Control Correlation Identifiers

Control Correlation Identifiers (CCIs) provide a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice.

CCI List

The following CCI list was published to the Information Assurance Support Environment (IASE) on June 27, 2016 as version 2016-06-27 by the Cyber Workforce Development Division of the Defense Information Systems Agency (DISA) and was imported to this site on April 11, 2017 for the convenience of Joval users and the broader security automation community.

CCI | Definition
CCI-003599

The organization defines the individuals or information systems to be the only recipients of organization-defined information, information system components, or devices, by employing organization-defined security safeguards.

CCI-003486

The organization identifies the minimum personally identifiable information (PII) elements that are relevant and necessary to accomplish the legally authorized purpose of collection.

CCI-003487

The organization limits the collection and retention of personally identifiable information (PII) to the minimum elements identified for the purposes described in the published privacy notice.

CCI-003488

The organization limits the collection and retention of personally identifiable information (PII) to the minimum elements identified for the purposes which the individual has provided consent.

CCI-003489

The organization defines the frequency, minimally annually, for conducting reviews of its personally identifiable information (PII) holdings.

CCI-003490

The organization conducts an initial evaluation of personally identifiable information (PII) holdings.

CCI-003491

The organization establishes a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained.

CCI-003492

The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained.

CCI-003493

The organization establishes a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure the PII continues to be necessary to accomplish the legally authorized purpose.

CCI-003494

The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure the PII continues to be necessary to accomplish the legally authorized purpose.

CCI-003495

The organization, where feasible and within the limits of technology, locates and removes/redacts specified personally identifiable information (PII).

CCI-003496

The organization, where feasible and within the limits of technology, uses anonymization and de-identification techniques to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure.

CCI-003497

The organization defines the time period for retaining each collection of personally identifiable information (PII) that is required to fulfill the purpose(s) identified in the published privacy notice or required by law.

CCI-003498

The organization retains each collection of personally identifiable information (PII) for the organization-defined time period to fulfill the purpose(s) identified in the published privacy notice or as required by law.

CCI-003499

The organization disposes of, destroys, erases, and/or anonymizes the personally identifiable information (PII), regardless of the method of storage, in accordance with a NARA-approved record retention schedule.

CCI-003500

The organization disposes of, destroys, erases, and/or anonymizes the personally identifiable information (PII), regardless of the method of storage, in a manner that prevents loss, theft, misuse, or unauthorized access.

CCI-003501

The organization defines the techniques or methods to be employed to ensure the secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records).

CCI-003502

The organization uses organization-defined techniques or methods to ensure secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records).

CCI-003503

The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is collected, created, or updated.

CCI-003504

The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is created.

CCI-003505

The organization, where feasible, configures its information systems to record the date personally identifiable information (PII) is updated.

CCI-003506

The organization, where feasible, configures its information systems to record when personally identifiable information (PII) is to be deleted or archived under an approved record retention schedule.

CCI-003507

The organization develops policies that minimize the use of personally identifiable information (PII) for testing.

CCI-003508

The organization develops policies that minimize the use of personally identifiable information (PII) for training.

CCI-003509

The organization develops policies that minimize the use of personally identifiable information (PII) for research.

CCI-003510

The organization develops procedures that minimize the use of personally identifiable information (PII) for testing.

CCI-003511

The organization develops procedures that minimize the use of personally identifiable information (PII) for training.

CCI-003512

The organization develops procedures that minimize the use of personally identifiable information (PII) for research.

CCI-003513

The organization implements controls to protect personally identifiable information (PII) used for testing.

CCI-003514

The organization implements controls to protect personally identifiable information (PII) used for training.

CCI-003515

The organization implements controls to protect personally identifiable information (PII) used for research.

CCI-003516

The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for research.

CCI-003517

The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for testing.

CCI-003518

The organization, where feasible, uses techniques to minimize the risk to privacy of using personally identifiable information (PII) for training.

CCI-003519

The organization provides means, where feasible and appropriate, for individuals to authorize the collection of personally identifiable information (PII) prior to its collection.

CCI-003520

The organization provides means, where feasible and appropriate, for individuals to authorize the use of personally identifiable information (PII) prior to its collection.

CCI-003521

The organization provides means, where feasible and appropriate, for individuals to authorize the maintaining of personally identifiable information (PII) prior to its collection.

CCI-003522

The organization provides means, where feasible and appropriate, for individuals to authorize sharing of personally identifiable information (PII) prior to its collection.

CCI-003523

The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection of personally identifiable information (PII).

CCI-003524

The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the use of personally identifiable information (PII).

CCI-003525

The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the dissemination of personally identifiable information (PII).

CCI-003526

The organization provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the retention of personally identifiable information (PII).

CCI-003527

The organization obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected personally identifiable information (PII).

CCI-003528

The organization ensures that individuals are aware of all uses of personally identifiable information (PII) not initially described in the public notice that was in effect at the time the organization collected the PII.

