Xylok
© 2024
Xylok, LLC
Version: v2024.04.1-c0c9-98fb
Overlay NC3
Additions
This overlay adds the following controls.
Control
Description
AC-3 (3)
The information system enforces [Assignment: organization-defined mandatory access control policy] over all subjects and objects where the policy:
AC-3 (3)(a): Is uniformly enforced across all subjects and objects within the boundary of the information system;
AC-3 (3)(b): Specifies that a subject that has been granted access to information is constrained from doing any of the following;
AC-3 (3)(b)(1): Passing the information to unauthorized subjects or objects;
AC-3 (3)(b)(2): Granting its privileges to other subjects;
AC-3 (3)(b)(3): Changing one or more security attributes on subjects, objects, the information system, or information system components;
AC-3 (3)(b)(4): Choosing the security attributes and attribute values to be associated with newly created or modified objects; or
AC-3 (3)(b)(5): Changing the rules governing access control; and
AC-3 (3)(c): Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges (i.e., they are trusted subjects)] such that they are not limited by some or all of the above constraints.
AC-3 (7)
The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
AC-3 (9)
The information system does not release information outside of the established system boundary unless:
AC-3 (9)(a): The receiving [Assignment: organization-defined information system or system component] provides [Assignment: organization-defined security safeguards]; and
AC-3 (9)(b): [Assignment: organization-defined security safeguards] are used to validate the appropriateness of the information designated for release.
AC-4 (1)
The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4 (6)
The information system enforces information flow control based on [Assignment: organization-defined metadata].
AC-4 (9)
The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
AC-9 (2)
The information system notifies the user of the number of [Selection: successful logons/accesses; unsuccessful logon/access attempts; both] during [Assignment: organization-defined time period].
AC-16 (2)
The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security attributes.
AC-16 (3)
The information system maintains the association and integrity of [Assignment: organization-defined security attributes] to [Assignment: organization-defined subjects and objects].
AC-16 (4)
The information system supports the association of [Assignment: organization-defined security attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).
AC-16 (10)
The information system provides authorized individuals the capability to define or change the type and value of security attributes available for association with subjects and objects.
AC-25
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
AT-3 (1)
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.
AT-3 (3)
The organization includes practical exercises in security training that reinforce training objectives.
AU-9 (5)
The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].
AU-9 (6)
The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].
AU-10 (1)
The information system:
AU-10 (1)(a): Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
AU-10 (1)(b): Provides the means for authorized individuals to determine the identity of the producer of the information.
AU-10 (2)
The information system:
AU-10 (2)(a): Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
AU-10 (2)(b): Performs [Assignment: organization-defined actions] in the event of a validation error.
AU-10 (3)
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
AU-10 (4)
The information system:
AU-10 (4)(a): Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
AU-10 (4)(b): Performs [Assignment: organization-defined actions] in the event of a validation error.
AU-12 (2)
The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
AU-13
The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.
CA-3 (4)
The organization prohibits the direct connection of an [Assignment: organization-defined information system] to a public network.
CM-2 (6)
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CM-4 (2)
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CM-8 (6)
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CP-2 (6)
The organization plans for the transfer of essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through information system restoration to primary processing and/or storage sites.
CP-2 (7)
The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
CP-7 (6)
The organization plans and prepares for circumstances that preclude returning to the primary processing site.
CP-9 (6)
The organization accomplishes information system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
CP-9 (7)
The organization enforces dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].
CP-10 (6)
The organization protects backup and restoration hardware, firmware, and software.
IA-2 (6)
The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-2 (7)
The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-4 (5)
The information system dynamically manages identifiers.
IA-4 (7)
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.
IA-5 (5)
The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.
IR-6 (3)
The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.
MA-5 (3)
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.
MP-6 (7)
The organization enforces dual authorization for the sanitization of [Assignment: organization-defined information system media].
MP-6 (8)
The organization provides the capability to purge/wipe information from [Assignment: organization-defined information systems, system components, or devices] either remotely or under the following conditions: [Assignment: organization-defined conditions].
PE-2 (2)
The organization requires two forms of identification from [Assignment: organization-defined list of acceptable forms of identification] for visitor access to the facility where the information system resides.
