirement for Access to Networks, Systems, Computers, Databases, and Applications procedure requires the identification and use of approved personal authentication methods, appropriate for the identified level of security required, for access to State of Michigan information technology resources, to prevent unauthorized access and maintain resource data integrity.

Complies with this control: Yes / No / N/A   See Risk #

Identification and Authentication (Organizational Users) (IA-2 (1) (2) (3) (8))

All users are assigned a unique User ID that allows access to the computer resources they have been authorized to use. The individual to whom a User ID has been assigned is accountable for any use of the User ID. Users, applications, and systems are authenticated to agency computer resources through the use of a unique password prior to being allowed access. Passwords are the responsibility of the person with whom the User ID and password are associated. Passwords are considered confidential and should not be shared or disclosed to another person. RSA SecurID tokens for two-factor authentication and VPN are used when remotely accessing the State's network.

Authentication information (e.g., password or PIN) is never disclosed to another user or shared among users.

Complies with this control: Yes / No / N/A   See Risk #


Device Identification and Authentication (IA-3)

DTMB 1350.40 Access Control Criteria for Right to Use Automated Information Resources establishes, documents, and manages the allocation of user access rights.

Device identification is managed through Kerberos tickets assigned from a central domain authority.

The domain controllers are the servers that respond to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain. Authentication is the validation of the password and the ID of users seeking access to a domain.

Complies with this control: Yes / No / N/A   See Risk #

Identifier Management (IA-4)

The specific level of access granted to a user for any computer resource or information asset is approved by the user's management and the owner of the resource. This access has to be commensurate with the duties and job responsibilities of the individual needing access.

User IDs that are assigned to consultants, contractors, and temporary staff are only authorized to access computer systems for a limited period of time from the date of issue. These User IDs are disabled and/or deleted no later than day-end of the user's last day of employment or assignment.

All User IDs assigned to a person are immediately disabled and staged for deletion from all computer resources when the person leaves the Agency.

Complies with this control: Yes / No / N/A   See Risk #


Authenticator Management (IA-5 (1) (2) (3))

A DTMB-0161 (Network UserID Request) must be signed by management, specifying the required privileges, before access is granted to any user. All users are assigned a unique userID for access. In addition to a unique userID, the user is required to use a password for authentication. The password is in compliance with DTMB 1335.00.20, Active Directory Password Standard. Sharing accounts and credentials is prohibited. All changes to user accounts (except for password resets) are approved by the employee's manager. Authentication is provided by Active Directory (AD). Authenticating users via Active Directory centralizes accounts and allows continuity of existing policies for password complexity, aging and reuse.

DTMB Active Directory Password Standard 1335.00.20:

Maximum password age = 90 days
Enforce password history = 10 passwords
Minimum password age = 1 day
Minimum password length = 8 characters
Passwords must meet complexity requirements = Enabled
    Is not based on the user's account name
    Contains at least eight characters
    Contains characters from three of the following four categories:
        Uppercase alphabet characters (A-Z)
        Lowercase alphabet characters (a-z)
        Arabic numerals (0-9)
        Non-alphanumeric characters (for example, !$#,%)

Account Policy

Account lockout threshold = 5 invalid attempts
Account lockout duration = 30 minutes
Reset account lockout counter after = 30 minutes

Application password composition – enter applicable data if there is application password
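As an added illustration, not code from DTMB-0170 or from any State of Michigan tooling, the following Python checks a candidate password against the complexity rules quoted above and models the stated lockout policy (5 invalid attempts, 30-minute lockout, counter reset after 30 minutes). Two details are assumptions of the example rather than statements of the page: the "not based on the user's account name" rule is implemented as rejecting any account-name token of three or more characters found in the password, and the 30-minute reset window is measured from the last invalid attempt.

```python
"""Added example (not part of DTMB-0170): a checker for the DTMB 1335.00.20
password rules quoted above and a model of the stated account lockout policy."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Values taken from the Active Directory Password Standard and Account Policy above.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3            # three of the four character categories
LOCKOUT_THRESHOLD = 5              # invalid attempts
LOCKOUT_DURATION_SEC = 30 * 60     # account lockout duration
RESET_COUNTER_AFTER_SEC = 30 * 60  # reset account lockout counter after

CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, account_name: str) -> List[str]:
    """Return the rules the password violates; an empty list means it complies."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(used) < REQUIRED_CATEGORIES:
        problems.append(f"uses {len(used)} of 4 character categories; {REQUIRED_CATEGORIES} required")
    # "Is not based on the user's account name": assumption for this example,
    # reject if any account-name token of three or more characters appears in
    # the password, ignoring case.
    tokens = [t for t in re.split(r"[^a-z0-9]+", account_name.lower()) if len(t) >= 3]
    if any(t in password.lower() for t in tokens):
        problems.append("based on the user's account name")
    return problems


@dataclass
class _LockoutState:
    failures: int = 0
    last_failure_at: float = 0.0
    locked_until: float = 0.0


class LockoutPolicy:
    """Per-account invalid-attempt counter using the Account Policy values above.
    Timestamps are seconds (e.g. time.time()) supplied by the caller so the
    behaviour is deterministic and testable."""

    def __init__(self) -> None:
        self._accounts: Dict[str, _LockoutState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._accounts.get(user, _LockoutState()).locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Record one invalid attempt; return True if this attempt locked the account."""
        st = self._accounts.setdefault(user, _LockoutState())
        # Assumption: the reset window is measured from the last invalid attempt,
        # so a failure after 30 quiet minutes starts a fresh count.
        if st.failures and now - st.last_failure_at >= RESET_COUNTER_AFTER_SEC:
            st.failures = 0
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_DURATION_SEC
            st.failures = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the counter (it does not lift a lock in force)."""
        st = self._accounts.get(user)
        if st:
            st.failures = 0


if __name__ == "__main__":
    for pw in ("Tr0ub4dor!", "password1", "Jsmith#2024"):
        print(pw, "->", check_password(pw, "jsmith") or "complies")
    policy = LockoutPolicy()
    for second in range(LOCKOUT_THRESHOLD):
        print("attempt", second + 1, "locked:", policy.record_failure("jsmith", second))
```

The checker reports every violated rule rather than stopping at the first, which is what a self-service password change page needs in order to give the user one complete list of corrections; the lockout model keeps the attempt counter separate from the lock expiry so that a successful login after a lock has expired clears the count without re-opening the lock window.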

Complies with this control: Yes / No / N/A   See Risk #


Authenticator Feedback (IA-6)

Passwords are obscured when the user keys them into the system. Additionally, the error message displayed on screen when authentication fails does not provide information that could lead to exploitation.

Authentication information fed back to the user is obscured (e.g., asterisks in the password field).

All users and automated system processes are required to authenticate using an approved authentication methodology.
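As an added example, not code from DTMB-0170 or from any State of Michigan system, the following Python contrasts a login check whose failure message reveals which factor was wrong with one that returns a single generic message and takes the same code path whether or not the user ID exists. The user store, the password, the dummy credential and the PBKDF2 parameters are constructed for the example.

```python
"""Added example (not part of DTMB-0170): login responses that do not reveal
whether the user ID or the password was wrong (IA-6)."""
import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ROUNDS = 100_000  # constructed value for the example


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived key)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user store: user ID -> (salt, derived key).
USERS = {"jdoe": hash_password("Tr0ub4dor!")}
# Dummy credential so an unknown user ID goes through the same hashing work
# as a known one instead of returning early.
_DUMMY = hash_password("dummy-credential-for-unknown-users")

GENERIC_FAILURE = "The user ID or password you entered is incorrect."


def login_leaky(user_id: str, password: str) -> Tuple[bool, str]:
    """The pattern IA-6 prohibits: the message differs by which factor failed,
    which confirms to an outsider whether a given user ID exists."""
    if user_id not in USERS:
        return False, "Unknown user ID"
    salt, expected = USERS[user_id]
    if hash_password(password, salt)[1] != expected:
        return False, "Incorrect password"
    return True, "Login successful"


def login_hardened(user_id: str, password: str) -> Tuple[bool, str]:
    """Same decision, one generic failure message, and the same code path whether
    or not the user ID exists. The reason for the failure belongs in the audit
    log, not in the response shown to the user."""
    salt, expected = USERS.get(user_id, _DUMMY)
    _, actual = hash_password(password, salt)
    # compare_digest avoids leaking how many leading bytes of the hash matched.
    ok = hmac.compare_digest(actual, expected) and user_id in USERS
    return (True, "Login successful") if ok else (False, GENERIC_FAILURE)


if __name__ == "__main__":
    for uid, pw in (("jdoe", "Tr0ub4dor!"), ("jdoe", "wrong"), ("nobody", "wrong")):
        print(f"{uid:7} leaky={login_leaky(uid, pw)[1]!r:22} hardened={login_hardened(uid, pw)[1]!r}")
```

The hardened version still records the distinct reason server-side (unknown ID versus bad password) when it writes its audit entry; the point of the control is only that the response returned to the person at the keyboard is the same in both cases.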

Complies with this control: Yes / No / N/A   See Risk #

Cryptographic Module Authentication (IA-7)

The State of Michigan incorporates federal and state statutory and regulatory requirements, national and international security standards, and best practices in its policies and procedures, including the NIST 800 series and FIPS 140-2, Security Requirements for Cryptographic Modules.

The State validates the FIPS 140-2 certification of products used.

Complies with this control: Yes / No / N/A   See Risk #

Identification and Authentication (Non-Organizational Users) (IA-8)

DTMB 1350.40 Access Control Criteria for Right to Use Automated Information Resources establishes, documents, and manages the allocation of user access rights.

Complies with this control: Yes / No / N/A   See Risk #


Incident Response: (See Appendix B for individual control details.)

Incident Response Policy and Procedures (IR-1)DTMB 1350.07 Incident Response Process Life Cycle defines a formal process and establishes a set of measured responses to potential or actual compromises of security or an unauthorized or illegal action or extraordinary occurrence on State of Michigan data networks.

DTMB also has a security policy that establishes a formal statewide Notification of Breach procedure in the event of a security breach. (DTMB 1340.00.01.02) “How to Handle A Breach of Personal Identifiable/ Sensitive Information Incidents”

An incident is an adverse event whereby some aspect of physical or financial security is threatened; confidentiality or privacy of data is violated; data is manipulated, lost or stolen; financial resources or items of value are lost, stolen or misused; or used for unauthorized or unlawful activity.

Complies with this control: Yes / No / N/A   See Risk #

Incident Response Training (IR-2)

Complies with this control: Yes / No / N/A   See Risk #

Incident Response Testing and Exercises (IR-3)

DTMB 1350.07 Incident Response Process Life Cycle defines a formal process and establishes a set of measured responses to potential or actual compromises of security or an unauthorized or illegal action or extraordinary occurrence on State of Michigan data networks.

Complies with this control: Yes / No / N/A   See Risk #


Incident Handling (IR-4 (1))

DTMB has a security policy that establishes a formal statewide Notification of Breach procedure in the event of a security breach. (DTMB 1340.00.01.02) “How to Handle A Breach of Personal Identifiable/ Sensitive Information Incidents”

DTMB 1340.00.01.01 Lost or Stolen State-Owned IT Equipment procedure outlines the actions to be taken when loss or theft of equipment assigned by the Michigan Department of Technology, Management & Budget (DTMB) occurs and to inform employees and contract staff of their responsibilities for DTMB equipment assigned to them.

Complies with this control: Yes / No / N/A   See Risk #

Incident Monitoring (IR-5)

DTMB is responsible for secure operation of all connectivity inside and outside the State of Michigan network. DTMB maintains responsibility for firewalls and routers, as well as ongoing monitoring of all zones within the network. As a matter of regular business operation, intrusion detection scans are run continuously and if a suspicious access attempt is detected, an alert is sent to the Office of Michigan Cyber Security.

DTMB maintains an Operations-Status-Board (OSB). The items on the OSB contain Incidents, Problems, Changes, and Notifications. The OSB is reviewed during the Daystart Teleconference each morning. The moderator of the Daystart Teleconference reviews current incidents, upcoming changes, outstanding problems, and noteworthy announcements.

Complies with this control: Yes / No / N/A   See Risk #

Incident Reporting (IR-6 (1))

DTMB has a security policy that establishes a formal statewide Notification of Breach procedure in the event of a security breach. (DTMB 1340.00.01.02) “How to Handle A Breach of Personal Identifiable/ Sensitive Information Incidents”

DTMB 1340.00.01.01 Lost or Stolen State-Owned IT Equipment procedure outlines the actions to be taken when loss or theft of equipment assigned by the Michigan Department of Technology, Management & Budget (DTMB) occurs and to inform employees and contract staff of their responsibilities for DTMB equipment assigned to them.

Security Incident Report Form DTMB-0094 is used to report any security related incidents.


Complies with this control: Yes / No / N/A   See Risk #

Incident Response Assistance (IR-7 (1))

The Office of Michigan Cyber Security provides assistance and incident response support to agencies for the handling and reporting of security incidents.

Complies with this control: Yes / No / N/A   See Risk #

Incident Response Plan (IR-8)

Complies with this control: Yes / No / N/A   See Risk #

Maintenance: (See Appendix B for individual control details.)

System Maintenance Policy and Procedures (MA-1)

DTMB Policy 1370.00 Information Technology Configuration Management (Issued June 4, 2009) provides guidance for configuration management processes for new and existing IT systems within the State of Michigan and outlines specific responsibilities for Agency Directors and the Director of Information Technology.

DTMB Technical Standard 1340.00.03, DTMB Server Security Operational Standard, documents the procedures for installation, configuration and on-going maintenance actions for servers and cluster systems used to support the range of information technology needs within the State of Michigan.

Service maintenance activities are documented as part of the DTMB Change Control Process. Routine preventative and regular maintenance (including repairs) of system components are performed in accordance with manufacturer or vendor specifications and/or organizational requirements. This includes scheduling, performing, documenting and reviewing maintenance records.

Complies with this control: Yes / No / N/A   See Risk #

Controlled Maintenance (MA-2 (1))


DTMB Policy 1370.00 Information Technology Configuration Management (Issued June 4, 2009) provides guidance for configuration management processes for new and existing IT systems within the State of Michigan and outlines specific responsibilities for Agency Directors and the Director of Information Technology.

Service maintenance activities are documented as part of the change control process and approved by the DTMB Agency Local Change Control Board. Routine preventative and regular maintenance (including repairs) of system components is performed in accordance with manufacturer or vendor specifications and/or organizational requirements. This includes scheduling, performing, documenting and reviewing maintenance records. System maintenance activities are restricted to authorized personnel.

Complies with this control: Yes / No / N/A   See Risk #

Maintenance Tools (MA-3 (1) (2))

DTMB Policy 1365 Information Technology Product Standards Adoption, Acquisition, Development, and Implementation provides guidance in establishing processes to manage the adoption, acquisition, development, and implementation of Information Technology Products. It adopts a set of guiding principles that promote long-term sustainability through standardization and create cost savings opportunities through consolidation of environments and leveraging the State Enterprise's buying power. This policy outlines specific responsibilities for Agency Directors and the Director of Technology, Management and Budget.

The system is in compliance with DTMB Technical Procedure 1345.00.50.08, which defines the detailed outline of the patching process for updating the operating system (O/S), hot fixes, and security updates for servers within the State of Michigan.

Patches are applied manually at non-peak hours to ensure their integrity and to minimize any downtime.

Complies with this control: Yes / No / N/A   See Risk #

Non-Local Maintenance (MA-4 (1) (2))

Complies with this control: Yes / No / N/A   See Risk #

Maintenance Personnel (MA-5)

DTMB 1350.20 Authorization Prerequisite for Access to Protected Data Resources


System maintenance activities are restricted to authorized personnel. Access to system-level accounts is controlled and audited by the DTMB Technical Services Division.

Complies with this control: Yes / No / N/A   See Risk #

Timely Maintenance (MA-6)

The system has maintenance performed at regular intervals (following the same system maintenance procedures in place for the State of Michigan) to prevent system failures or problems.

Complies with this control: Yes / No / N/A   See Risk #

Media Protection: (See Appendix B for individual control details.)

Media Protection Policy and Procedures (MP-1)

DTMB policy 1340.00, Information Technology Information Security Policy, establishes how information security shall be implemented to protect SOM information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure the confidentiality, integrity and availability of SOM information.

Complies with this control: Yes / No / N/A   See Risk #

Media Access (MP-2 (1))

Tape files stored at the hosting centers are only available through the automated tape retrieval processes, which are operated only by Data Center Operations staff.

Only authorized users have access to information, whether printed or electronic.


Complies with this control: Yes / No / N/A   See Risk #

Media Marking (MP-3)

Each server has the standard State of Michigan backup protection provided by the DTMB Enterprise Backup and Recovery (EBUR) section.

Complies with this control: Yes / No / N/A   See Risk #

Media Storage (MP-4)

DTMB policy 1340.00.06 permits storage of confidential or sensitive information on a portable device/media only if all of the following requirements are satisfied:

• Use is restricted to individuals whose job duties require it.
• Access is granted for a finite duration as needed to fulfill the specific functions required to perform a specific job.
• Approval has been obtained from both the employee's department head (or their designee) and the system/data owner. For non-SOM employees, "department" is defined as the SOM Agency contracting with the 3rd party.
• Sensitive data has been encrypted. Encryption must comply with DTMB Standard 1340.00.07 as published.

Unencrypted storage of sensitive information on mobile devices and portable media is prohibited. Please note that SOM Administrative Guide Procedure 1350.90 for data sanitization and media disposal will need to be followed.

SOM laptops are equipped with Safeboot Encryption. It is a full-disk encryption product designed for protecting SOM laptops.

All backups for all servers are stored off-site in a DTMB Hosting Facility. When backups have reached the retention period, they are disposed of or degaussed in compliance with DTMB Procedure 1350.90, Secure Disposal of Installed and Removable Digital Media.

Paper and digital media are stored in a physically secured environment (locked cabinets, secure building, rooms, etc.).

Complies with this control: Yes / No / N/A   See Risk #

Media Transport (MP-5 (2) (4))

MDE restricts the pickup, receipt, transfer, and delivery of media to authorized personnel.

Complies with this control: Yes / No / N/A   See Risk #

Media Sanitization (MP-6)

DTMB Procedure 1350.90, Secure Disposal of Installed and Removable Digital Media.

DTMB 0910.06 Destruction of Confidential Records provides and administers the services necessary to properly destroy confidential records for State agencies.

Paper media containing credit card information is destroyed (cross-cut shredded) at end of day in compliance with DTMB procedure 1350.90, Secure Disposal of Installed and Removable Digital Media. The shredded documents are placed in a locked, serial-numbered bin and picked up on Mondays, Wednesdays and Fridays. The bins are tracked by a vendor until destruction.

Electronic media that needs disposal or is being released for reuse must be sent to the DTMB Depot for reformatting. A software program is used to wipe all data from the storage sectors prior to sending the computer for disposal or reuse. A record is kept that includes the PC tag number, the name of the staff member who wiped the computer, and the date and time. The Depot stores the equipment by agency for inventory control.

Complies with this control: Yes / No / N/A   See Risk #

Physical & Environmental Protection: (See Appendix B for individual control details.)

Physical and Environmental Protection (PE-1 thru PE-18)

DTMB 1345.00 Policy Information Technology Network and Infrastructure establishes the responsibilities as they apply to the utilization of State of Michigan information networks and IT resources.

DTMB 1310.02 Information Processing Security

Physical security throughout State of Michigan facilities is the responsibility of the DTMB Cyber Security Infrastructure Protection.

A comprehensive set of security policies and procedures has been developed that addresses the following:

• Controlling access to State of Michigan facilities
• Background investigation of employees, prospective employees and vendor employees
• Issuance of card keys used to access facilities
• Removal of access for terminated employees/vendor personnel
• Investigation of security violations
• Controlling access to secured areas within State of Michigan facilities


DTMB Cyber Security Infrastructure Protection is also responsible for administering the card key systems and the hiring of physical security vendors.

Card key systems have been installed at State of Michigan facilities to help ensure access is restricted to authorized personnel.

Card keys contain a photo ID of the employee and must be worn at all times.

Visitors to State of Michigan facilities must check in with the security officer stationed at the entrance to the facility. Visitors must present a valid, government-issued photo ID, which is retained by the security officer until the visitor leaves the facility. The visitor must then sign a visitor log and request that his/her visit be approved by a State of Michigan employee, who is authorized to sign non-employees into the facility and who indicates approval by signing the log. The visitor is issued a temporary ID badge to be worn throughout his or her visit. This temporary badge does not permit access through any secured doors within the facility. The visitor's photo ID is returned upon receipt of the visitor badge by the security officer.

State of Michigan Hosting Centers

The State of Michigan has two Tier III, one Tier II and one Tier I computer-hosting centers that have been designed to be reliable, adaptable and resilient data centers within the State. The Tier III sites have multiple power and cooling distribution paths (with only one path active) and redundant components, are concurrently maintainable, and provide 99.982% availability.

The hosting centers have similar security plans. Security begins at the perimeter of the building. Security cameras are in place at all three Hosting Centers and the Computer Room. A security guard is present at all three of the hosting centers and screens all personnel and visitors. Access to all the centers requires a security card and PIN and a Michigan State Police background check.

Critical facility support equipment at all the hosting centers is continuously monitored. If an event occurs at a hosting center site, an alarm is sounded at the Hosting Center site and the appropriate facility manager is immediately contacted. Once alerted, the facility manager directs a coordinated response.

The Hosting Center network is built out with datacenter class routing/switching infrastructure to support dual connectivity to equipment within the Hosting Centers. There is an Enhanced Security Zone within the Hosting Centers that is available to Systems/Applications that call for security from the rest of the SOM network.

The Department’s Storage Strategy provides for tiered information protection across the Department’s storage infrastructure within the Hosting Centers. This strategy provides for higher information availability and lower storage management costs. All storage is moving toward virtual provisioning, wide striping and thin pools.

The Enterprise Backup and Recovery solution is centrally managed and scheduled utilizing the targeted backup solution. This solution takes advantage of the back-end storage switching infrastructure and consolidated off-site disk cache, virtual libraries, Dense Wave Division Multiplexers (DWDM), dedicated fibre channel connectivity and Enterprise class tape libraries with drives using “Fat tape” technologies.

Lake Superior Hosting Center

The Lake Superior Hosting Center is located at the Secondary Complex and is considered a Tier III data center by the Uptime Institute, which provides 99.982% availability. This hosting center is physically supported 7 days a week, 24 hours a day, 365 days a year with on-site computer operations staff and on-call technical support staff. The hosting center has two sources of power: the utility company and on-site diesel electric power generators. The Lake Superior Hosting Center is connected to the State of Michigan Lansing Metropolitan Area Network (LMAN) and to the Traverse Bay Hosting Center via private dark fiber. This fiber connection is redundantly configured, with one link routed underground and a second redundant link routed above ground. The center has 360 tons of cooling capacity and a fire detection system with three levels of alarms. In the event of a fire where the ceiling temperature reaches 165 degrees, a wet sprinkler system is activated.

Lake Ontario Hosting Center

The Lake Ontario Hosting Center is located at the State’s Secondary Complex and is considered a Tier II data center by the Uptime Institute, which provides 99.75% availability, and is staffed Monday through Friday during normal business hours. The staff at the Lake Superior Hosting Center remotely monitors and maintains this facility during non-business hours.

Traverse Bay Hosting Center

The Traverse Bay Hosting Center is located in downtown Lansing and is considered a Tier III data center by the Uptime Institute, which provides 99.982% availability, and houses both test/development and disaster recovery equipment. This center supports services 7 days a week, 24 hours a day, 365 days a year. It is staffed Monday through Friday during normal business hours. The staff at the Lake Superior Hosting Center remotely monitors and maintains this facility during non-business hours.

Lake St. Clair Computer Room (LCCR)

The Lake St. Clair Computer Room is located at Cadillac Place in Detroit and is considered a Tier I data center by the Uptime Institute. This facility houses local systems that cannot be housed in Lansing and some critical applications with a requirement to be located in excess of fifty miles from the production system. The site is staffed on an as-needed basis, and on-call Technical Support and facility staff maintain this facility during non-business hours. The computer room is connected to the State of Michigan LMAN, with a redundant path over Connectionless Broadband Digital Service (CBDS).

Complies with this control: Yes / No / N/A    See Risk #

Planning: (See Appendix B for individual control details.)

Security Planning Policy and Procedures (PL-1)

DTMB policy 1340.00 – Information Technology Information Security Policy establishes how information security shall be implemented to protect SOM information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity and availability of SOM information.

Complies with this control: Yes / No / N/A    See Risk #


System Security Plan (PL-2)

The Security Plan document (DTMB-170) serves as the instrument to capture the plans for providing cost-effective security protection for SOM systems. This document contains a detailed technical description of the configuration management, roles and responsibilities, and security controls implemented to provide protection against risks and vulnerabilities.

Complies with this control: Yes / No / N/A    See Risk #

Rules of Behavior (PL-4)

DTMB has established, and makes readily available to all information system users, a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage (DTMB Policy 1460.00). DTMB receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to the information system and its resident information.

Access privileges to MDE’s computer resources and information assets are granted to an individual user or class (group) of users for authorized business purposes only, and are limited and restricted to the minimum set of access privileges for the performance of their respective job duties (i.e., a need-to-know or least privilege concept).

Complies with this control: Yes / No / N/A    See Risk #

Privacy Impact Assessment (PL-5)

Only applicable if a Federal system.

Complies with this control: Yes / No / N/A    See Risk #

Security-Related Activity Planning (PL-6)

Prior to the migration of any change (hotfix, release, patch, upgrade, system change, etc.) or upcoming security assessment (e.g., state audit, safeguard review, internal risk assessment), coordination is done between DTMB and the Agency to inform them of potential operational impact. If possible, security assessment activities that will have operational impact are performed during non-business hours to reduce impact to operations.

DTMB conducts regular change control board meetings and circulates for approval all Requests for Change (RFC).


Complies with this control: Yes / No / N/A    See Risk #

Personnel Security: (See Appendix B for individual control details.)

Personnel Security Policy and Procedures (PS-1)

DTMB 200.03 – Employee Background Policy

The Agency uses user IDs and passwords for access control and for user accountability. Each account is assigned to a single individual. Sharing accounts is not permitted.

Civil Service Rules and Regulations govern state classified employment. Rules have the force and effect of law. Regulations implement the rules issued by the commission. The Michigan Civil Service Commission provides policy for state employee position categorization, personnel screening, personnel termination and transfer.

DTMB’s Security and Management Policy and Procedure 300.23 requires each employee to visibly display an identification badge while within State of Michigan premises. Persons without proper access authorizations are escorted or directed to the security group/receptionist at the sites. All employees are expected to use their own identification badge for access into the building as well as any restricted areas. When employment is terminated, information system access is terminated, exit interviews are conducted, and all information system-related property is returned (e.g., photo ID badge, keys, etc.).

Complies with this control: Yes / No / N/A    See Risk #

Position Categorization (PS-2)

The Michigan Civil Service Commission provides policy for state employee position categorization, personnel screening, personnel termination and transfer.

Complies with this control: Yes / No / N/A    See Risk #

Personnel Screening (PS-3)

State of Michigan employees are screened through NEOGOV, the automated selection and hiring system used by the Civil Service Commission, which includes a background check via ICHAT (Internet Criminal History Access Tool) and a drug test. Candidates for Security Positions are subject to a name-based and fingerprint criminal history check, employment eligibility check, and employment reference checks. In addition, the State Police will report any criminal activity matched to fingerprints to the Department.


Complies with this control: Yes / No / N/A    See Risk #

Personnel Termination (PS-4)

The Michigan Civil Service Commission provides policy for state employee position categorization, personnel screening, personnel termination and transfer.

Upon separation or transfer, a Network User ID Request form (DTMB-0161) and an Employee/Contractor Departure Checklist form (DTMB-0034) are required to be completed.

Complies with this control: Yes / No / N/A    See Risk #

Personnel Transfer (PS-5)

The Michigan Civil Service Commission provides policy for state employee position categorization, personnel screening, personnel termination and transfer.

Upon separation or transfer, a Network User ID Request form (DTMB-0161) and an Employee/Contractor Departure Checklist form (DTMB-0034) are required to be completed.

Complies with this control: Yes / No / N/A    See Risk #

Access Agreements (PS-6)

Any SOM individual who is granted access to personal information may only access it using a role defined for the specific set of tasks required of their position. Form DTMB-0161, Network User ID Request, is required before access is granted.


The DTMB-0927 Physical Security Access Request form is required to be completed and signed for any individual requesting access to DTMB secured facilities.

The DTMB-0928 Contractor Security Agreement or the DTMB-0929 IT Employee Security Agreement is filled out to ensure the individual acknowledges and agrees to comply with the State of Michigan Computer Crime Law, Civil Service Rule 2-8.1 (Conflict of Interest), Network Security Policy Procedure 1410.17 and the IT Acceptable Use Act 1460.00, as well as HIPAA confidentiality requirements. DTMB-0928 and DTMB-0929 are required to be renewed annually. Contractor access cards are only authorized for a one-year period.

Contractors have signed a Non-disclosure Agreement (DTMB-0049) before access is granted.

Non-Disclosure Contractor Security Agreements (DTMB-0928) have been completed and signed where appropriate.

Users have signed the End User Computing Agreement (DTMB-0929) before access is granted.

Complies with this control: Yes / No / N/A    See Risk #

Third-Party Personnel Security (PS-7)

DTMB 200.32 – Contractor Background Check Policy

All contracted employees have had a background check (DTMB-0021) performed, have read and signed Contractor Security Form DTMB-0928 and the DTMB 1460.00 Acceptable Use Policy, and have signed the End User Computing Agreement DTMB-0929.

Complies with this control: Yes / No / N/A    See Risk #

Personnel Sanctions (PS-8)

200.25 – IT Violations to Acceptable Use Policy

Violators of policies and procedures are subject to disciplinary measures including privilege revocation and/or employment termination. In addition, the formal sanctions process includes penalties for unauthorized disclosure of PI/PII.

Complies with this control: Yes / No / N/A    See Risk #

Risk Assessment: (See Appendix B for individual control details.)

Risk Assessment Policy and Procedures (RA-1)

DTMB policy 1340.00 – Information Technology Information Security Policy establishes how information security shall be implemented to protect SOM information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity and availability of SOM information.

Complies with this control: Yes / No / N/A    See Risk #

Security Categorization (RA-2)

MDE and DTMB Agency Services/MDE work with the Office of Michigan Cyber Security to develop a comprehensive security and risk assessment document (DTMB-170). This document serves as documentation of the structured process of planning adequate, cost-effective security protection for a system. This document contains detailed technical information about the system, its security requirements, and the controls implemented to provide protection against its risks and vulnerabilities. This document is submitted to obtain a formal security sign-off from the sponsors of a new or existing system.

The risk assessment document contains:
- Data classification section
- System and Information Security Level (Low, Moderate, High)

Complies with this control: Yes / No / N/A    See Risk #

Risk Assessment (RA-3)

An Enterprise Architecture Solutions Assessment (EASA) document captures the key elements of each technical solution that is currently in production or is being proposed as a new solution. The EASA identifies all key components of a solution and their position on the EA Technology Roadmaps. This enables a rapid risk assessment for all reviewed solutions.

Enter EA #

MDE and DTMB Agency Services/MDE work with the Office of Michigan Cyber Security to develop a comprehensive security and risk assessment document (DTMB-170). This document serves as documentation of the structured process of planning adequate, cost-effective security protection for a system. This document contains detailed technical information about the system, its security requirements, and the controls implemented to provide protection against its risks and vulnerabilities. This document is submitted to obtain a formal security sign-off from the sponsors of a new or existing system.

The risk assessment document contains a section in the appendix that analyzes the following:
- Threat source
- Risk if a control is not implemented
- Current controls in place
- Probability of occurring (H, M, L)
- Impact if it does occur (H, M, L)
- Recommended mitigating additional controls

Complies with this control: Yes / No / N/A    See Risk #

Vulnerability Scanning (RA-5 (1))

The Office of Michigan Cyber Security uses Qualys’ security and compliance suite to manage the State of Michigan’s IT vulnerability management program.

QualysGuard® Vulnerability Management (VM) automates the process of performing vulnerability assessments across the enterprise and gives the State of Michigan access to a comprehensive vulnerability KnowledgeBase. It provides both external and internal scans of the SOM infrastructure. These scans provide comprehensive reports on vulnerabilities, including severity levels, time-to-fix estimates and impact on business, plus trend analysis on security issues, which are then used to remediate vulnerabilities found within the infrastructure.

The vulnerability scan tests the effectiveness of PCI compliance policy and controls by examining the network infrastructure for vulnerabilities. The scan systematically tests and analyzes IP devices, services and applications against known security holes. A post-scan compliance report reveals actual vulnerabilities and states what needs fixing.

In a PCI security zone, MCS requires that each Confirmed Vulnerability and Potential Vulnerability identified on the compliance report as “Failed PCI” be remediated. In all zones, Confirmed Vulnerabilities and Potential Vulnerabilities identified with a Severity Level of 3-5 must be remediated.

All servers are scanned for vulnerabilities and remediations made prior to implementing new firewall rules. In the event a vulnerability cannot be remediated, an exception (DTMB-0400) is completed and approved or denied by the Technical Review Board (TRB) or Executive Technology Review Board (ETRB). False positive reports are submitted to the Office of Michigan Cyber Security (MCS) for approval and kept on file by MCS.

Vulnerability scans are maintained by Qualys for a minimum of 2 years.
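The remediation rule above (“Failed PCI” findings in a PCI zone, severity 3-5 findings in every zone, less any approved DTMB-0400 exception or MCS-accepted false positive) is easy to get wrong when triaging a scan export by hand. The following is an added example, not part of DTMB-0170 or Qualys’ product; the finding fields, host names and QIDs are constructed for illustration and do not follow Qualys’ actual export schema.

```python
"""Added example: triage scan findings against the RA-5 remediation rule.

Not part of the DTMB-0170 template or of Qualys' product. The Finding
fields, host names and QIDs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Severity levels that must be remediated in every zone (from the text).
REMEDIATE_SEVERITIES = {3, 4, 5}
# Only Confirmed and Potential findings are actionable; informational
# results are ignored by the rule.
ACTIONABLE_STATUSES = {"Confirmed", "Potential"}


@dataclass(frozen=True)
class Finding:
    host: str
    qid: int            # constructed scanner check id
    title: str
    status: str         # "Confirmed", "Potential" or "Information Gathered"
    severity: int       # 1-5
    zone: str           # e.g. "PCI", "DMZ", "Internal"
    failed_pci: bool = False   # flagged "Failed PCI" on the compliance report


@dataclass
class ExceptionRegister:
    # (host, qid) pairs with a TRB/ETRB-approved DTMB-0400 exception.
    approved_exceptions: set = field(default_factory=set)
    # (host, qid) pairs MCS has accepted as false positives.
    approved_false_positives: set = field(default_factory=set)


def remediation_required(f: Finding) -> bool:
    """Apply the zone-aware rule to one finding, ignoring exceptions."""
    if f.status not in ACTIONABLE_STATUSES:
        return False
    # PCI zone: any actionable "Failed PCI" finding, regardless of severity.
    if f.zone == "PCI" and f.failed_pci:
        return True
    # All zones: severity 3-5 must be remediated.
    return f.severity in REMEDIATE_SEVERITIES


def triage(findings, register: ExceptionRegister) -> dict:
    """Bucket findings into remediate / excepted / false_positive / ignored.

    A false-positive acceptance is checked before an exception so that a
    finding MCS has rejected as a false positive is not reported as an open
    exception still awaiting remediation.
    """
    buckets = {"remediate": [], "excepted": [], "false_positive": [], "ignored": []}
    for f in findings:
        if not remediation_required(f):
            buckets["ignored"].append(f)
            continue
        key = (f.host, f.qid)
        if key in register.approved_false_positives:
            buckets["false_positive"].append(f)
        elif key in register.approved_exceptions:
            buckets["excepted"].append(f)
        else:
            buckets["remediate"].append(f)
    return buckets


def firewall_rule_gate(findings, register: ExceptionRegister) -> bool:
    """True only when nothing still requires remediation, i.e. a new
    firewall rule may proceed under the 'scan before new rules' practice."""
    return not triage(findings, register)["remediate"]


# Constructed sample scan results (not real hosts or real scanner output).
SAMPLE_FINDINGS = [
    Finding("srv-pay-01", 110001, "weak TLS configuration", "Confirmed", 2, "PCI", failed_pci=True),
    Finding("srv-pay-01", 110002, "banner disclosure", "Potential", 1, "PCI"),
    Finding("srv-app-02", 110003, "outdated web framework", "Confirmed", 4, "Internal"),
    Finding("srv-app-02", 110004, "possible directory listing", "Potential", 3, "Internal"),
    Finding("srv-web-03", 110005, "remote code execution in service", "Confirmed", 5, "DMZ"),
    Finding("srv-web-03", 110006, "open port inventory", "Information Gathered", 5, "DMZ"),
]

SAMPLE_REGISTER = ExceptionRegister(
    approved_exceptions={("srv-app-02", 110003)},       # DTMB-0400 approved by TRB
    approved_false_positives={("srv-app-02", 110004)},  # accepted by MCS
)

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, SAMPLE_REGISTER)
    for bucket, items in result.items():
        print(bucket, [(f.host, f.qid) for f in items])
    print("firewall rule may proceed:", firewall_rule_gate(SAMPLE_FINDINGS, SAMPLE_REGISTER))
```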


Enter scanning schedule if servers are on one???

Complies with this control: Yes / No / N/A    See Risk #

System & Services Acquisition: (See Appendix B for individual control details.)

System and Services Acquisition Policy and Procedures (SA-1)

DTMB policy 1365.00 Information Technology (IT) Product Standards Adoption, Acquisition, Development, and Implementation Policy addresses information technology product standards.

The State of Michigan (SOM) contract boilerplate language describes how a request for general services or IT services is purchased.

Complies with this control: Yes / No / N/A    See Risk #

Allocation of Resources (SA-2)

DTMB Policy 1340.00 – This policy establishes the State of Michigan (SOM) executive management strategic view of how information security shall be implemented to protect SOM information from unauthorized access, use, disclosure, modification, destruction, or denial and to ensure confidentiality, integrity and availability of SOM information.

Complies with this control: Yes / No / N/A    See Risk #


Life Cycle Support (SA-3)

DTMB Policy 1360.00 Systems Engineering Methodology provides the framework for the State’s Systems Development Lifecycle Methodology. This policy provides guidance for the development, enhancement, and maintenance of new and existing IT systems within the State of Michigan. DTMB and its client agencies are required to follow the Systems Engineering Methodology for all new initiatives as well as enhancement and maintenance of existing systems.

Complies with this control: Yes / No / N/A    See Risk #

Acquisitions (SA-4 (1) (4))

All DTMB contracts contain required contract language related to State of Michigan security requirements. All services and products provided as a result of a contract shall comply with all applicable State IT policies and standards. Contractors shall request any exception to State IT policies and standards in accordance with DTMB processes. The State may deny the exception request or seek a policy or standards exception.

Complies with this control: Yes / No / N/A    See Risk #

Information System Documentation (SA-5 (1) (3))

EA Assessment #

DTMB and the agency projects include documentation of requirements in design sessions that are signed off by the business owner.
- SEM documents
- User guides
- TRB/ETRB

Complies with this control: Yes / No / N/A    See Risk #


Software Usage Restrictions (SA-6)

DTMB maintains a technology roadmap of all approved software and hardware for desktops/laptops and systems (servers). Any software requested by the agencies that is non-standard or not already approved is considered an exception and would need to be reviewed and approved by the DTMB Standards Committee. All exceptions are tracked and reviewed annually.

Complies with this control: Yes / No / N/A    See Risk #

User-Installed Software (SA-7)

Workstations are secured through DTMB Automated Software Delivery and a consolidated anti-virus system. Symantec Endpoint Protection prevents users from installing software that is not “pushed” down by the IT help desk. All software must be formally requested through the IT help desk and the Remedy system, and access to software is strictly controlled. Desktop users do not have ADMIN rights, so they are not able to add or remove software programs. Moreover, personal peripherals (for example digital cameras and PDAs) are not supported.

The DTMB Office of Automation prepares and tests all software installation packages, and provides these packages through automated installation process upon approval.

Complies with this control: Yes / No / N/A    See Risk #

Security Engineering Principles (SA-8)

DTMB Policy 1360.00 Systems Engineering Methodology provides the framework for the State’s Systems Development Lifecycle Methodology. This policy provides guidance for the development, enhancement, and maintenance of new and existing IT systems within the State of Michigan. DTMB and its client agencies are required to follow the Systems Engineering Methodology for all new initiatives as well as enhancement and maintenance of existing systems.

Any changes to the infrastructure must first be approved by the Department of Technology, Management and Budget (DTMB) Enterprise Architecture committee. DTMB’s Office of Michigan Cyber Security has developed a detailed Security Plan & Assessment (DTMB-170) which must be approved prior to any changes. Additionally, a Request For Change (RFC) must be submitted and approved prior to implementation.


Complies with this control: Yes / No / N/A    See Risk #

External Information System Services (SA-9)

List contracts, SLAs

Complies with this control: Yes / No / N/A    See Risk #

Developer Configuration Management (SA-10)

DTMB Policy 1370.00 – Information Technology Configuration Management provides guidance for configuration management processes for new and existing IT systems within the State of Michigan and outlines specific responsibilities for Agency Directors and the Director of DTMB.

Complies with this control: Yes / No / N/A    See Risk #

Developer Security Testing (SA-11)

Complies with this control: Yes / No / N/A    See Risk #

System & Communication Protection: (See Appendix B for individual control details.)

System and Communications Protection Policy and Procedures (SC-1)

DTMB 1345.00 Information Technology Network and Infrastructure Policy

DTMB 1305.00 Enterprise Information Technology Policy

System and communication protection controls are developed, documented and disseminated through the State of Michigan Administrative Guide.

Complies with this control: Yes / No / N/A    See Risk #

Application Partitioning (SC-2)

DTMB employs an N-Tier development methodology (SUITE Process) that outlines the Software Development Life Cycle (SDLC) along with considerations for procurement and data security. With regard to application interfaces and back-end storage, the connection point for users is a content management switch, which handles all SSL-based communications with client workstations. Behind the content management switch, web servers maintain session identifiers and act as load balancers to the application servers. The application servers execute all business logic and initiate all interactions with the respective databases. The databases are segregated from the application servers by network security zone.

Complies with this control: Yes / No / N/A    See Risk #

Information in Shared Resources (SC-4)

DTMB employs Role-Based Access Control (RBAC) for all user and service accounts. In addition, the DTMB-161 process (Network User ID Request) controls all network access via management authorization. Also, the DTMB-0090 (Firewall Rule Request) process controls all communication ports across zones for all applications.

Complies with this control: Yes / No / N/A    See Risk #

Denial of Service Protection (SC-5)

DTMB is responsible for secure operation of all connectivity inside and outside the State of Michigan network. DTMB maintains responsibility for firewalls and routers, as well as ongoing monitoring of all zones within the network. As a matter of regular business operation, intrusion detection scans are run continuously, and if a suspicious access attempt is detected, an alert is sent to the Office of Michigan Cyber Security.

Complies with this control: Yes / No / N/A    See Risk #

Boundary Protection (SC-7 (1) (2) (3) (4) (5) (7))

DTMB 1350.80 Firewall and SOM-NET Perimeter Security Standard

Firewalls and routers are key components of the SOM architecture that control entry to and exit from the network. These devices are software or hardware devices that block unwanted access and manage authorized access into and out of the network.


DTMB is responsible for secure operation of all connectivity inside and outside the State of Michigan network. DTMB maintains responsibility for firewalls and routers, as well as ongoing monitoring of all zones within the network. As a matter of regular business operation, intrusion detection scans are run continuously, and if a suspicious access attempt is detected, an alert is sent to the Office of Michigan Cyber Security.

Complies with this control: Yes / No / N/A    See Risk #

Transmission Integrity (SC-8 (1))

DTMB 1340.00.07 Electronic Data Encryption defines the requirement to use a method of encryption when data is in transit across internal or external networks.

Complies with this control: Yes / No / N/A    See Risk #

Transmission Confidentiality (SC-9 (1))

DTMB 1340.00.07 Electronic Data Encryption defines the requirement to use a method of encryption when data is in transit across internal or external networks.

Complies with this control: Yes / No / N/A    See Risk #

Network Disconnect (SC-10)

All network connections are terminated after completion of the communication session.


Complies with this control: Yes / No / N/A    See Risk #

Cryptographic Key Establishment and Management (SC-12)

Any servers or applications which use VeriSign certificates have an encryption key length of 1024 bits or greater. All certificates issued internally by Office Automation use an encryption key length of 2048 bits.

NOTE: Effective calendar year 2013, all certificate renewals must include an increase in public key length to 2048 bits.

Complies with this control: Yes / No / N/A    See Risk #

Use of Cryptography (SC-13)

DTMB 1340.00.06 Storage of Sensitive Information on Mobile Devices and Portable Media

DTMB Standard 1340.00.07 Electronic Data Encryption

Complies with this control: Yes / No / N/A    See Risk #

Public Access Protections (SC-14)

DTMB Procedure 1350.18 documents the baseline practices necessary to enhance, maintain, and monitor the security profile of all State of Michigan hosts made available for public access via the Internet.

A DMZ limits inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports.


Complies with this control: Yes / No / N/A    See Risk #

Collaborative Computing Devices (SC-15)

Complies with this control: Yes / No / N/A    See Risk #

Public Key Infrastructure Certificates (SC-17)

DTMB Office of Automation (OA) currently administers VeriSign SSL certificates, which are used for external (Internet) servers. These are billable certificates. OA buys a pool of licenses (standard and premium) and allocates them by request to the application teams. Agencies are charged back for the licenses they use. The Standard certificates support negotiated bit strengths of 40, 56 and 128. The Premium certificates are forced to 128-bit strength only.

DTMB OA also maintains a Microsoft certificate authority (CA) to support self-signed certificates internally (intranet). These certificates are non-billable. PCs and servers that are members of the SOM domain are configured by AD policy to trust this CA by default.

Complies with this control: Yes / No / N/A    See Risk #

Mobile Code (SC-18)

Complies with this control: Yes / No / N/A    See Risk #

Voice Over Internet Protocol (SC-19)

DTMB Telecommunications Voice over Internet Protocol communications are IP-based and protected through compliance with a variety of DTMB security standards. In addition, the DTMB VoIP implementation adheres to NIST SP 800-58 or the manufacturer’s security recommendations.


Complies with this control: Yes / No / N/A    See Risk #

Secure Name/Address Resolution Service (Authoritative Source) (SC-20 (1))

State of Michigan servers and workstations use State of Michigan Active Directory (AD) Domain Name Service (DNS) servers. The response from DNS is authoritative.

Complies with this control: Yes / No / N/A    See Risk #

Architecture and Provisioning for Name/Address Resolution Services (SC-22)

State of Michigan servers and workstations use State of Michigan Active Directory (AD) Domain Name Service (DNS) servers. The response from DNS is authoritative.

Complies with this control: Yes / No / N/A    See Risk #

Session Authenticity (SC-23)

Kerberos is used to verify authenticity for Windows system calls. Kerberos is a shared-secret authentication protocol. Kerberos requires both client and server to authenticate (log on), thus preventing an intruder from impersonating either the client or the server.

Complies with this control: Yes / No / N/A    See Risk #


Protection of Information at Rest (SC-28)

DTMB policy 1340.00.06 permits storage of confidential or sensitive information on portable devices/media only if all of the following requirements are satisfied:
• Use is restricted to individuals whose job duties require it.
• Access is granted for a finite duration, as needed to fulfill the specific functions required to perform a specific job.
• Approval has been obtained from both the employee’s department head (or their designee) and the system/data owner. For non-SOM employees, “department” is defined as the SOM Agency contracting with the 3rd party.
• Sensitive data has been encrypted. Encryption must comply with the DTMB Standard 1340.00.07 as published.

Unencrypted storage of sensitive information on mobile devices and portable media is prohibited. Please note that SOM Administrative Guide Procedure 1350.90 for data sanitation and media disposal will need to be followed.

SOM laptops are equipped with Safeboot Encryption. It is a full-disk encryption product designed for protecting SOM laptops.

Complies with this control: Yes / No / N/A    See Risk #

Information System Partitioning (SC-32)

DTMB maintains responsibility for firewalls and routers, as well as ongoing monitoring of all zones within the network. As a matter of regular business operation, intrusion detection scans are run continuously, and if a suspicious access attempt is detected, an alert is sent to the Office of Michigan Cyber Security.

Complies with this control: Yes / No / N/A    See Risk #

System and Information Integrity: (See Appendix B for individual control details.)

System and Information Integrity Policy and Procedures (SI-1)


DTMB policy 1340.00 – Information Technology Information Security Policy establishes how information security shall be implemented to protect SOM information from unauthorized access, use, disclosure, modification, destruction, or denial, and to ensure the confidentiality, integrity and availability of SOM information.

Complies with this control: Yes / No / N/A    See Risk #

Flaw Remediation (SI-2 (2))

Information system flaws are reported to DTMB via the Remedy system.

Newly released security patches, service packs, and hot fixes are tested for effectiveness and potential side effects on the information systems before installation.

Complies with this control: Yes / No / N/A    See Risk #

Malicious Code Protection (SI-3 (1) (2) (3))

The IBM AppScan tool is used to simulate a hacking attempt on the web application by attempting to bypass the security controls that have been implemented. Vulnerabilities are remediated based on their Common Vulnerability Scoring System (CVSS) score.

All Windows based servers run Windows Firewall and Symantec Antivirus.

Network intrusion prevention and detection systems are in place to monitor network and/or system activities for malicious or unauthorized access attempts. If an attack is detected, a response module provides options to notify and alert an operator to take explicit actions to stop the attack at hand and prevent any malicious or unauthorized access attempts.

Workstations and servers are members of the State of Michigan’s anti-virus system.

Complies with this control: Yes / No / N/A    See Risk #

Information System Monitoring (SI-4 (2) (4) (5) (6))

DTMB maintains responsibility for firewalls and routers, as well as ongoing monitoring of all zones within the network. As a matter of regular business operation, intrusion detection scans are run continuously, and if a suspicious access attempt is detected, an alert is sent to the Office of Michigan Cyber Security.


Network Intrusion prevention and detection solutions are in place to monitor network and/or system activities for malicious or unwanted behavior.

Complies with this control: Yes / No / N/A    See Risk #

Security Alerts, Advisories, and Directives (SI-5)

The Office of Michigan Cyber Security and DTMB Technical Services subscribe to a number of security issue/advisory alert systems (US-CERT and other private security partners). Depending on the threat level and exposure, these alerts are turned into either immediate remedial action, if necessary, or a planned maintenance event.

Complies with this control: Yes / No / N/A    See Risk #

Software and Information Integrity (SI-7 (1))

The DTMB 1345.00.50.06 File Integrity Monitoring Procedure has been developed to validate the integrity of the Operating System (OS), applications, and other critical system-related functions. The File Integrity service gathers information and raises an alert if the event source has been compromised.

Complies with this control: Yes / No / N/A    See Risk #

Spam Protection (SI-8)

DTMB Office Automation (OA) is responsible for SPAM and anti-virus protection and filtering on inbound mail.

DTMB OA is responsible for blocking SPAM on internal mail.

DTMB OA is responsible for maintaining server and workstation antivirus and malware protection.

DTMB Michigan Cyber Security (MCS) and DTMB Telecom are responsible for maintaining malware payload filtering at Internet connection points to SOM networks.

Complies with this control: Yes / No / N/A    See Risk #


Information Input Restrictions (SI-9)

All input into information systems is restricted to authorized personnel. For an employee to obtain authorization to a system, they must complete form DTMB-161, which lists the systems to be accessed as well as the level of access. This access request is then reviewed and approved by a supervisor.

At the workstation level, all workstations are password protected and have automatic screen savers that activate when the workstation is idle for 10 minutes.

Complies with this control: Yes / No / N/A    See Risk #

Information Input Validation (SI-10)

Complies with this control: Yes / No / N/A    See Risk #

Error Handling (SI-11)

Windows security logs record error conditions in accordance with centrally defined policies for auditing.

Complies with this control: Yes / No / N/A    See Risk #

Information Output Handling and Retention (SI-12)

Complies with this control: Yes / No / N/A    See Risk #


5.5 Infrastructure/Network Diagram


5.6 Data Flow Diagram


6.0 Security Analysis (To be completed by MCS Security Liaison)

The Office of Michigan Cyber Security believes that the recommended additional controls listed in the analysis below will further reduce the security risk to the public, maintain the SOM’s business objective of protecting the public, and are relevant and responsive to the threats identified; it therefore strongly recommends that these controls be incorporated into your system in a deliberate and timely manner.

The Office of Michigan Cyber Security makes no warranty that the threats/vulnerabilities or recommended controls identified in the Security Analysis are all inclusive.

Each numbered threat/vulnerability below is listed with: Risks if a control is not implemented; Controls Currently Implemented in the Project (See Section 5.4/6.4); Probability (H, M, L)*; Impact (H, M, L)*; Recommended Additional Controls.

1. Lack of data classification by Agency
Risks if a control is not implemented: Data not properly classified could lead to the following:
• Confidentiality risks – These risks represent unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction of information.
• Integrity risks – These risks represent threats to business resources from unauthorized users and malicious code that attempt to corrupt the business data or the system on which it relies.
• Availability risks – These risks represent threats to business processes by unauthorized users and malicious code that attempt to disrupt the way business is done and how information is processed.
Controls Currently Implemented in the Project:
Probability: Moderate
Impact: Moderate
Recommended Additional Controls:
• Agency to develop a data classification by which it assigns a level of sensitivity and an owner to each piece of information that it owns and maintains. Classify information and the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
• Compliance with DTMB Policy 1340.00 Information Technology Security


2. Lack of Security Awareness program from Agency
Risks if a control is not implemented: If personnel are not educated about their security responsibilities, the security safeguards and processes that have been implemented may become ineffective through errors or intentional actions and could cause:
• Damage to Agency reputation
• Loss of citizens’ trust
• Failure to adhere to legal requirements
• Financial loss
• Loss of business or service to citizens
• Inadequate protection of sensitive or confidential information
Controls Currently Implemented in the Project:
Probability: Moderate
Impact: Moderate
Recommended Additional Controls:
• Agency to create a security awareness training program in compliance with DTMB policy 1325.00 – Information Technology Security Awareness
• Compliance with NIST 800-53; AT-1 thru AT-4

3. Lack of Incident Response
Risks if a control is not implemented: If a possible breach of PII is reported by citizens and the Agency is not prepared to respond, this could cause:
• Identity Theft
• Fraud
• Financial Loss
• Compromise of confidentiality and integrity of data
• Legal Ramifications
Controls Currently Implemented in the Project: Audit logs
Probability: Low
Impact: Moderate
Recommended Additional Controls: Agency is aware of and creates an incident response plan in compliance with:
• DTMB policy 1340.00 – Information Technology Information Security Policy, which establishes how information security shall be implemented to protect SOM information from unauthorized access, use, disclosure, modification, destruction, or denial, and to ensure the confidentiality, integrity and availability of SOM information.
• DTMB procedure 1340.00.01.02, which defines How to Handle a Breach of Personal Identifiable/Sensitive Information Incidents
• DTMB Policy/Procedure 100.20 – Compliance with Identity Theft Protection Act


4. Lack of DR/BCP and update
Risks if a control is not implemented: Not having a DR/BCP results in the Agency’s inability to prepare for, respond to, manage, and recover from adverse events that may affect its mission.
If the DR/BCP is not reviewed/updated at least annually for system/Agency changes, or when problems are encountered during system implementation, execution, or testing, the plan may not accurately reflect the mission, functions, or business processes supported by the information system, and therefore may not be a viable plan, which could result in:
• Resource ramifications to Agency
• Efficiency ramifications to customer
• Inability to provide required federal reports
Controls Currently Implemented in the Project:
• Primary and secondary systems located in different hosting centers
• Backups of the system are performed and stored in an off-site location
Probability: Low
Impact: Moderate
Recommended Additional Controls:
• Compliance with DTMB 1390.00 Policy - Information Technology Continuity of Business Planning
• Completion of Business Application Criticality Request (DTMB-208) by Agency and DTMB/Agency Services
• Compliance with NIST 800-53; CP-2 Contingency Plan, CP-10 Info Systems Recovery and Reconstitution
• Create and review the DR/BCP at least annually to address system/Agency changes, or problems encountered during system implementation, execution or testing. Revise the plan as necessary for these changes and communicate updates to the appropriate organizational elements responsible for related plans.

5. Lack of testing and training of DR/BCP
Risks if a control is not implemented: A DR/BCP must be maintained in a state of readiness, which includes having personnel trained to fulfill their roles and responsibilities within the plan, having the plan exercised in a secure environment to validate its content, and having systems and system components tested to ensure their operability in the operational environment specified by the plan. Lack of a tested DR/BCP will hinder the Agency’s ability to prepare for, respond to, manage, and recover from adverse events that may affect its mission.
Controls Currently Implemented in the Project:
Probability:
Impact:
Recommended Additional Controls:
• Compliance with NIST 800-53; CP-3 Contingency Training & CP-4 Contingency Plan Testing and Exercises


6. Transmission of PI/PII
Risks if a control is not implemented: PII transmitted unencrypted within the SOM network. An unauthorized individual could gain access to the data while it is transmitted, resulting in the following:
• Identity Theft
• Fraud
• Financial Loss
• Compromise of confidentiality and integrity of data
• Legal Ramifications
Controls Currently Implemented in the Project:
• Access controls
• Audit logs
Probability: Low
Impact: Moderate
Recommended Additional Controls:
• Compliance with DTMB 1340.00.07, which ‘….defines a requirement to use a method of encryption both when data is in transit across internal or external networks….. State of Michigan’s requirements for encrypting transmitted data:
  • Centrally managed digital certificates.
  • Approved data encryption methods include 3DES or AES with up to 256 bits, with 128 bits the absolute minimum for moving data over internally managed networks.
  • Message data integrity from source to host will be verified by making sure the message hasn’t been modified since it left the storage source by adding an encrypted digest to the message, using either the MD5 or the SHA-1 algorithms.’
• Compliance with NIST 800-53; SC-8 Transmission Integrity & SC-9 Transmission Confidentiality
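As an added example (not part of the DTMB form and not DTMB tooling), the following Python script checks the TLS cipher suites an endpoint offers against the transmission requirements quoted above from DTMB 1340.00.07 (3DES or AES, 128-bit minimum, an integrity digest) and reports the weakest strength a peer could still negotiate, which is the same question the SC-17 description raises for Standard certificates that allow 40- and 56-bit negotiation. The suite lists, the IANA-name parser and the acceptance of SHA-2 digests are assumptions made here, not values from the policy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Transmission-encryption values quoted on this page from DTMB 1340.00.07:
# approved methods are 3DES or AES, 128 bits is the absolute minimum, and an
# integrity digest must accompany the message (the page names MD5 or SHA-1).
APPROVED_CIPHERS = {"AES", "3DES"}
MIN_KEY_BITS = 128
# "SHA" is SHA-1 in IANA suite names; accepting SHA256/SHA384 too is an
# assumption made here, since TLS 1.2 AEAD suites carry nothing weaker.
ACCEPTED_DIGESTS = {"MD5", "SHA", "SHA256", "SHA384"}

# IANA naming: TLS_<key exchange>_WITH_<cipher spec>_<digest>
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)"
    r"_(?P<digest>MD5|SHA256|SHA384|SHA|NULL)$"
)

@dataclass
class SuiteCheck:
    suite: str
    cipher: str       # cipher algorithm token: "AES", "3DES", "RC4", "NULL", ...
    key_bits: int     # nominal symmetric key size; 0 for NULL or unknown
    digest: str
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings

def parse_suite(name: str) -> Optional[SuiteCheck]:
    """Evaluate one IANA suite name; None if it is not TLS_..._WITH_..._<digest>."""
    m = _SUITE_RE.match(name)
    if not m:
        return None
    tokens = m.group("cipher").split("_")
    alg = tokens[0]
    # Key size is usually an explicit token (AES_128, RC4_40); legacy ciphers imply it.
    bits = next((int(t) for t in tokens[1:] if t.isdigit()), None)
    if alg == "3DES":
        bits = 168        # nominal 3 x 56 bits; the policy lists 3DES as approved
    elif alg in ("DES", "DES40"):
        bits = 40 if alg == "DES40" else 56
        alg = "DES"
    elif alg == "NULL" or bits is None:
        bits = 0          # no encryption, or a size the name does not encode
    digest = m.group("digest")

    check = SuiteCheck(name, alg, bits, digest)
    if alg not in APPROVED_CIPHERS:
        check.findings.append(f"cipher {alg} is not an approved method (3DES or AES)")
    if bits < MIN_KEY_BITS:
        check.findings.append(f"{bits}-bit key is below the {MIN_KEY_BITS}-bit minimum")
    if digest not in ACCEPTED_DIGESTS:
        check.findings.append("no accepted integrity digest")
    return check

def check_suites(names: List[str]) -> List[SuiteCheck]:
    """Check every suite a server (or client) is configured to offer."""
    results = []
    for n in names:
        c = parse_suite(n)
        if c is None:
            c = SuiteCheck(n, "?", 0, "?", ["unrecognised cipher suite name; review manually"])
        results.append(c)
    return results

def noncompliant(names: List[str]) -> List[str]:
    """Names of the offered suites that fail at least one policy requirement."""
    return [c.suite for c in check_suites(names) if not c.compliant]

def weakest_negotiable(names: List[str]) -> Optional[int]:
    """Smallest key size a peer could negotiate from the offered list: the SC-17
    point that an endpoint still offering 40- or 56-bit suites can be talked
    down to them, while one limited to 128-bit-and-above suites cannot."""
    parsed = [c for c in check_suites(names) if c.cipher != "?"]
    return min(c.key_bits for c in parsed) if parsed else None

# Constructed sample: the suite list of a hypothetical server, not from the page.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA",
]
# The same server restricted to the suites that satisfy the policy.
SAMPLE_HARDENED = [n for n in SAMPLE_OFFERED if n not in noncompliant(SAMPLE_OFFERED)]

if __name__ == "__main__":
    for c in check_suites(SAMPLE_OFFERED):
        status = "OK  " if c.compliant else "FAIL"
        print(f"{status} {c.suite}: {'; '.join(c.findings) or 'meets policy'}")
    print("weakest negotiable, offered list:", weakest_negotiable(SAMPLE_OFFERED))   # 0
    print("weakest negotiable, hardened list:", weakest_negotiable(SAMPLE_HARDENED)) # 128
```

Run it against the suite list reported by a server scan (for example the output of a TLS scanner) to see which offered suites fall under the 128-bit minimum before a firewall rule or certificate request is approved.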

7. Lack of encryption of PI/PII at rest
Risks if a control is not implemented: PI/PII stored unencrypted. An unauthorized individual could gain access to the data, resulting in the following:
• Identity Theft
• Fraud
• Financial Loss
• Compromise of confidentiality and integrity of data
• Legal Ramifications
Controls Currently Implemented in the Project:
• Audit logs
• Access controls
Probability: Low
Impact: Moderate
Recommended Additional Controls:
• Compliance with DTMB 1340.00.06 – Storage of Sensitive Information on Mobile Devices and Portable Media
• Compliance with DTMB 1340.00.07 – Electronic Data Encryption – ‘State of Michigan’s requirements for data storage encryption:
  • A minimum of 128-bit key must be used for all data storage encryption.
  • Whenever supported by the underlying product suites, Transparent Data Encryption (TDE) should be used. TDE is based on a dual encryption method that uses a second encryption key that is stored in a file external to the encrypted database file.’
• Compliance with NIST 800-53; SC-28 – Protection of Information at Rest


8. Lack of System & Information Integrity
Risks if a control is not implemented: Malicious programs and code could be injected by a malicious user and used to obtain back-door access to the system, or improper system configurations could introduce vulnerabilities that, when exploited, could lead to:
• Unauthorized access to the State’s information system
• Compromise of confidentiality and integrity of data
Controls Currently Implemented in the Project:
Probability: Moderate
Impact: Moderate
Recommended Additional Controls:
• Perform periodic system testing to ensure that the system checks for accuracy, completeness, validity and authenticity to prevent malicious code or unauthorized software changes.
• Request that an application scan be performed by Michigan Cyber Security (MCS).
• Base secure coding techniques on guidance such as the OWASP guide (http://www.owasp.org).
• Compliance with NIST 800-53; SI-9 Information Input Restrictions & SI-10 Information Input Validation

9. Lack of a consistent, structured systems engineering methodology
Risks if a control is not implemented: Improper guidance in the development, enhancement, and maintenance of an application could lead to:
• Unreliable, unpredictable, and inconsistent IT solution
• More cost to the agency to implement and operate
• Lack of clearly and consistently documented solution, decisions, and recommendations
Controls Currently Implemented in the Project: EASA (Enterprise Architecture Solutions Assessment) submitted and approved.
Probability: Low
Impact: Moderate
Recommended Additional Controls:
• Compliance with DTMB Policy 1360.00 Systems Engineering Methodology
• Compliance with NIST 800-53; SA-3 Life Cycle Support & SA-8 Security Engineering Principles

10. Lack of vulnerability scan on servers in SOM zone 2
Risks if a control is not implemented: Weaknesses may develop on servers in zone 2, which are not scanned on a regular basis, and a malicious individual may exploit them, which could result in:
• Identity Theft
• Fraud
• Financial Loss
• Compromise of confidentiality and integrity of data
• Legal Ramifications
Controls Currently Implemented in the Project:
• Servers are scanned only if a new firewall rule is requested, and vulnerabilities are remediated before the firewall rule is implemented.
• System is in compliance with DTMB Technical Procedure 1345.00.50.08, which defines the detailed outline of the patching process for updating the operating system (O/S), hot fixes, and security updates for servers within the State of Michigan.
Probability: Low
Impact: Moderate
Recommended Additional Controls:
• Agency to request that DTMB Technical Services scan servers on a quarterly basis and resolve any vulnerabilities in a timely manner, to reduce the likelihood of a vulnerability being exploited and a potential compromise of the system.
• Compliance with NIST 800-53; CA-7 Continuous Monitoring & RA-5 Vulnerability Scanning


11. Inadequate review of audit logs
Risks if a control is not implemented: A malicious individual gains unauthorized access to the system and modifies information without being detected, or misuses resources of the system/application.
Controls Currently Implemented in the Project:
Probability: Moderate
Impact: Moderate
Recommended Additional Controls:
• Agency to document an audit and accountability policy and procedure for reviewing audit logs. Procedures should include how often the logs are reviewed, how long they are retained, and by whom.
• Compliance with NIST 800-53; AU-1 thru AU-12

12. Lack of segmentation of PI/PII
Risks if a control is not implemented: PI/PII is located in zone 2 and not firewalled off from other zone 2 devices, which could result in:
• Compromise of confidentiality, integrity and availability of PI/PII
Controls Currently Implemented in the Project:
• Access controls
• Audit logs
Probability: Low
Impact: Moderate
Recommended Additional Controls:
• Segment PI/PII to zone 2P or zone 3, which provides additional security controls
• Compliance with NIST 800-53; SC-32 Information System Partitioning


13. Lack of updating/reviewing DTMB-170 at least annually or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may affect the security status of the system
Risks if a control is not implemented: The DTMB-170 takes into account vulnerabilities, threat sources, and security controls that are planned or in place to determine the resulting level of risk posed to Agency operations, Agency assets, or individuals based on the operation of the information system. Without periodic assessment, the evaluation and analysis of these threats and vulnerabilities may become outdated; therefore, inadequate levels of information security may be applied, potentially causing:
• Undiscovered weaknesses in the system/application
• Inability to provide the Agency with security issues that may exist
• Inability to validate that controls are fully commensurate with the risks to which the Agency is exposed
• System administration and management not having a clear understanding of the system’s security posture
• Lack of compliance with policies, standards, procedures and legislation
Controls Currently Implemented in the Project:
Probability:
Impact:
Recommended Additional Controls:
• Compliance with NIST 800-53; CA-2 Security Assessments, PL-2 System Security Plan, and RA-3 Risk Assessment
• Compliance with DTMB policy 1340.00 Information Technology Information Security, which includes completing a comprehensive security review (DTMB-170) for all major applications upon implementation as well as upon major changes.

* - The Probability and Impact are based on the Agency’s existing controls.


7.0 Sponsors and Stakeholders

Sponsors

Stakeholders


8.0 Approvals

By signing below, I certify that I have read and acknowledge all sections of this document and each recommended control contained in Section 9.0 and any risk that may remain. My signature indicates that the Agency has accepted each risk if the corresponding recommended control is not implemented.

Approved by: ____________________________________________Date: _______________

Approved by: ________________________________________ Date: __________________

Approved by: ________________________________________ Date: __________________

Approved by: ________________________________________ Date: __________________

Approved by: _________________________________________ Date: __________________

Approved by: ________________________________________ Date: ___________________
Glen Gorton, Business Relation Manager, DTMB

Approved by: ________________________________________ Date: ___________________
Rock Rakowski, Manager, Office of Michigan Cyber Security


Appendix A - System and Information Security Level Matrix

Each security objective below is rated by Potential Impact (Low, Moderate, High).

Security Objective: Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Potential Impact - Low: The unauthorized disclosure of information would have limited adverse effect on State of Michigan operations, assets, or individuals.
Example(s):
o Public Information
o Information available via Freedom of Information Act

Potential Impact - Moderate: The unauthorized disclosure of information would have a serious adverse effect on State of Michigan operations, assets, or individuals.
Example(s):
o Personal information affecting an individual’s privacy (e.g. an individual’s medical information; driver’s license number; social security number; banking information, etc…)

Potential Impact - High: The unauthorized disclosure of information would have a severe or catastrophic adverse effect on State of Michigan operations, assets, or individuals.
Example(s):
o Highly sensitive information that may affect human life or safety (e.g. under cover investigation information; confidential response plans for emergencies)
o Information that if released would violate State or Federal Law
o Significant amount of privacy information (e.g. thousands of individuals’ credit card numbers; social security numbers; banking information; medical information, etc…)


Security Objective: Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Potential Impact - Low: The unauthorized modification or destruction of information would have limited adverse effect on State of Michigan operations, assets, or individuals.

Potential Impact - Moderate: The unauthorized modification or destruction of information would have a serious adverse effect on State of Michigan operations, assets, or individuals.

Potential Impact - High: The unauthorized modification or destruction of information would have a severe or catastrophic adverse effect on State of Michigan operations, assets, or individuals.
Example(s):
o Information that could affect human life or safety (e.g. criminal history; warrant/arrest data; active investigation information; child protection services information)
o Information that could severely affect public confidence (e.g. modification of voter registration or voting results; tax information; lottery drawings)
o Information that may affect national security (e.g. birth certificates; emergency response plans and procedures; risk assessments and vulnerability information)


Security Objective: Availability
Ensuring timely and reliable access to and use of information and systems.

Potential Impact - Low: The disruption of access to or use of information or an information system would have limited adverse effect on State of Michigan operations, assets, or individuals.

Potential Impact - Moderate: The disruption of access to or use of information or an information system would have a serious adverse effect on State of Michigan operations, assets, or individuals.
Example(s):
o Information or information system that if not available, would seriously affect the public’s trust of the State (e.g. unemployment applications; Secretary of State applications; OTIS)
o Information or information system that if not available, could seriously affect the State financially (e.g. large revenue generating applications;)

Potential Impact - High: The disruption of access to or use of information or an information system would have a severe or catastrophic adverse effect on State of Michigan operations, assets, or individuals.
Example(s):
o Information or information system that if not available, could affect human life or safety (e.g. LEIN; prisoner tracking systems; emergency response systems)
o Information or information system that if not available, would severely affect the public’s trust of the State (e.g. welfare checks; food stamps; voter registration)
o Information or information system that if not available, could severely affect the State financially (e.g. Tax systems;


Appendix B: NIST 800-53 Controls (Low / Moderate / High)

Access Controls

AC-1 Access Control Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

AC-2 Account Management

The organization manages information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes;
h. Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and
j. Reviewing accounts [Assignment: organization-defined frequency].

(1) The organization employs automated mechanisms to support the management of information system accounts.

(2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

(3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

(4) The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

AC-3 Access Enforcement

The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

AC-4 Information Flow Enforcement

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

AC-5 Separation of Duties

The organization:
a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned information system access authorizations.

AC-6 Least Privilege

The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

(1) The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].

(2) The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.

AC-7 Unsuccessful Login Attempts

The information system:
a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and
b. Automatically locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
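As an added illustration of AC-7 (example code, not part of DTMB-0170 or NIST 800-53), the following Python class enforces the limit on consecutive invalid attempts counted within a time period and applies one of the three responses the control names once the limit is reached: a timed lock, a lock until an administrator releases it, or a delay before the next login prompt computed by a delay algorithm. The class, method and parameter names are assumptions made for this example.

```python
"""AC-7 reference lockout policy (added example; constructor arguments map to the
control's organization-defined assignments: number of consecutive invalid attempts,
the time period in which they are counted, and the response applied at the limit)."""
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# The three responses AC-7 b. lists for when the maximum is reached.
RESPONSES = ("lock_for_period", "lock_until_admin_release", "delay")


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of consecutive invalid attempts
    locked_until: Optional[float] = None                 # None = not locked; math.inf = admin release
    next_allowed: float = 0.0                            # earliest time the next prompt is offered


class LoginAttemptLimiter:
    """Enforces AC-7 per account; applies whether the login is local or over the network."""

    def __init__(self, max_attempts: int, window_seconds: float, response: str,
                 lock_seconds: float = 0.0,
                 delay_algorithm: Optional[Callable[[int], float]] = None) -> None:
        if response not in RESPONSES:
            raise ValueError(f"response must be one of {RESPONSES}")
        if response == "delay" and delay_algorithm is None:
            raise ValueError("the 'delay' response needs delay_algorithm(attempt_count) -> seconds")
        self.max_attempts = max_attempts      # [organization-defined number]
        self.window = window_seconds          # [organization-defined time period] for counting
        self.response = response
        self.lock_seconds = lock_seconds      # [organization-defined time period] for the lock
        self.delay_algorithm = delay_algorithm  # [organization-defined delay algorithm]
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def status(self, account: str, now: float) -> str:
        """Return 'ok', 'locked' or 'delayed' for a login prompt requested at time `now`."""
        st = self._state(account)
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None   # timed lock has expired; start counting afresh
            st.failures.clear()
        if now < st.next_allowed:
            return "delayed"
        return "ok"

    def attempt(self, account: str, credentials_valid: bool, now: float) -> str:
        """Record one login attempt and return the resulting state.

        'ok' = accepted, 'failed' = invalid but below the limit, 'locked'/'delayed' =
        limit reached or a lock/delay still in force. Valid credentials are not
        accepted while a lock or delay is in force, so guessing cannot continue.
        """
        current = self.status(account, now)
        if current != "ok":
            return current
        st = self._state(account)
        if credentials_valid:
            st.failures.clear()
            st.next_allowed = 0.0
            return "ok"
        # Only failures inside the organization-defined time period count as consecutive.
        st.failures = [t for t in st.failures if now - t <= self.window]
        st.failures.append(now)
        if len(st.failures) < self.max_attempts:
            return "failed"
        if self.response == "lock_for_period":
            st.locked_until = now + self.lock_seconds
            return "locked"
        if self.response == "lock_until_admin_release":
            st.locked_until = math.inf
            return "locked"
        # 'delay': the wait before the next prompt grows with each attempt at or past the limit
        st.next_allowed = now + self.delay_algorithm(len(st.failures))
        return "delayed"

    def admin_release(self, account: str) -> None:
        """Administrator clears a lock (the only way out of 'lock_until_admin_release')."""
        st = self._state(account)
        st.locked_until = None
        st.next_allowed = 0.0
        st.failures.clear()
```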

AC-8 System Use Notification

The information system:
a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording;
b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.

AC-10 Concurrent Session Control

The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].

AC-11 Session Lock

The information system:
a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-14 Permitted Actions Without Identification or Authorization

The organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.

AC-17 Remote Access

The organization:
a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.

(1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

(2) The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.

(3) The information system routes all remote accesses through a limited number of managed access control points.

(4) The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.

(5) The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

(7) The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ [Assignment: organization-defined additional security measures] and are audited.

(8) The organization disables [Assignment: organization-defined networking protocols within the information system deemed to be non-secure] except for explicitly identified components in support of specific operational requirements.

AC-18 Wireless Access

The organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to the information system;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to the information system.

(1) The information system protects wireless access to the system using authentication and encryption.

(2) The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

(4) The organization does not allow users to independently configure wireless networking capabilities.

(5) The organization confines wireless communications to organization-controlled boundaries.

AC-19 Access Control for Mobile Devices

Definition: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Organization-controlled mobile devices include those devices for which the organization has the authority to specify and the ability to enforce specific security requirements.

The organization:
a. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices;
b. Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems;
c. Monitors for unauthorized connections of mobile devices to organizational information systems;
d. Enforces requirements for the connection of mobile devices to organizational information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and
g. Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

(1) The organization restricts the use of writable, removable media in organizational information systems.

(2) The organization prohibits the use of personally owned, removable media in organizational information systems.

(3) The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.

AC-20 Use of External Information Systems

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.

(1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
(a) Can verify the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or
(b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.

(2) The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

AC-22 Publicly Accessible Content

The organization:
a. Designates individuals authorized to post information onto an organizational information system that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system;
d. Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and
e. Removes nonpublic information from the publicly accessible organizational information system, if discovered.

Awareness and Training

AT-1 Security Awareness and Training Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

AT-2 Security Awareness

The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.

AT-3 Security Training

The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

AT-4 Security Training Records

The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].

Audit and Accountability

AU-1 Audit and Accountability Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

AU-2 Auditable Events

The organization:
a. Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events];
b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and
d. Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].

(3) The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].

(4) The organization includes execution of privileged functions in the list of events to be audited by the information system.

AU-3 Content of Audit Records

The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.

(1) The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.

(2) The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components].

AU-4 Audit Storage Capacity

The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

AU-5 Response to Audit Processing Failures

The information system:
a. Alerts designated organizational officials in the event of an audit processing failure; and
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

(1) The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit storage capacity.

(2) The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

AU-6 Audit Review, Analysis and Reporting

The organization:
a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and
b. Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

(1) The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

AU-7 Audit Reduction and Report Generation

The information system provides an audit reduction and report generation capability.

(1) The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

AU-8 Time Stamps

The information system uses internal system clocks to generate time stamps for audit records.

(1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].

AU-9 Protection of Audit Information

Definition: Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-10 Non-repudiation

The information system protects against an individual falsely denying having performed a particular action.

AU-11 Audit Record Retention

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

AU-12 Audit Generation

The information system:
a. Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components];
b. Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and
c. Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

(1) The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].

Security Assessment and Authorization

CA-1 Security Assessment and Authorization Policies and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.

CA-2 Security Assessments

The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
o Security controls and control enhancements under assessment;
o Assessment procedures to be used to determine security control effectiveness; and
o Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.

(1) The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.

(2) The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security testing]].

CA-3 Information System Connections

The organization:
a. Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements;
b. Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.


CA-5 Plan of Action and Milestones

The organization:
a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

CA-6 Security Authorization

The organization:
a. Assigns a senior-level executive or manager to the role of authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].

CA-7 Continuous Monitoring

The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. A configuration management process for the information system and its constituent components;
b. A determination of the security impact of changes to the information system and environment of operation;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and
d. Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].

Configuration Management

CM-1 Configuration Management Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.


CM-2 Baseline Configuration

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

(1) The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment: organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.

(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

(3) The organization retains older versions of baseline configurations as deemed necessary to support rollback.

(4) The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system]; and
(b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.

(5) The organization:
(a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and
(b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.

(6) The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

CM-3 Configuration Change Control

The organization:
a. Determines the types of changes to the information system that are configuration controlled;
b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

(1) The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify designated approval authorities;
(c) Highlight approvals that have not been received by [Assignment: organization-defined time period];
(d) Inhibit change until designated approvals are received; and
(e) Document completed changes to the information system.

(2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-4 Security Impact Analysis

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

(1) The organization analyzes new software in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-5 Access Restrictions for Change

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

(2) The organization conducts audits of information system changes [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.

(3) The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization.

CM-6 Configuration Settings

The organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

(1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

(2) The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].

(3) The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.

CM-7 Least Functionality

The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].

(1) The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.

(2) The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].

CM-8 Information System Component Inventory

The organization develops, documents, and maintains an inventory of information system components that:
a. Accurately reflects the current information system;
b. Is consistent with the authorization boundary of the information system;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
e. Is available for review and audit by designated organizational officials.

(1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

(3) The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and
(b) Disables network access by such components/devices or notifies designated organizational officials.

(4) The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.

(5) The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

CM-9 Configuration Management Plan

The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.

Contingency Planning

CP-1 Contingency Planning Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

CP-2 Contingency Plan

The organization:
a. Develops a contingency plan for the information system that:
- Identifies essential missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, assigned individuals with contact information;
- Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
- Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the organization;
b. Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency];
e. Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and
f. Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].

(1) The organization coordinates contingency plan development with organizational elements responsible for related plans.

(2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

(3) The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-3 Contingency Training

The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].

(1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

CP-4 Contingency Plan Testing and Exercises

The organization:
a. Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and
b. Reviews the contingency plan test/exercise results and initiates corrective actions.

(1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

(2) The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.

(4) The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

CP-6 Alternate Storage Site

The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.

(1) The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.

(2) The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

(3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.


CP-7 Alternate Processing Site

The organization:
a. Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and
b. Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

(1) The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.

(2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

(3) The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.

(4) The organization configures the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions.

(5) The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

CP-8 Telecommunications Services

The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.

(1) The organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and
(b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

(2) The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.

(3) The organization obtains alternate telecommunications service providers that are separated from primary service providers so as not to be susceptible to the same hazards.

(4) The organization requires primary and alternate telecommunications service providers to have contingency plans.

CP-9 Information System Backup

The organization:
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
b. Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
c. Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
d. Protects the confidentiality and integrity of backup information at the storage location.

(1) The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

(2) The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

(3) The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.

CP-10 Information System Recovery and Reconstitution

The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

(2) The information system implements transaction recovery for systems that are transaction-based.

(3) The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state].

(4) The organization provides capability to reimage information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

Identification & Authentication

IA-1 Identification and Authentication Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a. A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b. Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

IA-2 Identification and Authentication (Organizational Users)

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

(1) The information system uses multifactor authentication for network access to privileged accounts.

(2) The information system uses multifactor authentication for network access to non-privileged accounts.

(3) The information system uses multifactor authentication for local access to privileged accounts.

(4) The information system uses multifactor authentication for local access to non-privileged accounts.

(8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.

(9) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to non-privileged accounts.

IA-3 Device Identification and Authentication

The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

IA-4 Identifier Management

The organization manages information system identifiers for users and devices by:
a) Receiving authorization from a designated organizational official to assign a user or device identifier;

b) Selecting an identifier that uniquely identifies an individual or device;

c) Assigning the user identifier to the intended party or the device identifier to the intended device;

d) Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and

e) Disabling the user identifier after [Assignment: organization-defined time period of inactivity].

IA-5 Authenticator Management

The organization manages information system authenticators for users and devices by:
a) Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator;
b) Establishing initial authenticator content for authenticators defined by the organization;
c) Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d) Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e) Changing default content of authenticators upon information system installation;
f) Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate);
g) Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h) Protecting authenticator content from unauthorized disclosure and modification; and
i) Requiring users to take, and having devices implement, specific measures to safeguard authenticators.

(1) The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created;
(c) Encrypts passwords in storage and in transmission;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and
(e) Prohibits password reuse for [Assignment: organization-defined number] generations.

(2) The information system, for PKI-based authentication:
(a) Validates certificates by constructing a certification path with status information to an accepted trust anchor;
(b) Enforces authorized access to the corresponding private key; and
(c) Maps the authenticated identity to the user account.

(3) The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
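As an added example (not part of the DTMB-0170 form or of the NIST control text), the following Python module shows what enforcing IA-5(1) looks like in code: items (a), (b), (d) and (e) are checked at password change, (d) is also checked at logon for expiry, and for (c) the record keeps only salted PBKDF2 hashes rather than a reversible encryption. All threshold values, function names and sample passwords are constructed assumptions standing in for the organization-defined parameters.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    """Constructed sample values for the organization-defined parameters."""
    min_length: int = 12           # (a) number of characters
    min_upper: int = 1             # (a) minimums per character type
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    min_changed_chars: int = 4     # (b) characters that must change on reset
    min_lifetime_days: int = 1     # (d) lifetime minimum
    max_lifetime_days: int = 90    # (d) lifetime maximum
    history_generations: int = 10  # (e) generations that may not be reused


@dataclass
class Credential:
    """Stored record. Only salted one-way hashes are kept (assumption: a
    PBKDF2 hash stands in for the 'encrypted storage' of item (c))."""
    salt: bytes
    digest: bytes
    set_at: datetime
    history: list = field(default_factory=list)  # older (salt, digest) pairs


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_violations(policy: PasswordPolicy, pw: str) -> list:
    """(a) Every unmet minimum, or an empty list when compliant."""
    counts = {"upper": sum(c.isupper() for c in pw),
              "lower": sum(c.islower() for c in pw),
              "digits": sum(c.isdigit() for c in pw),
              "special": sum(not c.isalnum() for c in pw)}
    minimums = {"upper": policy.min_upper, "lower": policy.min_lower,
                "digits": policy.min_digits, "special": policy.min_special}
    problems = [f"need {m} {k}" for k, m in minimums.items() if counts[k] < m]
    if len(pw) < policy.min_length:
        problems.insert(0, f"need {policy.min_length} characters")
    return problems


def changed_chars(old: str, new: str) -> int:
    """(b) Edit distance: characters inserted, deleted or substituted."""
    prev = list(range(len(new) + 1))
    for i, a in enumerate(old, 1):
        cur = [i]
        for j, b in enumerate(new, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a != b)))
        prev = cur
    return prev[-1]


def is_reused(policy: PasswordPolicy, cred: Credential, pw: str) -> bool:
    """(e) True if pw matches the current or any retained generation."""
    generations = [(cred.salt, cred.digest)] + cred.history
    return any(hmac.compare_digest(derive(pw, s), d)
               for s, d in generations[: policy.history_generations])


def is_expired(policy: PasswordPolicy, cred: Credential, now: datetime) -> bool:
    """(d) Maximum lifetime exceeded: a change must be forced at next logon."""
    return now - cred.set_at > timedelta(days=policy.max_lifetime_days)


def change_violations(policy: PasswordPolicy, cred: Credential,
                      old_pw: str, new_pw: str, now: datetime) -> list:
    """Every reason a requested change is refused (empty list = accepted)."""
    if not hmac.compare_digest(derive(old_pw, cred.salt), cred.digest):
        return ["current password incorrect"]
    problems = complexity_violations(policy, new_pw)
    if changed_chars(old_pw, new_pw) < policy.min_changed_chars:
        problems.append(f"fewer than {policy.min_changed_chars} characters changed")
    if now - cred.set_at < timedelta(days=policy.min_lifetime_days):
        problems.append("minimum lifetime not reached")
    if is_reused(policy, cred, new_pw):
        problems.append(f"reused within {policy.history_generations} generations")
    return problems


def enroll(password: str, now: datetime) -> Credential:
    salt = os.urandom(16)
    return Credential(salt, derive(password, salt), now)


def rotate(policy: PasswordPolicy, cred: Credential, new_pw: str,
           now: datetime) -> Credential:
    """Apply an accepted change, retaining prior generations for (e)."""
    history = ([(cred.salt, cred.digest)] + cred.history)[: policy.history_generations]
    salt = os.urandom(16)
    return Credential(salt, derive(new_pw, salt), now, history)
```

Because the old password is presented by the user at change time, (b) can be evaluated on cleartext without ever storing it; (e) is evaluated only against stored salted hashes.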

IA-6 Authenticator Feedback

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 Cryptographic Module Authentication

The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 Identification and Authentication (Non-Organizational Users)

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

Incident Response

IR-1 Incident Response Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a) A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b) Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

IR-2 Incident Response Training

The organization:
a) Trains personnel in their incident response roles and responsibilities with respect to the information system; and
b) Provides refresher training [Assignment: organization-defined frequency].

(1) The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

(2) The organization employs automated mechanisms to provide a more thorough and realistic training environment.

IR-3 Incident Response Testing and Exercises

The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.

(1) The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.

IR-4 Incident Handling

The organization:
a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

b) Coordinates incident handling activities with contingency planning activities; and

c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

(1) The organization employs automated mechanisms to support the incident handling process.

IR-5 Incident Monitoring

The organization tracks and documents information system security incidents.

(1) The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

IR-6 Incident Reporting

The organization:
a) Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and

b) Reports security incident information to designated authorities.

(1) The organization employs automated mechanisms to assist in the reporting of security incidents.

IR-7 Incident Response Assistance

The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

(1) The organization employs automated mechanisms to increase the availability of incident response-related information and support.

IR-8 Incident Response Plan

The organization:
a) Develops an incident response plan that:
- Provides the organization with a roadmap for implementing its incident response capability;
- Describes the structure and organization of the incident response capability;
- Provides a high-level approach for how the incident response capability fits into the overall organization;
- Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
- Defines reportable incidents;
- Provides metrics for measuring the incident response capability within the organization;
- Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- Is reviewed and approved by designated officials within the organization;

b) Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements];

c) Reviews the incident response plan [Assignment: organization-defined frequency];

d) Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and

e) Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].

Maintenance

MA-1 System Maintenance Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a) A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b) Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

MA-2 Controlled Maintenance

The organization:
a) Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
b) Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
c) Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
d) Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
e) Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.

(1) The organization maintains maintenance records for the information system that include:
(a) Date and time of maintenance;
(b) Name of the individual performing the maintenance;
(c) Name of escort, if necessary;
(d) A description of the maintenance performed; and
(e) A list of equipment removed or replaced (including identification numbers, if applicable).

(2) The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete, and available records of all maintenance and repair actions, needed, in process, and completed.

MA-3 Maintenance Tools

The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.

(1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

(2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.

(3) The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.

MA-4 Non-Local Maintenance

The organization:

a) Authorizes, monitors, and controls non-local maintenance and diagnostic activities;

b) Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;

c) Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions;

d) Maintains records for non-local maintenance and diagnostic activities; and

e) Terminates all sessions and network connections when non-local maintenance is completed.

(1) The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.

(2) The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.

(3) The organization: (a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or

(b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

MA-5 Maintenance Personnel

The organization:

a) Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and

b) Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

MA-6 Timely Maintenance

The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.

Media Protection

MP-1 Media Protection Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and

b) Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

MP-2 Media Access

The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].

(1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

MP-3 Media Marking

The organization:

a) Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and

b) Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].

MP-4 Media Storage

The organization:

a) Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures];

b) Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-5 Media Transport

The organization:

a) Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures];

b) Maintains accountability for information system media during transport outside of controlled areas; and

c) Restricts the activities associated with transport of such media to authorized personnel.

(2) The organization documents activities associated with the transport of information system media.

(3) The organization employs an identified custodian throughout the transport of information system media.

(4) The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

MP-6 Media Sanitization

The organization:

a) Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and

b) Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.

(1) The organization tracks, documents, and verifies media sanitization and disposal actions.

(2) The organization tests sanitization equipment and procedures to verify correct performance [Assignment: organization-defined frequency].

(3) The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined list of circumstances requiring sanitization of portable, removable storage devices].

Physical and Environmental Protection

PE-1 Physical and Environmental Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b) Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

PE-2 Physical Access Authorizations

The organization:

a) Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible);

b) Issues authorization credentials; and

c) Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.

PE-3 Physical Access Control

The organization:

a) Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible);

b) Verifies individual access authorizations before granting access to the facility;

c) Controls entry to the facility containing the information system using physical access devices and/or guards;

d) Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk;

e) Secures keys, combinations, and other physical access devices;

f) Inventories physical access devices [Assignment: organization-defined frequency]; and

g) Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

(1) The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.

PE-4 Access Control for Transmission Medium

The organization controls physical access to information system distribution and transmission lines within organizational facilities.

PE-5 Access Control for Output Devices

The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

PE-6 Monitoring Physical Access

The organization:

a) Monitors physical access to the information system to detect and respond to physical security incidents;

b) Reviews physical access logs [Assignment: organization-defined frequency]; and

c) Coordinates results of reviews and investigations with the organization’s incident response capability.

(1) The organization monitors real-time physical intrusion alarms and surveillance equipment.

(2) The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.

PE-7 Visitor Control

The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.

(1) The organization escorts visitors and monitors visitor activity, when required.

PE-8 Access Records

The organization:

a) Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and

b) Reviews visitor access records [Assignment: organization-defined frequency].

(1) The organization employs automated mechanisms to facilitate the maintenance and review of access records.

(2) The organization maintains a record of all physical access, both visitor and authorized individuals.

PE-9 Power Equipment and Power Cabling

The organization protects power equipment and power cabling for the information system from damage and destruction.

PE-10 Emergency Shutoff

The organization:

a) Provides the capability of shutting off power to the information system or individual system components in emergency situations;

b) Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and

c) Protects emergency power shutoff capability from unauthorized activation.

PE-11 Emergency Power

The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.

(1) The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

PE-12 Emergency Lighting

The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.

PE-13 Fire Protection

The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

(1) The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.

(2) The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.

(3) The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

PE-14 Temperature and Humidity Controls

The organization:

a) Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and

b) Monitors temperature and humidity levels [Assignment: organization-defined frequency].

PE-15 Water Damage Protection

The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.

(1) The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.

PE-16 Delivery and Removal

The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

PE-17 Alternate Work Site

The organization:

a) Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites;

b) Assesses as feasible, the effectiveness of security controls at alternate work sites; and

c) Provides a means for employees to communicate with information security personnel in case of security incidents or problems.

PE-18 Location of Information System Components

The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

(1) The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.

Planning

PL-1 Security Planning Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b) Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

PL-2 System Security Plan

The organization:

a) Develops a security plan for the information system that:

- Is consistent with the organization’s enterprise architecture;
- Explicitly defines the authorization boundary for the system;
- Describes the operational context of the information system in terms of missions and business processes;
- Provides the security categorization of the information system including supporting rationale;
- Describes the operational environment for the information system;
- Describes relationships with or connections to other information systems;
- Provides an overview of the security requirements for the system;
- Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and
- Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

b) Reviews the security plan for the information system [Assignment: organization-defined frequency]; and

c) Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.

PL-4 Rules of Behavior

a) Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and

b) Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.


PL-5 Privacy Impact Assessment (PIA)

The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.

PL-6 Security-Related Activity Planning

The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.

Personnel Security

PS-1 Personnel Security Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b) Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

PS-2 Position Categorization

The organization:

a) Assigns a risk designation to all positions;

b) Establishes screening criteria for individuals filling those positions; and

c) Reviews and revises position risk designations [Assignment: organization-defined frequency].

PS-3 Personnel Screening

The organization:

a) Screens individuals prior to authorizing access to the information system; and

b) Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].

PS-4 Personnel Termination

The organization, upon termination of individual employment:

a) Terminates information system access;

b) Conducts exit interviews;

c) Retrieves all security-related organizational information system-related property; and

d) Retains access to organizational information and information systems formerly controlled by terminated individual.

PS-5 Personnel Transfer

The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].

PS-6 Access Agreements

The organization:

a) Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and

b) Reviews/updates the access agreements [Assignment: organization-defined frequency].

PS-7 Third-Party Personnel Security

The organization:

a) Establishes personnel security requirements including security roles and responsibilities for third-party providers;

b) Documents personnel security requirements; and

c) Monitors provider compliance.

PS-8 Personnel Sanctions

The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

Risk Assessment

RA-1 Risk Assessment Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b) Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

RA-2 Security Categorization

The organization:

a) Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

b) Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

c) Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

RA-3 Risk Assessment

The organization:

a) Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;

b) Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];

c) Reviews risk assessment results [Assignment: organization-defined frequency]; and

d) Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

RA-5 Vulnerability Scanning

The organization:

a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

b) Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:

- Enumerating platforms, software flaws, and improper configurations;
- Formatting and making transparent, checklists and test procedures; and
- Measuring vulnerability impact;

c) Analyzes vulnerability scan reports and results from security control assessments;

d) Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

e) Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

(1) The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.

(2) The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported.

(3) The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

(4) The organization attempts to discern what information about the information system is discoverable by adversaries.

(5) The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.

(7) The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information system and notify designated organizational officials.

System and Services Acquisition

SA-1 System and Services Acquisition Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b) Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

SA-2 Allocation of Resources

The organization:

a) Includes a determination of information security requirements for the information system in mission/business process planning;

b) Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and

c) Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-3 Life Cycle Support

The organization:

a) Manages the information system using a system development life cycle methodology that includes information security considerations;

b) Defines and documents information system security roles and responsibilities throughout the system development life cycle; and

c) Identifies individuals having information system security roles and responsibilities.

SA-4 Acquisitions

The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards:

a) Security functional requirements/specifications;

b) Security-related documentation requirements; and

c) Developmental and evaluation-related assurance requirements.

(1) The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.

(2) The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be deployed within the information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.

(4) The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.

SA-5 Information System Documentation

The organization:

a) Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:

- Secure configuration, installation, and operation of the information system;

- Effective use and maintenance of security features/functions; and

- Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

b) Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes:

- User-accessible security features/functions and how to effectively use those security features/functions;

- Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and

- User responsibilities in maintaining the security of the information and information system; and

c) Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

(1) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.

(2) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.

(3) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

SA-6 Software Usage Restrictions

The organization:

a) Uses software and associated documentation in accordance with contract agreements and copyright laws;

b) Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and

c) Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

SA-7 User-Installed Software

The organization enforces explicit rules governing the installation of software by users.

SA-8 Security Engineering Principles

The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

SA-9 External Information System Services

The organization:

a) Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

b) Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

c) Monitors security control compliance by external service providers.


SA-10 Developer Configuration Mgmt

The organization requires that information system developers/integrators:

a) Perform configuration management during information system design, development, implementation, and operation;

b) Manage and control changes to the information system;

c) Implement only organization-approved changes;

d) Document approved changes to the information system; and

e) Track security flaws and flaw resolution.

SA-11 Developer Security Testing

The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers):

a) Create and implement a security test and evaluation plan;

b) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and

c) Document the results of the security testing/evaluation and flaw remediation processes.

SA-12 Supply Chain Protection

The organization protects against supply chain threats by employing [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.

SA-13 Trustworthiness

The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].

System and Communication Protection

SC-1 System and Communication Protection Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b) Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

SC-2 Application Partitioning

The information system separates user functionality (including user interface services) from information system management functionality.

SC-3 Security Function Isolation

The information system isolates security functions from nonsecurity functions.


SC-4 Information in Shared Resources

The information system prevents unauthorized and unintended information transfer via shared system resources.

SC-5 Denial of Service Protection

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

SC-7 Boundary Protection

The information system:

a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and

b) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

(1) The organization physically allocates publicly accessible information system components to separate sub-networks with separate physical network interfaces.

(2) The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.

(3) The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.

(4) The organization:

(a) Implements a managed interface for each external telecommunication service;

(b) Establishes a traffic flow policy for each managed interface;

(c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;

(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;

(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and

(f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.

(5) The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).

(6) The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.

(7) The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.

(8) The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices.
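As an added worked example (not part of the DTMB-0170 template), the deny-all, permit-by-exception rule of SC-7(5) combined with the documented, time-bounded exceptions of SC-7(4)(d) through (f), in Python; the Flow and FlowException types, the sample exceptions and the review date are constructed for illustration.

```python
"""Deny-by-default traffic flow policy at a managed interface (SC-7(4), SC-7(5)).

Added example, not part of the DTMB-0170 template. The rule fields, the
sample exceptions and the review date are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at the managed interface."""
    src: str
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class FlowException:
    """A documented exception to the traffic flow policy (SC-7(4)(d)):
    every permitted flow carries a business need and a bounded duration."""
    name: str
    src_net: str
    dst_net: str
    dport: int
    proto: str
    business_need: str
    approved: date
    duration_days: int

    @property
    def expires(self) -> date:
        return self.approved + timedelta(days=self.duration_days)

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src_net)
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and flow.dport == self.dport
                and flow.proto == self.proto)


def policy_defects(exceptions: list[FlowException]) -> list[str]:
    """Flag exceptions that lack the documentation SC-7(4)(d) requires."""
    defects = []
    for e in exceptions:
        if not e.business_need.strip():
            defects.append(f"{e.name}: no supporting mission/business need")
        if e.duration_days <= 0:
            defects.append(f"{e.name}: no duration for the need")
    return defects


def is_permitted(flow: Flow, exceptions: list[FlowException], today: date) -> bool:
    """SC-7(5): deny all, permit by exception. An exception only permits
    traffic while it is still within its documented duration."""
    return any(e.matches(flow) and today <= e.expires for e in exceptions)


def exceptions_to_remove(exceptions: list[FlowException], today: date) -> list[str]:
    """SC-7(4)(e)/(f): the periodic review lists exceptions whose documented
    duration has lapsed; they are removed unless the need is re-justified."""
    return [e.name for e in exceptions if today > e.expires]


# Constructed sample policy for one managed interface (documentation-only ranges).
POLICY = [
    FlowException("inbound-smtp", "0.0.0.0/0", "203.0.113.0/24", 25, "tcp",
                  "Inbound mail relay for agency domains", date(2024, 1, 10), 365),
    FlowException("vendor-sftp", "198.51.100.7/32", "203.0.113.10/32", 22, "tcp",
                  "Quarterly vendor data exchange", date(2024, 3, 1), 90),
]
TODAY = date(2024, 7, 1)  # constructed review date

if __name__ == "__main__":
    print("defects:", policy_defects(POLICY))
    print("smtp:", is_permitted(Flow("192.0.2.5", "203.0.113.20", 25, "tcp"), POLICY, TODAY))
    print("https:", is_permitted(Flow("192.0.2.5", "203.0.113.20", 443, "tcp"), POLICY, TODAY))
    print("remove:", exceptions_to_remove(POLICY, TODAY))
```

On the constructed review date the vendor SFTP exception has outlived its 90-day need, so the flow it once permitted falls back to the default deny and the exception is listed for removal.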

SC-8 Transmission Integrity

The information system protects the integrity of transmitted information.

(1) The system employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.

SC-9 Transmission Confidentiality

The information system protects the confidentiality of transmitted information.

(1) The system employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical measures].

SC-10 Network Disconnect

The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

SC-12 Crypto Key Establishment and Mgmt

The organization establishes and manages cryptographic keys for required cryptography employed within the information system.

(1) The organization maintains availability of information in the event of the loss of cryptographic keys by users.

SC-13 Use of Cryptography

The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

SC-14 Public Access Protections

The information system protects the integrity and availability of publicly available information and applications.

SC-15 Collaborative Computing Devices

The information system:

a) Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and

b) Provides an explicit indication of use to users physically present at the devices.

SC-17 Public Key Infrastructure (PKI) Certificates

The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider.

SC-18 Mobile Code

The organization:

a) Defines acceptable and unacceptable mobile code and mobile code technologies;

b) Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

c) Authorizes, monitors, and controls the use of mobile code within the information system.

SC-19 Voice Over Internet Protocol (VoIP)

The organization:

a) Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

b) Authorizes, monitors, and controls the use of VoIP within the information system.

SC-20 Secure Name/Address Resolution Svc (Authoritative Sources)

The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.

(1) The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.

SC-21 Secure Name/Address Resolution Svc (Recursive or Caching Resolver)

The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.

SC-22 Architecture and Provisioning for Name/Address Resolution Svc

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

SC-23 Session Authenticity

The information system provides mechanisms to protect the authenticity of communications sessions.

SC-24 Fail to Known State

The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.

SC-28 Protection of Information at Rest

The information system protects the confidentiality and integrity of information at rest.


SC-32 Information System Partitioning

The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.

System and Information Integrity

SI-1 System and Information Integrity Policy and Procedures

The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a) A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b) Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

SI-2 Flaw Remediation

The organization:

a) Identifies, reports, and corrects information system flaws;

b) Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and

c) Incorporates flaw remediation into the organizational configuration management process.

(1) The organization centrally manages the flaw remediation process and installs software updates automatically.

(2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

SI-3 Malicious Code Protection

The organization:

a) Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:

- Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or

- Inserted through the exploitation of information system vulnerabilities;

b) Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;

c) Configures malicious code protection mechanisms to:

- Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and

- [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and

d) Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

(1) The organization centrally manages malicious code protection mechanisms.

(2) The information system automatically updates malicious code protection mechanisms (including signature definitions).

(3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.

SI-4 Information System Monitoring

The organization:

a) Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks;

b) Identifies unauthorized use of the information system;

c) Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;

d) Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and

e) Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

(2) The organization employs automated tools to support near real-time analysis of events.

(4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.

(5) The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].

(6) The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.

SI-5 Security Alerts, Advisories, and Directives

The organization:

a) Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis;

b) Generates internal security alerts, advisories, and directives as deemed necessary;

c) Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and

d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

(1) The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.

SI-6 Security Functionality Verification

The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

SI-7 Software and Information Integrity

The information system detects unauthorized changes to software and information.

(1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.

(2) The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.
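As an added worked example (not part of the DTMB-0170 template), a SHA-256 baseline, an integrity rescan (SI-7(1)) and notification only on discrepancy (SI-7(2)) in Python; the files written by demo() are constructed samples in a temporary directory, and the notify callable stands in for whatever channel reaches the designated individuals.

```python
"""Integrity baseline and rescan with discrepancy notification (SI-7, SI-7(1), SI-7(2)).

Added example, not part of the DTMB-0170 template. The files written by demo()
are constructed samples in a temporary directory; notify is any callable that
delivers a message to the designated individuals.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a digest for every regular file under root, keyed by relative path.
    Keep the baseline outside the monitored tree, or it will be reported as added."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def integrity_scan(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """SI-7(1): rescan the tree and report every discrepancy against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def verify_and_notify(root: Path, baseline: dict[str, str],
                      notify: Callable[[str], None]) -> bool:
    """SI-7(2): notify designated individuals only when a discrepancy is found.
    Returns True when the tree still matches the baseline."""
    report = integrity_scan(root, baseline)
    discrepancies = {kind: paths for kind, paths in report.items() if paths}
    if discrepancies:
        notify(f"integrity discrepancies under {root}: {discrepancies}")
        return False
    return True


def demo() -> dict:
    """Baseline a constructed tree, then make unauthorized changes and rescan."""
    alerts: list[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"constructed sample binary")
        (root / "app.conf").write_text("debug=false\n")
        (root / "data.csv").write_text("id,value\n1,a\n")
        baseline = build_baseline(root)
        clean_before = verify_and_notify(root, baseline, alerts.append)
        # Simulated unauthorized changes: edited config, deleted data, unexpected file.
        (root / "app.conf").write_text("debug=true\n")
        (root / "data.csv").unlink()
        (root / "bin" / "extra").write_bytes(b"constructed unexpected file")
        report = integrity_scan(root, baseline)
        clean_after = verify_and_notify(root, baseline, alerts.append)
    return {"clean_before": clean_before, "clean_after": clean_after,
            "report": report, "alerts": alerts}


if __name__ == "__main__":
    print(demo())
```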

SI-8 Spam Protection

The organization:

a) Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and

b) Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.

(1) The organization centrally manages spam protection mechanisms.

SI-9 Information Input Restrictions

The organization restricts the capability to input information to the information system to authorized personnel.

SI-10 Information Input Validation

The information system checks the validity of information inputs.


SI-11 Error Handling

The information system:

a) Identifies potentially security-relevant error conditions;

b) Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and

c) Reveals error messages only to authorized personnel.

SI-12 Information Output Handling and Retention

The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