CCI-003529

The organization ensures that individuals, where feasible, consent to all uses of personally identifiable information (PII) not initially described in the public notice that was in effect at the time the organization collected the PII.

CCI-003530

The organization implements mechanisms to support itemized or tiered consent for specific uses of personally identifiable information (PII) data.

CCI-003531

The organization provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records.

CCI-003532

The organization publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records.

CCI-003533

The organization publishes regulations governing how individuals may request access to records maintained in a Privacy Act system of records.

CCI-003534

The organization publishes access procedures for Privacy Act systems of records in System of Records Notices (SORNs).

CCI-003535

The organization adheres to Privacy Act requirements for the proper processing of Privacy Act requests.

CCI-003536

The organization adheres to OMB policies and guidance for the proper processing of Privacy Act requests.

CCI-003537

The organization provides a process for individuals to have inaccurate personally identifiable information (PII) maintained by the organization corrected or amended, as appropriate.

CCI-003538

The organization establishes a process for disseminating corrections or amendments of the personally identifiable information (PII) to other authorized users of the PII, such as external information-sharing partners.

CCI-003539

The organization establishes a process, where feasible and appropriate, to notify affected individuals that their personally identifiable information (PII) has been corrected or amended.

CCI-003540

The organization implements a process for receiving complaints, concerns, or questions from individuals about the organizational privacy practices.

CCI-003541

The organization implements a process for responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

CCI-003542

The organization defines the time period within which it must respond to complaints, concerns, or questions from individuals about the organizational privacy practices.

CCI-003543

The organization responds to complaints, concerns, or questions from individuals about the organizational privacy practices within the organization-defined time period.

CCI-003544

The organization defines the frequency on which it will update the inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

CCI-003545

The organization establishes an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

CCI-003546

The organization establishes an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

CCI-003547

The organization maintains an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

CCI-003548

The organization maintains an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

CCI-003549

The organization updates, per organization-defined frequency, an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

CCI-003550

The organization updates, per organization-defined frequency, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).

CCI-003551

The organization defines the frequency for providing each update of the personally identifiable information (PII) inventory to the CIO or information security official.

CCI-003552

The organization provides each update of the personally identifiable information (PII) inventory to the CIO or information security official, per organization-defined frequency, to support the establishment of information security requirements for all new or modified information systems containing PII.

CCI-003553

The organization develops a Privacy Incident Response Plan.

CCI-003554

The organization implements a Privacy Incident Response Plan.

CCI-003555

The organization provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.

CCI-003556

The organization provides effective notice to the public regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII).

CCI-003557

The organization provides effective notice to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII).

CCI-003558

The organization provides effective notice to the public regarding its authority for collecting personally identifiable information (PII).

CCI-003559

The organization provides effective notice to individuals regarding its authority for collecting personally identifiable information (PII).

CCI-003560

The organization provides effective notice to the public regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).

CCI-003561

The organization provides effective notice to individuals regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).

CCI-003562

The organization provides effective notice to the public regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).

CCI-003563

The organization provides effective notice to individuals regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).

CCI-003564

The organization provides effective notice to the public regarding the ability of individuals to access personally identifiable information (PII).

CCI-003565

The organization provides effective notice to individuals regarding the ability to access personally identifiable information (PII).

CCI-003566

The organization provides effective notice to the public regarding the ability to have personally identifiable information (PII) amended or corrected if necessary.

CCI-003567

The organization provides effective notice to individuals regarding the ability to have personally identifiable information (PII) amended or corrected if necessary.

CCI-003568

The organization describes the personally identifiable information (PII) the organization collects.

CCI-003569

The organization describes the purpose(s) for which it collects the personally identifiable information (PII).

CCI-003570

The organization describes how the organization uses personally identifiable information (PII) internally.

CCI-003571

The organization describes whether the organization shares personally identifiable information (PII) with external entities.

CCI-003572

The organization describes the categories of those external entities with whom personally identifiable information (PII) is shared.

CCI-003573

The organization describes the purposes for sharing personally identifiable information (PII) with external entities.

CCI-003574

The organization describes whether individuals have the ability to consent to specific uses or sharing of personally identifiable information (PII).

CCI-003575

The organization describes how individuals may exercise their consent regarding specific uses or sharing of personally identifiable information (PII).

CCI-003576

The organization describes how individuals may obtain access to personally identifiable information (PII).

CCI-003577

The organization describes how the personally identifiable information (PII) will be protected.

CCI-003578

The organization revises its public notices to reflect changes in practice or policy that affect personally identifiable information (PII), before or as soon as practicable after the change.

CCI-003579

The organization revises its public notices to reflect changes in practice or policy that impact privacy, before or as soon as practicable after the change.

CCI-003580

The organization provides real-time notice and/or layered notice when it collects personally identifiable information (PII).

