Xylok
Home Menu
[email protected]
© 2024
Xylok, LLC
Version: v2024.04.1-c0c9-98fb
Overlay Space Platform
Additions
This overlay adds the following controls.
Control
Description
CP-10 (4)
The organization provides the capability to restore information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
SA-4 (1)
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
SA-4 (2)
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
SA-4 (3)
The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes [Assignment: organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes].
SA-4 (5)
The organization requires the developer of the information system, system component, or information system service to:
SA-4 (5)(a): Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and
SA-4 (5)(b): Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.
SA-10 (2)
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
SA-11 (1)
The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
SA-11 (2)
The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service.
SA-11 (3)
The organization:
SA-11 (3)(a): Requires an independent agent satisfying [Assignment: organization-defined independence criteria] to verify the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation; and
SA-11 (3)(b): Ensures that the independent agent is either provided with sufficient information to complete the verification process or granted the authority to obtain such information.
SC-3
The information system isolates security functions from nonsecurity functions.
SC-3 (4)
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
SC-6
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]].
SC-7 (15)
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-8 (1)
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-12 (3)
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].
SI-3 (4)
The information system updates malicious code protection mechanisms only when directed by a privileged user.
SI-10
The information system checks the validity of [Assignment: organization-defined information inputs].
SI-13
The organization:
SI-13a.: Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
SI-13b.: Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].
SI-13 (4)
The organization, if information system component failures are detected:
SI-13 (4)(a): Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
SI-13 (4)(b): [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].
Removals
This overlay removes the following controls.
Control
Description
AC-6 (6)
The organization prohibits privileged access to the information system by non-organizational users.
AC-11 (1)
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
AC-17
The organization:
AC-17a.: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
AC-17b.: Authorizes remote access to the information system prior to allowing such connections.
AC-17 (1)
The information system monitors and controls remote access methods.
AC-17 (2)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17 (3)
The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
AC-17 (4)
The organization:
AC-17 (4)(a): Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
AC-17 (4)(b): Documents the rationale for such access in the security plan for the information system.
AC-17 (6)
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
AC-18 (5)
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
AC-19 (4)
The organization:
AC-19 (4)(a): Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
AC-19 (4)(b): Enforces the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information:
AC-19 (4)(b)(1): Connection of unclassified mobile devices to classified information systems is prohibited;
AC-19 (4)(b)(2): Connection of unclassified mobile devices to unclassified information systems requires approval from the authorizing official;
AC-19 (4)(b)(3): Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
AC-19 (4)(b)(4): Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
AC-19 (4)(c): Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].
AC-22
The organization:
AC-22a.: Designates individuals authorized to post information onto a publicly accessible information system;
AC-22b.: Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22c.: Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
AC-22d.: Reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
AT-3 (2)
The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
AU-6 (1)
The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-7 (1)
The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
AU-9 (2)
The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.
AU-12 (1)
The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].
CP-6 (1)
The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CP-6 (2)
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-6 (3)
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-9 (1)
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
CP-9 (2)
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CP-9 (3)
The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system.
CP-9 (5)
The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].
CP-10 (2)
The information system implements transaction recovery for systems that are transaction-based.
IA-2 (3)
The information system implements multifactor authentication for local access to privileged accounts.
IA-2 (4)
The information system implements multifactor authentication for local access to non-privileged accounts.
MP-5 (4)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-6 (3)
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
PE-2 (1)
The organization authorizes physical access to the facility where the information system resides based on position or role.
PE-2 (3)
The organization restricts unescorted access to the facility where the information system resides to personnel with [Selection (one or more): security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; [Assignment: organization-defined credentials]].
PE-3
The organization:
PE-3a.: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:
PE-3a.1.: Verifying individual access authorizations before granting access to the facility; and
PE-3a.2.: Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
PE-3b.: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
PE-3c.: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
PE-3d.: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
PE-3e.: Secures keys, combinations, and other physical access devices;
PE-3f.: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
PE-3g.: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
PE-3 (1)
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].
PE-3 (2)
The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
PE-3 (3)
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
PE-6 (1)
The organization monitors physical intrusion alarms and surveillance equipment.
PE-10
The organization:
PE-10a.: Provides the capability of shutting off power to the information system or individual system components in emergency situations;
PE-10b.: Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
PE-10c.: Protects emergency power shutoff capability from unauthorized activation.
PE-11
The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.
PE-11 (1)
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
PE-11 (2)
The organization provides a long-term alternate power supply for the information system that is:
PE-11 (2)(a): Self-contained;
PE-11 (2)(b): Not reliant on external power generation; and
PE-11 (2)(c): Capable of maintaining [Selection: minimally required operational capability; full operational capability] in the event of an extended loss of the primary power source.
PE-12
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-12 (1)
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
PE-13
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PE-13 (1)
The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.
PE-13 (2)
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].
PE-13 (3)
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
PE-13 (4)
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] inspections by authorized and qualified inspectors and resolves identified deficiencies within [Assignment: organization-defined time period].
PE-15
The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
PE-16
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
PE-17
The organization:
PE-17a.: Employs [Assignment: organization-defined security controls] at alternate work sites;
PE-17b.: Assesses, as feasible, the effectiveness of security controls at alternate work sites; and
PE-17c.: Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
RA-5 (5)
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
SC-7 (7)
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
SC-7 (8)
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
SC-7 (14)
The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
SC-15
The information system:
SC-15a.: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
SC-15b.: Provides an explicit indication of use to users physically present at the devices.
SC-15 (1)
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
SC-15 (3)
The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].
SC-19
The organization:
SC-19a.: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
SC-19b.: Authorizes, monitors, and controls the use of VoIP within the information system.
SI-8 (1)
The organization centrally manages spam protection mechanisms.
SI-8 (2)
The information system automatically updates spam protection mechanisms.