Navigate

CCI-002561

CCI-002561 Definition

The organization authorizes the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed documents and implements a process to authorize the use of all information system components (through the use of an acceptable use agreement) which have the potential to cause damage to the information system if used maliciously. The organization must maintain an audit trail of authorizations. DoD has defined the information system components as all information system components (through the use of an acceptable use agreement).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process as well as the audit trail of authorizations to ensure the organization being inspected/assessed authorizes the use of all information system components (through the use of an acceptable use agreement) which have the potential to cause damage to the information system if used maliciously. DoD has defined the information system components as all information system components (through the use of an acceptable use agreement).

Compelling Evidence

1.) Signed and dated service level agreements (SLA). 2.) Signed and dated user agreement. 3.) System security plan (SSP) (reference "usage" section).

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002561.

Control	Description
SC-43	The organization: SC-43a.: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and SC-43b.: Authorizes, monitors, and controls the use of such components within the information system.