CCI-003581

The organization publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing personally identifiable information (PII).

CCI-003582

The organization keeps System of Records Notices (SORNs) current.

CCI-003583

The organization includes Privacy Act Statements on its forms that collect personally identifiable information (PII), or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.

CCI-003584

The organization publishes System of Records Notices (SORNs) on its public website.

CCI-003585

The organization ensures the public has access to information about its privacy activities.

CCI-003586

The organization ensures the public is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO).

CCI-003587

The organization ensures its privacy practices are publicly available through organizational websites or otherwise.

CCI-003588

The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

CCI-003589

The organization shares personally identifiable information (PII) externally only for the authorized purposes identified in the Privacy Act and/or described in its notice(s), or for a purpose that is compatible with those purposes.

CCI-003590

The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the personally identifiable information (PII) covered.

CCI-003591

The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically enumerate the purposes for which the personally identifiable information (PII) may be used.

CCI-003592

The organization monitors its staff on the authorized sharing of personally identifiable information (PII) with third parties.

CCI-003593

The organization audits its staff on the authorized sharing of personally identifiable information (PII) with third parties.

CCI-003594

The organization trains its staff on the authorized sharing of personally identifiable information (PII) with third parties.

CCI-003595

The organization trains its staff on the consequences of unauthorized use or sharing of personally identifiable information (PII).

CCI-003596

The organization evaluates any proposed new instances of sharing personally identifiable information (PII) with third parties to assess whether the sharing is authorized.

CCI-003597

The organization evaluates any proposed new instances of sharing personally identifiable information (PII) with third parties to assess whether additional or new public notice is required.

CCI-003392

The organization determines and documents the legal authority that permits the collection of personally identifiable information (PII), either generally or in support of a specific program or information system need.

CCI-003393

The organization determines and documents the legal authority that permits the use of personally identifiable information (PII), either generally or in support of a specific program or information system need.

CCI-003394

The organization determines and documents the legal authority that permits the maintenance of personally identifiable information (PII), either generally or in support of a specific program or information system need.

CCI-003395

The organization determines and documents the legal authority that permits the sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need.

CCI-003396

The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is collected.

CCI-003397

The organization appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of personally identifiable information (PII) by programs and information systems.

CCI-003398

The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is used.

CCI-003399

The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is maintained.

CCI-003400

The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is shared.

CCI-003401

The organization monitors federal privacy laws and policy for changes that affect the privacy program.

CCI-003402

The organization defines the allocation of budget resources sufficient to implement and operate the organization-wide privacy program.

CCI-003403

The organization defines the allocation of staffing resources sufficient to implement and operate the organization-wide privacy program.

CCI-003404

The organization allocates sufficient organization-defined budget resources to implement and operate the organization-wide privacy program.

CCI-003405

The organization allocates sufficient organization-defined staffing resources to implement and operate the organization-wide privacy program.

CCI-003406

The organization develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures.

CCI-003407

The organization develops operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).

CCI-003408

The organization disseminates operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).

CCI-003409

The organization implements operational privacy policies which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).

CCI-003410

The organization develops operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).

CCI-003411

The organization disseminates operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).

CCI-003412

The organization implements operational privacy procedures which govern the appropriate privacy and security controls for programs, information systems, or technologies involving personally identifiable information (PII).

CCI-003413

The organization defines the frequency, minimally biennially, on which the privacy plan, policies, and procedures are to be updated.

CCI-003414

The organization updates the privacy plan per organization-defined frequency.

CCI-003415

The organization updates the privacy policies per organization-defined frequency.

CCI-003416

The organization updates the privacy procedures per organization-defined frequency.

CCI-003417

The organization documents a privacy risk management process which assesses the privacy risk to individuals.

CCI-003418

The organization implements a privacy risk management process which assesses the privacy risk to individuals.

CCI-003419

The organization's privacy risk management process assesses the privacy risk to individuals resulting from the collection of personally identifiable information (PII).

CCI-003420

The organization's privacy risk management process assesses the privacy risk to individuals resulting from the sharing of personally identifiable information (PII).

CCI-003421

The organization's privacy risk management process assesses the privacy risk to individuals resulting from the storing of personally identifiable information (PII).

CCI-003422

The organization's privacy risk management process assesses the privacy risk to individuals resulting from the transmitting of personally identifiable information (PII).

CCI-003423

The organization's privacy risk management process assesses the privacy risk to individuals resulting from the use of personally identifiable information (PII).

CCI-003424

The organization's privacy risk management process assesses the privacy risk to individuals resulting from the disposal of personally identifiable information (PII).

CCI-003425

The organization conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.

CCI-003426

The organization establishes privacy roles for contractors.

CCI-003427

The organization establishes privacy responsibilities for contractors.

CCI-003428

The organization establishes access requirements for contractors.

CCI-003429

The organization establishes privacy roles for service providers.

