Xylok Scanner CCIs

Number	Definition	Status	Related
CCI-000631	Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.	Draft	SA-4(6)
CCI-000632	The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.	Deprecated
CCI-000633	Ensure that government off-the-shelf or commercial-off-the-shelf information assurance and information assurance-enabled information technology products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.	Draft	SA-4(6)
CCI-000634	Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.	Draft	SA-4(7)
CCI-000635	Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved.	Draft	SA-4(7)
CCI-000636	The organization obtains administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.	Draft
CCI-000637	The organization protects, as required, administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.	Draft
CCI-000638	The organization makes available to authorized personnel administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.	Draft
CCI-000639	The organization obtains user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.	Draft
CCI-000640	The organization protects, as required, user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.	Draft
CCI-000641	The organization makes available to authorized personnel user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.	Draft
CCI-000642	Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent.	Draft	SA-5
CCI-000643	The organization obtains vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.	Draft
CCI-000644	The organization protects, as required, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system.	Draft
CCI-000645	The organization makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.	Draft
CCI-000646	The organization obtains vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.	Draft
CCI-000647	The organization obtains vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.	Draft
CCI-000648	The organization protects, as required, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system.	Draft
CCI-000649	The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of implementation details of the security controls emplo.	Deprecated
CCI-000650	The organization obtains vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.	Draft
CCI-000651	The organization protects, as required, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system.	Draft
CCI-000652	The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of implementation details of the security controls employ.	Deprecated
CCI-000653	The organization obtains the source code for the information system to permit analysis and testing.	Draft
CCI-000654	The organization protects, as required, the source code for the information system to permit analysis and testing.	Draft
CCI-000655	The organization uses software and associated documentation in accordance with contract agreements and copyright laws.	Draft
CCI-000656	The organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution.	Draft
CCI-000657	The organization controls the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.	Draft
CCI-000658	The organization documents the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.	Draft
CCI-000659	The organization prohibits the use of binary executable code from sources with limited or no warranty without accompanying source code.	Draft
CCI-000660	The organization prohibits the use of machine executable code from sources with limited or no warranty without accompanying source code.	Draft

CCI-000631

Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.

Draft

SA-4(6)

CCI-000632

The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.

Deprecated

CCI-000633

Ensure that government off-the-shelf or commercial-off-the-shelf information assurance and information assurance-enabled information technology products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.

Draft

SA-4(6)

CCI-000634