Xylok
© 2024
Xylok, LLC
Version: v2024.03.2-e179-0f10
Overlay Cross Domain (Access)
Additions
This overlay adds the following controls. Each entry gives the control identifier followed by its description.
AC-3 (2)
The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3 (3)
The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:
AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system;
AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects;
AC-3 (3)(b)(2): Granting its privileges to other subjects;
AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components;
AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
AC-3 (3)(b)(5): Changing the rules governing access control; and
AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
AC-3 (5)
The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
AC-3 (7)
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
AC-4 (22)
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.
AC-5
The organization:
AC-5a.: Separates [Assignment: organization-defined duties of individuals];
AC-5b.: Documents separation of duties of individuals; and
AC-5c.: Defines information system access authorizations to support separation of duties.
AC-6 (6)
The organization prohibits privileged access to the information system by non-organizational users.
AC-16 (1)
The information system dynamically associates security attributes with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies] as information is created and combined.
AC-16 (2)
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
AC-16 (3)
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
AC-16 (4)
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
AC-16 (5)
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
AC-16 (7)
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
AC-16 (8)
The information system implements [Assignment: organization-defined techniques or technologies] with [Assignment: organization-defined level of assurance] in associating security attributes to information.
AC-16 (9)
The organization ensures that security attributes associated with information are reassigned only via re-grading mechanisms validated using [Assignment: organization-defined techniques or procedures].
AC-23
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
AC-25
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AT-2 (2)
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AU-5 (2)
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
AU-5 (4)
The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.
AU-6
The organization:
AU-6a.: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
AU-6b.: Reports findings to [Assignment: organization-defined personnel or roles].
AU-6 (5)
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
AU-6 (7)
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
AU-6 (8)
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
AU-6 (9)
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
AU-7 (2)
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
AU-9 (2)
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
AU-9 (5)
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
AU-9 (6)
The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
AU-12
The information system:
AU-12a.: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
AU-12b.: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
AU-12c.: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
AU-14
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
AU-16
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
AU-16 (1)
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
AU-16 (2)
The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
CA-2 (3)
The organization accepts the results of an assessment of [Assignment: organization-defined information system] performed by [Assignment: organization-defined external organization] when the assessment meets [Assignment: organization-defined requirements].
CA-3 (2)
The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
CA-8 (1)
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
CM-2 (6)
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CM-4 (2)
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CM-5 (4)
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
CM-5 (5)
The organization:
CM-5 (5)(a): Limits privileges to change information system components and system-related information within a production or operational environment; and
CM-5 (5)(b): Reviews and reevaluates privileges [Assignment: organization-defined frequency].
CP-10 (6)
The organization protects backup and restoration hardware, firmware, and software.
IA-2
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2 (1)
The information system implements multifactor authentication for network access to privileged accounts.
IA-2 (2)
The information system implements multifactor authentication for network access to non-privileged accounts.
IA-5 (5)
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
MP-2
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
PL-7
The organization:
PL-7a.: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
PL-7b.: Reviews and updates the CONOPS [Assignment: organization-defined frequency].
RA-5 (3)
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-6
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]].
SA-10 (6)
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
SA-11 (1)
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11 (2)
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
SA-11 (3)
The organization:
SA-11 (3)(a): Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
SA-11 (3)(b): Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.
SA-11 (6)
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
SA-11 (7)
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
SA-13
The organization:
SA-13a.: Describes the trustworthiness required in the [Assignment: organization-defined information system, information system component, or information system service] supporting its critical missions/business functions; and
SA-13b.: Implements [Assignment: organization-defined assurance overlay] to achieve such trustworthiness.
SA-15 (5)
The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to [Assignment: organization-defined thresholds].
SA-15 (8)
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-15 (11)
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
SA-17 (2)
The organization requires the developer of the information system, system component, or information system service to:
SA-17 (2)(a): Define security-relevant hardware, software, and firmware; and
SA-17 (2)(b): Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
SA-17 (5)
The organization requires the developer of the information system, system component, or information system service to:
SA-17 (5)(a): Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and
SA-17 (5)(b): Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
SA-17 (6)
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate testing.
SA-17 (7)
The organization requires the developer of the information system, system component, or information system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
SA-18
The organization implements a tamper protection program for the information system, system component, or information system service.
SA-19 (2)
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
SA-19 (3)
The organization disposes of information system components using [Assignment: organization-defined techniques and methods].
SA-21
The organization requires that the developer of [Assignment: organization-defined information system, system component, or information system service]:
SA-21a.: Have appropriate access authorizations as determined by assigned [Assignment: organization-defined official government duties]; and
SA-21b.: Satisfy [Assignment: organization-defined additional personnel screening criteria].
SC-2 (1)
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
SC-3 (1)
The information system utilizes underlying hardware separation mechanisms to implement security function isolation.
SC-3 (2)
The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
SC-3 (3)
The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
SC-7 (15)
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-7 (16)
The information system prevents discovery of specific system components composing a managed interface.
SC-7 (22)
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.
SC-7 (23)
The information system disables feedback to senders on protocol format validation failure.
SC-11
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
SC-32
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
SC-41
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].
SI-3 (4)
The information system updates malicious code protection mechanisms only when directed by a privileged user.
SI-4 (7)
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
SI-4 (9)
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
SI-4 (13)
The organization:
SI-4 (13)(a): Analyzes communications traffic/event patterns for the information system;
SI-4 (13)(b): Develops profiles representing common traffic patterns and/or events; and
SI-4 (13)(c): Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
SI-4 (14)
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
SI-4 (24)
The information system discovers, collects, distributes, and uses indicators of compromise.
SI-7 (6)
The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
SI-7 (9)
The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].
SI-7 (10)
The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].
Removals
This overlay removes the following controls. Each entry gives the control identifier followed by its description.
AC-16 (6)
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
AC-22
The organization:
AC-22a.: Designates individuals authorized to post information onto a publicly accessible information system;
AC-22b.: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22c.: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
AC-22d.: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
IA-8 (2)
The information system accepts only FICAM-approved third-party credentials.
IA-8 (3)
The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
SA-9
The organization:
SA-9a.: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
SA-9b.: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
SA-9c.: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
SA-9 (1)
The organization:
SA-9 (1)(a): Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and
SA-9 (1)(b): Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles].
SA-9 (2)
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
SC-20
The information system:
SC-20a.: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
SC-20b.: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
SC-21
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
SI-3 (2)
The information system automatically updates malicious code protection mechanisms.