CCI-003430

The organization establishes privacy responsibilities for service providers.

CCI-003431

The organization establishes access requirements for service providers.

CCI-003432

The organization includes privacy requirements in contracts.

CCI-003433

The organization includes privacy requirements in other acquisition-related documents.

CCI-003434

The organization defines the frequency for monitoring privacy controls and internal privacy policy to ensure effective implementation.

CCI-003435

The organization defines the frequency for auditing privacy controls and internal privacy policy to ensure effective implementation.

CCI-003436

The organization monitors privacy controls, per organization-defined frequency, to ensure effective implementation.

CCI-003437

The organization monitors internal privacy policy to ensure effective implementation.

CCI-003438

The organization audits privacy controls, per organization-defined frequency, to ensure effective implementation.

CCI-003439

The organization audits internal privacy policy, per organization-defined frequency, to ensure effective implementation.

CCI-003440

The organization develops a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.

CCI-003441

The organization implements a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.

CCI-003442

The organization updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.

CCI-003443

The organization defines the frequency, minimally annually, for administering its basic privacy training.

CCI-003444

The organization defines the frequency, minimally annually, for administering the targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII.

CCI-003445

The organization administers basic privacy training per the organization-defined frequency.

CCI-003446

The organization administers, per organization-defined frequency, targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII.

CCI-003447

The organization defines the frequency, minimally annually, on which personnel certify acceptance of responsibilities for privacy requirements.

CCI-003448

The organization ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency.

CCI-003449

The organization develops reports for the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.

CCI-003450

The organization disseminates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.

CCI-003451

The organization updates reports for the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.

CCI-003452

The organization develops reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

CCI-003453

The organization disseminates reports to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

CCI-003454

The organization updates reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

CCI-003455

The organization designs information systems to support privacy by automating privacy controls.

CCI-003456

The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the date of each disclosure of a record.

CCI-003457

The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the nature of each disclosure of a record.

CCI-003458

The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the purpose of each disclosure of a record.

CCI-003459

The organization keeps an accurate accounting of disclosures of Privacy Act information held in each system of records under its control.

CCI-003460

The organization, as part of the accurate accounting of disclosures of Privacy Act information held in each system of records under its control, includes the name and address of the person or agency to which the disclosure was made.

CCI-003461

The organization retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer.

CCI-003462

The organization makes the accounting of disclosures available to the person named in the record upon request.

CCI-003463

The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy of that information.

CCI-003464

The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the relevancy of that information.

CCI-003465

The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the timeliness of that information.

CCI-003466

The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the completeness of that information.

CCI-003467

The organization collects personally identifiable information (PII) directly from the individual to the greatest extent practicable.

CCI-003468

The organization defines the frequency on which it will check for, and correct as necessary, inaccurate or outdated personally identifiable information (PII) used by its programs or systems.

CCI-003469

The organization checks for, and corrects as necessary, any inaccurate or outdated personally identifiable information (PII) used by its programs or systems on an organization-defined frequency.

CCI-003470

The organization issues guidelines ensuring the quality of disseminated Privacy Act information.

CCI-003471

The organization issues guidelines ensuring the utility of disseminated Privacy Act information.

CCI-003472

The organization issues guidelines ensuring the objectivity of disseminated Privacy Act information.

CCI-003473

The organization issues guidelines ensuring the integrity of disseminated Privacy Act information.

CCI-003474

The organization issues guidelines maximizing the quality of disseminated Privacy Act information.

CCI-003475

The organization issues guidelines maximizing the utility of disseminated Privacy Act information.

CCI-003476

The organization issues guidelines maximizing the objectivity of disseminated Privacy Act information.

CCI-003477

The organization issues guidelines maximizing the integrity of disseminated Privacy Act information.

CCI-003478

The organization requests the individual or individual's authorized representative validate personally identifiable information (PII) during the collection process.

CCI-003479

The organization defines the frequency on which it will request the individual, or individual's authorized representative, revalidate that personally identifiable information (PII) collected is still accurate.

CCI-003480

On an organization-defined frequency, the organization requests the individual, or individual's authorized representative, revalidate that personally identifiable information (PII) collected is still accurate.

CCI-003481

The organization documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls.

CCI-003482

The organization, when appropriate, establishes a Data Integrity Board.

CCI-003483

The organization's Data Integrity Board oversees the organizational Computer Matching Agreements.

CCI-003484

The organization's Data Integrity Board ensures the Computer Matching Agreements comply with the computer matching provisions of the Privacy Act.

CCI-003485

The organization publishes Computer Matching Agreements on its public website.

CCI-003271

The organization defines the acceptance criteria that must be met when vulnerability analysis of the information system is performed by the developer.

CCI-003272

The organization requires the developer of the information system, system component, or information system service to reduce attack surfaces to organization-defined thresholds.

