Xylok
© 2024
Xylok, LLC
Version: v2024.04.1-c0c9-98fb
Overlay Int-B
Additions
This overlay adds the following controls.
Control
Description
AC-3 (2)
The information system enforces dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3 (4)
The information system enforces [Assignment: organization-defined discretionary access control policy] over defined subjects and objects where the policy specifies that a subject that has been granted access to information can do one or more of the following:
AC-3 (4)(a): Pass the information to any other subjects or objects;
AC-3 (4)(b): Grant its privileges to other subjects;
AC-3 (4)(c): Change security attributes on subjects, objects, the information system, or the information system's components;
AC-3 (4)(d): Choose the security attributes to be associated with newly created or revised objects; or
AC-3 (4)(e): Change the rules governing access control.
AC-5
The organization:
AC-5a.: Separates [Assignment: organization-defined duties of individuals];
AC-5b.: Documents separation of duties of individuals; and
AC-5c.: Defines information system access authorizations to support separation of duties.
AC-6
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-6 (7)
The organization:
AC-6 (7)(a): Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
AC-6 (7)(b): Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
AC-7 (2)
The information system purges/wipes information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging/wiping requirements/techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.
AC-9
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
AC-9 (1)
The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
AC-10
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
AC-11
The information system:
AC-11a.: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
AC-11b.: Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 (1)
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
AC-12
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-16
The organization:
AC-16a.: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission;
AC-16b.: Ensures that the security attribute associations are made and retained with the information;
AC-16c.: Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and
AC-16d.: Determines the permitted [Assignment: organization-defined values or ranges] for each of the established security attributes.
AC-16 (5)
The information system displays security attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-identified special dissemination, handling, or distribution instructions] using [Assignment: organization-identified human-readable, standard naming conventions].
AC-16 (6)
The organization allows personnel to associate, and maintain the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security policies].
AC-16 (7)
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
AC-18
The organization:
AC-18a.: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
AC-18b.: Authorizes wireless access to the information system prior to allowing such connections.
AC-18 (3)
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
AC-18 (4)
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
AC-19
The organization:
AC-19a.: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
AC-19b.: Authorizes the connection of mobile devices to organizational information systems.
AC-20
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
AC-20a.: Access the information system from external information systems; and
AC-20b.: Process, store, or transmit organization-controlled information using external information systems.
AC-20 (1)
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:
AC-20 (1)(a): Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
AC-20 (1)(b): Retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20 (2)
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
AC-20 (3)
The organization [Selection: restricts; prohibits] the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
AC-20 (4)
The organization prohibits the use of [Assignment: organization-defined network accessible storage devices] in external information systems.
AT-2
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
AT-2a.: As part of initial training for new users;
AT-2b.: When required by information system changes; and
AT-2c.: [Assignment: organization-defined frequency] thereafter.
AT-2 (2)
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AU-5 (2)
The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
AU-6
The organization:
AU-6a.: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
AU-6b.: Reports findings to [Assignment: organization-defined personnel or roles].
AU-6 (4)
The information system provides the capability to centrally review and analyze audit records from multiple components within the system.
AU-6 (5)
The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
AU-6 (6)
The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
AU-6 (7)
The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.
AU-6 (8)
The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.
AU-6 (9)
The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.
AU-7
The information system provides an audit reduction and report generation capability that:
AU-7a.: Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
AU-7b.: Does not alter the original content or time ordering of audit records.
AU-7 (1)
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
AU-7 (2)
The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].
AU-9 (6)
The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
AU-10
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].
AU-12
The information system:
AU-12a.: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
AU-12b.: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
AU-12c.: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
AU-14
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
AU-16
The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.
AU-16 (1)
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
AU-16 (2)
The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].
CA-3
The organization:
CA-3a.: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
CA-3b.: Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
CA-3c.: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
CA-3 (2)
The organization prohibits the direct connection of a classified, national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
CM-3 (6)
The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
CM-5 (5)
The organization:
CM-5 (5)(a): Limits privileges to change information system components and system-related information within a production or operational environment; and
CM-5 (5)(b): Reviews and reevaluates privileges [Assignment: organization-defined frequency].
