Navigate

SI-6

SI-6: Security and Privacy Function Verification

a: Verify the correct operation of [one of ];

b: Perform the verification of the functions specified in SI-6a [one or more of "{{ insert: param, si-06_odp.04 }} "/"upon command by user with appropriate privilege"/"{{ insert: param, si-06_odp.05 }} "];

c: Alert [personnel or roles to be alerted of failed security and privacy verification tests is/are defined;] to failed security and privacy verification tests; and

d: [one or more of "shut the system down"/"restart the system"/"{{ insert: param, si-06_odp.08 }} "] when anomalies are discovered.

Supplemental

Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
DAF Baseline, NC3

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-6.

Control	Description
CA-7	Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a: Establishing the following system-level metrics to be monitored: [system-level metrics to be monitored are defined;]; b: Establishing [frequencies at which to monitor control effectiveness are defined;] for monitoring and [frequencies at which to assess control effectiveness are defined;] for assessment of control effectiveness; c: Ongoing control assessments in accordance with the continuous monitoring strategy; d: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e: Correlation and analysis of information generated by control assessments and monitoring; f: Response actions to address results of the analysis of control assessment and monitoring information; and g: Reporting the security and privacy status of the system to [one of ] [one of ].
CM-4	Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
CM-6	a: Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [common secure configurations to establish and document configuration settings for components employed within the system are defined;]; b: Implement the configuration settings; c: Identify, document, and approve any deviations from established configuration settings for [system components for which approval of deviations is needed are defined;] based on [operational requirements necessitating approval of deviations are defined;] ; and d: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
SI-7	a: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [one of ] ; and b: Take the following actions when unauthorized changes to the software, firmware, and information are detected: [one of ].

Enhancements

The controls below (if any) add on to the requirements of SI-6.

Control	Description
SI-6(1)
SI-6(2)	Implement automated mechanisms to support the management of distributed security and privacy function testing.
SI-6(3)	Report the results of security and privacy function verification to [personnel or roles designated to receive the results of security and privacy function verification is/are defined;].

Related CCIs

The CCIs below are tied to SI-6.

CCI	Definition
CCI-001294	Alert organization-defined personnel or roles of failed security verification tests.
CCI-002695	Defines the security functions that require verification of correct operation.
CCI-002696	Verify correct operation of organization-defined security functions.
CCI-002697	Defines the frequency at which it will verify correct operation of organization-defined security functions.
CCI-002698	Defines the system transitional states when the system will verify correct operation of organization-defined security functions.
CCI-002699	Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
CCI-002700	Defines the personnel or roles to be notified when security verification tests fail.
CCI-002701	Defines alternative action(s) to be taken when anomalies in the operation of organization-defined security functions are discovered.
CCI-002702	Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.
CCI-004984	Defines the privacy functions that require verification of correct operation.
CCI-004985	Verify correct operation of organization-defined privacy functions.
CCI-004986	Defines the frequency at which it will verify correct operation of organization-defined privacy functions.
CCI-004987	Defines the system transitional states when the system will verify correct operation of organization-defined privacy functions.
CCI-004988	Perform verification of the correct operation of organization-defined privacy functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
CCI-004989	Alert organization-defined personnel or roles of failed privacy verification tests.
CCI-004990	Defines the personnel or roles to be notified when privacy verification tests fail.
CCI-004991	Defines alternative action(s) to be taken when anomalies in the operation of organization-defined privacy functions are discovered.
CCI-004992	Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined privacy functions are discovered.