CCI-003273

The organization defines the thresholds to which the developer of the information system, system component, or information system service is required to reduce attack surfaces.

CCI-003274

The organization requires the developer of the information system, system component, or information system service to implement an explicit process to continuously improve the development process.

CCI-003275

The organization requires the developer of the information system, system component, or information system services to perform an automated vulnerability analysis using organization-defined tools.

CCI-003276

The organization defines the tools the developer of the information system, system component, or information system services uses to perform an automated vulnerability analysis.

CCI-003277

The organization requires the developer of the information system, system component, or information system services to determine the exploitation potential for discovered vulnerabilities.

CCI-003278

The organization requires the developer of the information system, system component, or information system services to determine potential risk mitigations for delivered vulnerabilities.

CCI-003279

The organization requires the developer of the information system, system component, or information system services to deliver the outputs of the tools and results of the vulnerability analysis to organization-defined personnel or roles.

CCI-003280

The organization defines the personnel or roles to whom the outputs of the tools and results of the vulnerability analysis are delivered.

CCI-003281

The organization requires the developer of the information system, system component, or information system service to use threat modeling from similar systems, components, or services to inform the current development process.

CCI-003282

The organization requires the developer of the information system, system component, or information system service to use vulnerability analysis from similar systems, components, or services to inform the current development process.

CCI-003283

The organization approves the use of live data in development environments for the information system, system component, or information system service.

CCI-003284

The organization approves the use of live data in test environments for the information system, system component, or information system service.

CCI-003285

The organization documents the use of live data in development environments for the information system, system component, or information system service.

CCI-003286

The organization documents the use of live data in test environments for the information system, system component, or information system service.

CCI-003287

The organization controls the use of live data in development environments for the information system, system component, or information system service.

CCI-003288

The organization controls the use of live data in test environments for the information system, system component, or information system service.

CCI-003289

The organization requires the developer of the information system, system component, or information system service to provide an incident response plan.

CCI-003290

The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.

CCI-003291

The organization requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

CCI-003292

The organization defines the training the developer of the information system, system component, or information system service is required to provide on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

CCI-003293

The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture.

CCI-003294

The design specification and security architecture is consistent with and supportive of the organization's security architecture which is established within and is an integrated part of the organization's enterprise architecture.

CCI-003295

The design specification and security architecture accurately and completely describes the required security functionality.

CCI-003296

The design specification and security architecture accurately and completely describes the allocation of security controls among physical and logical components.

CCI-003297

The design specification and security architecture expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection.

CCI-003298

The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal policy model describing the organization-defined elements of organizational security policy to be enforced.

CCI-003299

The organization defines the elements of organization security policy to be described in the formal policy model for enforcement on the information system, system component, or information system service.

CCI-003300

The organization requires the developer of the information system, system component, or information system service to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented.

CCI-003301

The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware.

CCI-003302

The organization requires the developer of the information system, system component, or information system service to define security-relevant hardware.

CCI-003303

The organization requires the developer of the information system, system component, or information system service to define security-relevant software.

CCI-003304

The organization requires the developer of the information system, system component, or information system service to define security-relevant firmware.

CCI-003305

The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant hardware is complete.

CCI-003306

The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant software is complete.

CCI-003307

The organization requires the developer of the information system, system component, or information system service to provide a rationale that the definition for security-relevant firmware is complete.

CCI-003308

The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects.

CCI-003309

The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.

CCI-003310

The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.

CCI-003311

The organization requires the developer of the information system, system component, or information system service to show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model.

CCI-003312

The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware.

CCI-003313

The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant software.

CCI-003314

The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant firmware.

CCI-003315

The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware.

CCI-003316

The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant software.

CCI-003317

The organization requires the developer of the information system, system component, or information system service to show that the formal top-level specification is an accurate description of the implemented security-relevant firmware.

CCI-003318

The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware.

CCI-003319

The organization requires the developer of the information system, system component, or information system service to describe the security-relevant software mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant software.

CCI-003320

The organization requires the developer of the information system, system component, or information system service to describe the security-relevant firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant firmware.

CCI-003321

The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware in terms of exceptions, error messages, and effects.

CCI-003322

The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.

CCI-003323

The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.

CCI-003324

The organization requires the developer of the information system, system component, or information system service to show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model.

CCI-003325

The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware.

CCI-003326

The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant software.

CCI-003327

The organization requires the developer of the information system, system component, or information system service to show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant firmware.

CCI-003328

The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware.

CCI-003329

The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant software.

CCI-003330

The organization requires the developer of the information system, system component, or information system service to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant firmware.

CCI-003331

The organization requires the developer of the information system, system component, or information system service to describe the security-relevant hardware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware.

CCI-003332

The organization requires the developer of the information system, system component, or information system service to describe the security-relevant software mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant software.

CCI-003333

The organization requires the developer of the information system, system component, or information system service to describe the security-relevant firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant firmware.

