Navigate

CCI-002694

CCI-002694 Definition

The organization defines the external organizations to which the organization will disseminate security alerts, advisories, and directives.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

DoD has defined the external organizations as CNDSP Tier 1 for vetting. The CNDSP Tier 1 will pass the information to the accredited Tier 2 CNDSPs. Tier 2 CNDSPs are responsible for ensuring all Tier 3 entities receive the information. Tier 3 organizations will ensure all local Op Centers/LAN shops receive information (i.e. Component IT System and Security Personnel) (e.g. ISSM, ISSOs, and system administrators).

Validation Procedures

The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the external organizations as CNDSP Tier 1 for vetting. The CNDSP Tier 1 will pass the information to the accredited Tier 2 CNDSPs. Tier 2 CNDSPs are responsible for ensuring all Tier 3 entities receive the information. Tier 3 organizations will ensure all local Op Centers/LAN shops receive information (i.e. Component IT System and Security Personnel) (e.g. ISSM, ISSOs, and system administrators).

Compelling Evidence

Automatically compliant.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-002694.

Control	Description
SI-5	The organization: SI-5a.: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; SI-5b.: Generates internal security alerts, advisories, and directives as deemed necessary; SI-5c.: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and SI-5d.: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Control

Description

SI-5

The organization:

SI-5a.: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;

SI-5b.: Generates internal security alerts, advisories, and directives as deemed necessary;

SI-5c.: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

SI-5d.: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.