Navigate

SI-6

SI-6: Security Function Verification

The information system:

a: Verifies the correct operation of [organization-defined security functions];

b: Performs this verification [one or more of {{ insert: param, si-6_prm_3 }} /upon command by user with appropriate privilege/ {{ insert: param, si-6_prm_4 }} ];

c: Notifies [organization-defined personnel or roles] of failed security verification tests; and

d: [one or more of shuts the information system down/restarts the information system/ {{ insert: param, si-6_prm_7 }} ] when anomalies are discovered.

Supplemental

Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-6.

Control	Description
CA-7	The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a: Establishment of [organization-defined metrics] to be monitored; b: Establishment of [organization-defined frequencies] for monitoring and [organization-defined frequencies] for assessments supporting such monitoring; c: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; d: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; e: Correlation and analysis of security-related information generated by assessments and monitoring; f: Response actions to address results of the analysis of security-related information; and g: Reporting the security status of organization and the information system to [organization-defined personnel or roles] [organization-defined frequency].
CM-6	The organization: a: Establishes and documents configuration settings for information technology products employed within the information system using [organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b: Implements the configuration settings; c: Identifies, documents, and approves any deviations from established configuration settings for [organization-defined information system components] based on [organization-defined operational requirements]; and d: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Control

Description

CA-7

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

a: Establishment of [organization-defined metrics] to be monitored;

b: Establishment of [organization-defined frequencies] for monitoring and [organization-defined frequencies] for assessments supporting such monitoring;

c: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

d: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

e: Correlation and analysis of security-related information generated by assessments and monitoring;

f: Response actions to address results of the analysis of security-related information; and

g: Reporting the security status of organization and the information system to [organization-defined personnel or roles] [organization-defined frequency].

CM-6

The organization:

a: Establishes and documents configuration settings for information technology products employed within the information system using [organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;

b: Implements the configuration settings;

c: Identifies, documents, and approves any deviations from established configuration settings for [organization-defined information system components] based on [organization-defined operational requirements]; and

d: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Enhancements

The controls below (if any) add on to the requirements of SI-6.

Control	Description
SI-6(1)
SI-6(2)	The information system implements automated mechanisms to support the management of distributed security testing.
SI-6(3)	The organization reports the results of security function verification to [organization-defined personnel or roles].

Related CCIs

The CCIs below are tied to SI-6.

CCI	Definition
CCI-001294	Alert organization-defined personnel or roles of failed security verification tests.
CCI-002695	Defines the security functions that require verification of correct operation.
CCI-002696	Verify correct operation of organization-defined security functions.
CCI-002697	Defines the frequency at which it will verify correct operation of organization-defined security functions.
CCI-002698	Defines the system transitional states when the system will verify correct operation of organization-defined security functions.
CCI-002699	Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
CCI-002700	Defines the personnel or roles to be notified when security verification tests fail.
CCI-002701	Defines alternative action(s) to be taken when anomalies in the operation of organization-defined security functions are discovered.
CCI-002702	Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.