CCI-003334

The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant hardware to use a complete, conceptually simple protection mechanism with precisely defined semantics.

CCI-003335

The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant software to use a complete, conceptually simple protection mechanism with precisely defined semantics.

CCI-003336

The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics.

CCI-003337

The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.

CCI-003338

The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant software with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.

CCI-003339

The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant firmware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.

CCI-003340

The organization requires the developer of the information system, component, or information system service to structure security-relevant hardware to facilitate testing.

CCI-003341

The organization requires the developer of the information system, component, or information system service to structure security-relevant software to facilitate testing.

CCI-003342

The organization requires the developer of the information system, component, or information system service to structure security-relevant firmware to facilitate testing.

CCI-003343

The organization requires the developer of the information system, component, or information system service to structure security-relevant hardware to facilitate controlling access with least privilege.

CCI-003344

The organization requires the developer of the information system, component, or information system service to structure security-relevant software to facilitate controlling access with least privilege.

CCI-003345

The organization requires the developer of the information system, component, or information system service to structure security-relevant firmware to facilitate controlling access with least privilege.

CCI-003346

The organization implements a tamper protection program for the information system, system component, or information system service.

CCI-003347

The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including design.

CCI-003348

The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including development.

CCI-003349

The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including integration.

CCI-003350

The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including operations.

CCI-003351

The organization employs anti-tamper technologies and techniques during multiple phases in the system development life cycle including maintenance.

CCI-003352

The organization inspects organization-defined information systems, system components, or devices at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.

CCI-003353

The organization defines the information systems, system components, or devices to inspect at random, at an organization-defined frequency, and/or upon organization-defined indications of need for inspection to detect tampering.

CCI-003354

The organization defines the frequency on which to inspect organization-defined information systems, system components, or devices to detect tampering.

CCI-003355

The organization defines indications of need for inspection to detect tampering during inspections of organization-defined information systems, system components, or devices.

CCI-003356

The organization develops an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.

CCI-003357

The organization develops an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.

CCI-003358

The organization develops anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.

CCI-003359

The organization develops anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.

CCI-003360

The organization implements an anti-counterfeit policy that includes the means to detect counterfeit components from entering the information system.

CCI-003361

The organization implements an anti-counterfeit policy that includes the means to prevent counterfeit components from entering the information system.

CCI-003362

The organization implements anti-counterfeit procedures that include the means to detect counterfeit components from entering the information system.

CCI-003363

The organization implements anti-counterfeit procedures that include the means to prevent counterfeit components from entering the information system.

CCI-003364

The organization reports counterfeit information system components to the source of the counterfeit component, organization-defined external reporting organizations, and/or organization-defined personnel or roles.

CCI-003365

The organization defines the external reporting organizations to which counterfeit information system components are to be reported.

CCI-003366

The organization defines the personnel or roles to whom counterfeit information system components are to be reported.

CCI-003367

The organization trains organization-defined personnel or roles to detect counterfeit information system components (including hardware, software, and firmware).

CCI-003368

The organization defines the personnel or roles to be trained to detect counterfeit information system components (including hardware, software, and firmware).

CCI-003369

The organization maintains configuration control over organization-defined information system components awaiting service/repair.

CCI-003370

The organization defines the information system components awaiting service/repair over which configuration control must be maintained.

CCI-003371

The organization maintains configuration control over serviced/repaired components awaiting return to service.

CCI-003372

The organization defines the support from external providers to be provided for unsupported information system components.

CCI-003373

The organization provides in-house support and/or organization-defined support from external providers for unsupported information system components.

CCI-003374

The organization documents approval for the continued use of unsupported system components required to satisfy mission/business needs.

CCI-003375

The organization provides justification for the continued use of unsupported system components required to satisfy mission/business needs.

CCI-003376

The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer.

CCI-003377

The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required screening criteria are satisfied.

CCI-003378

The organization defines the actions the developer of the information system, system component, or information system service must take to ensure the required access authorizations are satisfied.

CCI-003379

The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required screening criteria are satisfied.

CCI-003380

The organization requires the developer of the information system, system component, or information system service take organization-defined actions to ensure the required access authorizations are satisfied.

CCI-003381

The organization defines additional personnel screening criteria that must be satisfied by the developer of an organization-defined information system, system component, or information system service.

CCI-003382

The organization requires that the developer of an organization-defined information system, system component, or information system service satisfy organization-defined additional personnel screening criteria.

CCI-003383

The organization defines the official government duties to be assigned to the developer of an organization-defined information system, system component, or information system service.

CCI-003384

The organization defines the information system, system component, or information system service which requires the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria.

CCI-003385

The organization requires that the developer of an organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties.

CCI-003386

The organization defines the critical information system components to re-implement or custom develop.

CCI-003387

The organization re-implements or custom develops organization-defined critical information system components.