PE-2 (3)
The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
PE-3 (2)
The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
PE-3 (4)
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
PE-3 (6)
The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
PE-6 (2)
The organization employs automated mechanisms to recognize [Assignment: organization-defined classes/types of intrusions] and initiate [Assignment: organization-defined response actions].
PE-9 (1)
The organization employs redundant power cabling paths that are physically separated by [Assignment: organization-defined distance].
PE-9 (2)
The organization employs automatic voltage controls for [Assignment: organization-defined critical information system components].
PE-11 (2)
The organization provides a long-term alternate power supply for the information system that is:
PE-11 (2)(a): Self-contained;
PE-11 (2)(b): Not reliant on external power generation; and
PE-11 (2)(c): Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
PE-12 (1)
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
PE-14 (1)
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
PE-14 (2)
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
PL-7
The organization:
PL-7a.: Develops a security Concept of Operations (CONOPS) for the information system containing at a minimum, how the organization intends to operate the system from the perspective of information security; and
PL-7b.: Reviews and updates the CONOPS [Assignment: organization-defined frequency].
PS-3 (2)
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.
SA-4 (8)
The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains [Assignment: organization-defined level of detail].
SA-10 (5)
The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
SA-10 (6)
The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
SA-11 (6)
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
SA-11 (7)
The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at [Assignment: organization-defined depth of testing/evaluation].
SA-11 (8)
The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
SA-12 (2)
The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.
SA-12 (7)
The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.
SA-12 (10)
The organization employs [Assignment: organization-defined security safeguards] to validate that the information system or system component received is genuine and has not been altered.
SA-12 (12)
The organization establishes inter-organizational agreements and procedures with entities involved in the supply chain for the information system, system component, or information system service.
SA-12 (13)
The organization employs [Assignment: organization-defined security safeguards] to ensure an adequate supply of [Assignment: organization-defined critical information system components].
SA-12 (14)
The organization establishes and retains unique identification of [Assignment: organization-defined supply chain elements, processes, and actors] for the information system, system component, or information system service.
SA-12 (15)
The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.
SA-15 (1)
The organization requires the developer of the information system, system component, or information system service to:
SA-15 (1)(a): Define quality metrics at the beginning of the development process; and
SA-15 (1)(b): Provide evidence of meeting the quality metrics [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined program review milestones]; upon delivery].
SA-15 (8)
The organization requires the developer of the information system, system component, or information system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.
SA-19 (1)
The organization trains [Assignment: organization-defined personnel or roles] to detect counterfeit information system components (including hardware, software, and firmware).
SA-19 (2)
The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service.
SC-3 (2)
The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
SC-3 (4)
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
SC-3 (5)
The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
SC-4 (2)
The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
SC-6
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]].
SC-7 (15)
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-7 (22)
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.
SC-7 (23)
The information system disables feedback to senders on protocol format validation failure.
SC-15 (4)
The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
SC-16
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
SC-16 (1)
The information system validates the integrity of transmitted security attributes.
SC-20 (2)
The information system provides data origin and integrity protection artifacts for internal name/address resolution queries.
SC-31
The organization:
SC-31a.: Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
SC-31b.: Estimates the maximum bandwidth of those channels.
SC-37
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].
SC-37 (1)
The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices].
SC-40
The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
SC-41
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].
SI-3 (9)
The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands].
SI-4 (7)
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
SI-4 (9)
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
SI-4 (13)
The organization:
SI-4 (13)(a): Analyzes communications traffic/event patterns for the information system;
SI-4 (13)(b): Develops profiles representing common traffic patterns and/or events; and
SI-4 (13)(c): Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
SI-4 (17)
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
SI-4 (18)
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.
SI-7 (6)
The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
SI-7 (9)
The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].
SI-7 (10)
The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].
SI-7 (15)
The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.
SI-10 (2)
The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period].
SI-10 (5)
The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].
SI-15
The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.
Removals
This overlay removes the following controls.
Control
Description
IR-4 (5)
The organization implements a configurable capability to automatically disable the information system if [Assignment: organization-defined security violations] are detected.
SC-7 (18)
The information system fails securely in the event of an operational failure of a boundary protection device.
SI-7 (5)
The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.