Navigate

SA-18(2)

SA-18(2): Inspection of Information Systems, Components, or Devices

The organization inspects [organization-defined information systems, system components, or devices] [one or more of at random/at {{ insert: param, sa-18.2_prm_3 }}, upon {{ insert: param, sa-18.2_prm_4 }} ] to detect tampering.

Supplemental

This control enhancement addresses both physical and logical tampering and is typically applied to mobile devices, notebook computers, or other system components taken out of organization-controlled areas. Indications of need for inspection include, for example, when individuals return from travel to high-risk locations.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SA-18(2).

Control	Description
SI-4	The organization: a: Monitors the information system to detect: 1: Attacks and indicators of potential attacks in accordance with [organization-defined monitoring objectives]; and 2: Unauthorized local, network, and remote connections; b: Identifies unauthorized use of the information system through [organization-defined techniques and methods]; c: Deploys monitoring devices: 1: Strategically within the information system to collect organization-determined essential information; and 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization; d: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; e: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; f: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and g: Provides [organization-defined information system monitoring information] to [organization-defined personnel or roles] [one or more of as needed/ {{ insert: param, si-4_prm_6 }} ].

Control

Description

SI-4

The organization:

a: Monitors the information system to detect:
- 1: Attacks and indicators of potential attacks in accordance with [organization-defined monitoring objectives]; and
- 2: Unauthorized local, network, and remote connections;

b: Identifies unauthorized use of the information system through [organization-defined techniques and methods];

c: Deploys monitoring devices:
- 1: Strategically within the information system to collect organization-determined essential information; and
- 2: At ad hoc locations within the system to track specific types of transactions of interest to the organization;

d: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

e: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

f: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

g: Provides [organization-defined information system monitoring information] to [organization-defined personnel or roles] [one or more of as needed/ {{ insert: param, si-4_prm_6 }} ].

Enhancements

The controls below (if any) add on to the requirements of SA-18(2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SA-18(2).

CCI	Definition
CCI-003352	The organization inspects organization-defined information systems, system components, or devices at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.
CCI-003353	The organization defines the information systems, system components, or devices to inspect at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.
CCI-003354	The organization defines the frequency on which to inspect organization-defined information systems, system components, or devices to detect tampering.
CCI-003355	The organization defines indications of need for inspection to detect tampering during inspections of organization-defined information systems, system components, or devices.