CCI-003388

The organization defines the frequency on which to scan for counterfeit information system components.

CCI-003389

The organization scans for counterfeit information system components in accordance with organization-defined frequency.

CCI-003390

The organization defines the techniques and methods used to dispose of information system components.

CCI-003391

The organization disposes of information system components using organization-defined techniques and methods.

CCI-003124

The organization obtains administrator documentation for the information system, system component, or information system service that describes secure configuration of the system, component, or service.

CCI-003125

The organization obtains administrator documentation for the information system, system component, or information system service that describes secure installation of the system, component, or service.

CCI-003126

The organization obtains administrator documentation for the information system, system component, or information system service that describes secure operation of the system, component, or service.

CCI-003127

The organization obtains administrator documentation for the information system, system component, or information system services that describes effective use and maintenance of security functions/mechanisms.

CCI-003128

The organization obtains administrator documentation for the information system, system component, or information system service that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.

CCI-003129

The organization obtains user documentation for the information system, system component, or information system service that describes user-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms.

CCI-003130

The organization obtains user documentation for the information system, system component, or information system service that describes methods for user interaction which enables individuals to use the system, component, or service in a more secure manner.

CCI-003131

The organization obtains user documentation for the information system, system component, or information system service that describes user responsibilities in maintaining the security of the system, component, or service.

CCI-003132

The organization takes organization-defined actions in response to attempts to obtain either unavailable or nonexistent documentation for the information system, system component, or information system service.

CCI-003133

The organization defines actions to be taken in response to attempts to obtain either unavailable or nonexistent documentation for the information system, system component, or information system service.

CCI-003134

The organization protects information system, system component, or information system service documentation as required, in accordance with the risk management strategy.

CCI-003135

The organization distributes information system, system component, or information system service documentation to organization-defined personnel or roles.

CCI-003136

The organization defines the personnel or roles to whom information system, system component, or information system service documentation is to be distributed.

CCI-003137

The organization defines security controls that providers of external information system services employ in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

CCI-003138

The organization employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.

CCI-003139

The organization defines processes, methods, and techniques to employ to monitor security control compliance by external service providers on an ongoing basis.

CCI-003140

The organization conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services.

CCI-003141

The organization ensures that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.

CCI-003142

The organization defines the personnel or roles authorized to approve the acquisition or outsourcing of dedicated information security services.

CCI-003143

The organization requires providers of organization-defined external information system services to identify the functions, ports, protocols, and other services required for the use of such services.

CCI-003144

The organization defines the external information system services for which the providers are required to identify the functions, ports, protocols, and other services required for the use of such services.

CCI-003145

The organization establishes trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.

CCI-003146

The organization documents trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.

CCI-003147

The organization maintains trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.

CCI-003148

The organization defines security requirements, properties, factors, or conditions defining acceptable trust relationships with external service providers.

CCI-003149

The organization employs organization-defined security safeguards to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.

CCI-003150

The organization defines security safeguards to employ to ensure that the interests of organization-defined external service providers are consistent with and reflect organizational interests.

CCI-003151

The organization defines external service providers whose interests are consistent with and reflect organizational interests.

CCI-003152

The organization restricts the location of information processing, information/data, and/or information system services to organization-defined locations based on organization-defined requirements or conditions.

CCI-003153

The organization defines the locations for which to restrict information processing, information/data, and/or information system services based on organization-defined requirements or conditions.

CCI-003154

The organization defines the requirements or conditions on which to base restricting the location of information processing, information/data, and/or information system services to organization-defined locations.

CCI-003155

The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service design, development, implementation and/or operation.

CCI-003156

The organization requires the developer of the information system, system component, or information system service to document the integrity of changes to organization-defined configuration items under configuration management.

CCI-003157

The organization requires the developer of the information system, system component, or information system service to manage the integrity of changes to organization-defined configuration items under configuration management.

CCI-003158

The organization requires the developer of the information system, system component, or information system service to control the integrity of changes to organization-defined configuration items under configuration management.

CCI-003159

The organization defines the configuration items under configuration management that require the integrity of changes to be documented, managed and controlled.

CCI-003160

The organization requires the developer of the information system, system component, or information system service to document the potential security impacts of approved changes to the system, component, or service.

CCI-003161

The organization requires the developer of the information system, system component, or information system service to track security flaws within the system, component, or service.

CCI-003162

The organization requires the developer of the information system, system component, or information system service to track flaw resolution within the system, component, or service.

CCI-003163

The organization requires the developer of the information system, system component, or information system service to report findings of security flaws and flaw resolution within the system, component, or service to organization-defined personnel.

CCI-003164

The organization defines the personnel to whom security flaw findings and flaw resolution within the system, component, or service are reported.

CCI-003165

The organization requires the developer of the information system, system component, or information system service to enable integrity verification of hardware components.

CCI-003166

The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions.

CCI-003167

The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of software/firmware source code with previous versions.