IA-2
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2 (1)
The information system implements multifactor authentication for network access to privileged accounts.
IA-2 (2)
The information system implements multifactor authentication for network access to non-privileged accounts.
IA-5 (2)
The information system, for PKI-based authentication:
IA-5 (2)(a): Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
IA-5 (2)(b): Enforces authorized access to the corresponding private key;
IA-5 (2)(c): Maps the authenticated identity to the account of the individual or group; and
IA-5 (2)(d): Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
IR-4 (1)
The organization employs automated mechanisms to support the incident handling process.
IR-4 (3)
The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions.
IR-4 (10)
The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.
IR-5 (1)
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
IR-9
The organization responds to information spills by:
IR-9a.: Identifying the specific information involved in the information system contamination;
IR-9b.: Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
IR-9c.: Isolating the contaminated information system or system component;
IR-9d.: Eradicating the information from the contaminated information system or component;
IR-9e.: Identifying other information systems or system components that may have been subsequently contaminated; and
IR-9f.: Performing other [Assignment: organization-defined actions].
IR-9 (1)
The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills.
IR-9 (2)
The organization provides information spillage response training [Assignment: organization-defined frequency].
IR-9 (4)
The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations.
MA-3 (3)
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
MA-3 (3)(a): Verifying that there is no organizational information contained on the equipment;
MA-3 (3)(b): Sanitizing or destroying the equipment;
MA-3 (3)(c): Retaining the equipment within the facility; or
MA-3 (3)(d): Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.
MA-3 (4)
The information system restricts the use of maintenance tools to authorized personnel only.
MA-4 (1)
The organization:
MA-4 (1)(a): Audits nonlocal maintenance and diagnostic sessions [Assignment: organization-defined audit events]; and
MA-4 (1)(b): Reviews the records of the maintenance and diagnostic sessions.
MA-4 (2)
The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.
MA-4 (4)
The organization protects nonlocal maintenance sessions by:
MA-4 (4)(a): Employing [Assignment: organization-defined authenticators that are replay resistant]; and
MA-4 (4)(b): Separating the maintenance sessions from other network sessions with the information system by either:
MA-4 (4)(b)(1): Physically separated communications paths; or
MA-4 (4)(b)(2): Logically separated communications paths based upon encryption.
MA-4 (5)
The organization:
MA-4 (5)(a): Requires the approval of each nonlocal maintenance session by [Assignment: organization-defined personnel or roles]; and
MA-4 (5)(b): Notifies [Assignment: organization-defined personnel or roles] of the date and time of planned nonlocal maintenance.
MA-5 (2)
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for all compartments of information on the system.
MA-5 (4)
The organization ensures that:
MA-5 (4)(a): Cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on classified information systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and
MA-5 (4)(b): Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
MA-5 (5)
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system but in the physical proximity of the system, have required access authorizations.
MP-1
The organization:
MP-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
MP-1a.1.: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
MP-1a.2.: Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
MP-1b.: Reviews and updates the current:
MP-1b.1.: Media protection policy [Assignment: organization-defined frequency]; and
MP-1b.2.: Media protection procedures [Assignment: organization-defined frequency].
MP-2
The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
MP-3
The organization:
MP-3a.: Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
MP-3b.: Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
MP-4
The organization:
MP-4a.: Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
MP-4b.: Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-5
The organization:
MP-5a.: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
MP-5b.: Maintains accountability for information system media during transport outside of controlled areas;
MP-5c.: Documents activities associated with the transport of information system media; and
MP-5d.: Restricts the activities associated with the transport of information system media to authorized personnel.
MP-5 (3)
The organization employs an identified custodian during transport of information system media outside of controlled areas.
MP-5 (4)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-6
The organization:
MP-6a.: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
MP-6b.: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
MP-6 (1)
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
MP-6 (2)
The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
MP-6 (3)
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
MP-7
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
MP-8
The organization:
MP-8a.: Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];
MP-8b.: Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
MP-8c.: Identifies [Assignment: organization-defined information system media requiring downgrading]; and
MP-8d.: Downgrades the identified information system media using the established process.
MP-8 (1)
The organization documents information system media downgrading actions.
MP-8 (2)
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
MP-8 (4)
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
PE-2 (3)
The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
PE-3 (1)
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
PE-3 (2)
The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
PE-3 (3)
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
PE-4
The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
PE-5
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-5 (3)
The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device.
PE-6 (1)
The organization monitors physical intrusion alarms and surveillance equipment.
PE-6 (2)
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].
PE-6 (3)
The organization employs video surveillance of [Assignment: organization-defined operational areas] and retains video recordings for [Assignment: organization-defined time period].
PE-6 (4)
The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].
PE-19
The organization protects the information system from information leakage due to electromagnetic signals emanations.
PE-19 (1)
The organization ensures that information system components, associated data communications, and networks are protected in accordance with national emissions and TEMPEST policies and procedures based on the security category or classification of the information.
PS-3 (1)
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
PS-3 (2)
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
PS-4
The organization, upon termination of individual employment:
PS-4a.: Disables information system access within [Assignment: organization-defined time period];
PS-4b.: Terminates/revokes any authenticators/credentials associated with the individual;
PS-4c.: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
PS-4d.: Retrieves all security-related organizational information system-related property;
PS-4e.: Retains access to organizational information and information systems formerly controlled by terminated individual; and
PS-4f.: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
PS-4 (1)
The organization:
PS-4 (1)(a): Notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and
PS-4 (1)(b): Requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.
PS-6 (2)
The organization ensures that access to classified information requiring special protection is granted only to individuals who:
PS-6 (2)(a): Have a valid access authorization that is demonstrated by assigned official government duties;
PS-6 (2)(b): Satisfy associated personnel security criteria; and
PS-6 (2)(c): Have read, understood, and signed a nondisclosure agreement.
PS-6 (3)
The organization:
PS-6 (3)(a): Notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information; and
PS-6 (3)(b): Requires individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information.
RA-5 (3)
The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-6
The organization employs a technical surveillance countermeasures survey at [Assignment: organization-defined locations] [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined events or indicators occur]].
SA-4 (2)
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
SA-4 (6)
The organization:
SA-4 (6)(a): Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and
SA-4 (6)(b): Ensures that these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
SA-11 (3)
The organization:
SA-11 (3)(a): Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
SA-11 (3)(b): Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.
SA-12 (9)
The organization employs [Assignment: organization-defined Operations Security (OPSEC) safeguards] in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.
SA-15 (9)
The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
SC-2
The information system separates user functionality (including user interface services) from information system management functionality.
SC-2 (1)
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
SC-3
The information system isolates security functions from nonsecurity functions.
SC-4
The information system prevents unauthorized and unintended information transfer via shared system resources.
SC-8
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
SC-8 (1)
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-8 (2)
The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
SC-8 (3)
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-8 (4)
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-10
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
SC-12 (2)
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.
SC-12 (3)
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].
SC-13
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-15 (1)
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
SC-15 (3)
The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].
SC-15 (4)
The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
SC-28
The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
SC-28 (1)
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
SC-42
The information system:
SC-42a.: Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and
SC-42b.: Provides an explicit indication of sensor use to [Assignment: organization-defined class of users].
SC-42 (3)
The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
SI-3 (4)
The information system updates malicious code protection mechanisms only when directed by a privileged user.
SI-4 (2)
The organization employs automated tools to support near real-time analysis of events.
SI-4 (14)
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
SI-4 (19)
The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
SI-4 (21)
The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].
SI-7
The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
SI-7 (1)
The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
SI-7 (2)
The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.
SI-10 (3)
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
SI-14 (1)
The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources].
Removals
This overlay removes the following controls.
Control
Description
MA-5 (1)
The organization:
MA-5 (1)(a): Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:
MA-5 (1)(a)(1): Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;
MA-5 (1)(a)(2): Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and
MA-5 (1)(b): Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.