CCI-003168

The organization requires the developer of the information system, system component, or information system service to employ tools for comparing newly generated versions of object code with previous versions.

CCI-003169

The organization requires the developer of the information system, system component, or information system service to maintain the integrity of the mapping between the master build data (hardware drawings and software/firmware code) describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.

CCI-003170

The organization requires the developer of the information system, system component, or information system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.

CCI-003171

The organization requires the developer of the information system, system component, or information system service to create a security assessment plan.

CCI-003172

The organization requires the developer of the information system, system component, or information system service to implement a security assessment plan.

CCI-003173

The organization requires the developer of the information system, system component, or information system service to perform unit, integration, system, and/or regression testing/evaluation at an organization-defined depth and coverage.

CCI-003174

The organization defines the depth and coverage at which to perform unit, integration, system, and/or regression testing/evaluation.

CCI-003175

The organization requires the developer of the information system, system component, or information system service to produce evidence of the execution of the security assessment plan.

CCI-003176

The organization requires the developer of the information system, system component, or information system service to produce the results of the security testing/evaluation.

CCI-003177

The organization requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process.

CCI-003178

The organization requires the developer of the information system, system component, or information system service to correct flaws identified during security testing/evaluation.

CCI-003179

The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws.

CCI-003180

The organization requires the developer of the information system, system component, or information system service to document the results of static code analysis.

CCI-003181

The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analysis.

CCI-003182

The organization requires the developer of the information system, system component, or information system service to perform testing/evaluation of the as-built system, component, or service subsequent to threat and vulnerability analysis.

CCI-003183

The organization requires an independent agent satisfying organization-defined independence criteria to verify the correct implementation of the developer security assessment plan.

CCI-003184

The organization requires an independent agent satisfying organization-defined independence criteria to verify the evidence produced during security testing/evaluation.

CCI-003185

The organization defines the independence criteria the independent agent must satisfy prior to verifying the correct implementation of the developer security assessment plan and the evidence produced during security testing/evaluation.

CCI-003186

The organization ensures that the independent agent either is provided with sufficient information to complete the verification process or has been granted the authority to obtain such information.

CCI-003187

The organization requires the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code using organization-defined processes, procedures, and/or techniques.

CCI-003188

The organization defines the specific code for which the developer of the information system, system component, or information system service is required to perform a manual code review using organization-defined process, procedures, and/or techniques.

CCI-003189

The organization defines the processes, procedures, and/or techniques to be used by the developer of the information system, system component, or information system service to perform a manual code review of organization-defined specific code.

CCI-003190

The organization requires the developer of the information system, system component, or information system service to perform penetration testing at an organization-defined breadth/depth and with organization-defined constraints.

CCI-003191

The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform penetration testing.

CCI-003192

The organization defines the constraints on penetration testing performed by the developer of the information system, system component, or information system service.

CCI-003193

The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.

CCI-003194

The organization requires the developer of the information system, system component, or information system service to verify that the scope of security testing/evaluation provides complete coverage of required security controls at an organization-defined depth of testing/evaluation.

CCI-003195

The organization defines the depth of testing/evaluation to which the developer of the information system, system component, or information system service is required to verify that the scope of security testing/evaluation provides complete coverage of the required security controls.

CCI-003196

The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws.

CCI-003197

The organization requires the developer of the information system, system component, or information system service to document the results of the dynamic code analysis.

CCI-003198

The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.

CCI-003199

The organization defines tailored acquisition strategies, contract tools, and procurement methods to employ for the purchase of the information system, system component, or information system service from suppliers.

CCI-003200

The organization conducts a supplier review prior to entering into a contractual agreement to acquire the information system, system component, or information system service.

CCI-003201

The organization employs organization-defined security safeguards to limit harm from potential adversaries identifying and targeting the organizational supply chain.

CCI-003202

The organization defines security safeguards to employ to limit harm from potential adversaries identifying and targeting the organizational supply chain.

CCI-003203

The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.

CCI-003204

The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update.

CCI-003205

The organization uses all-source intelligence analysis of suppliers and potential suppliers of the information system, system component, or information system service.

CCI-003206

The organization employs organization-defined Operations Security (OPSEC) safeguards in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.

CCI-003207

The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.

CCI-003208

The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.

CCI-003209

The organization employs organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.

CCI-003210

The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.

CCI-003211

The organization defines the Operations Security (OPSEC) safeguards to be employed in accordance with classification guides to protect supply chain-related information for the information system, system component, or information system service.

CCI-003212

The organization employs organization-defined security safeguards to validate that the information system or system component received is genuine and has not been altered.

CCI-003213

The organization defines the security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered.

CCI-003214

The organization employs organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing of organization-defined supply chain elements, processes, and actors associated with the information system, system component, or information system service.

CCI-003215

The organization defines the supply chain elements, processes, and actors associated with the information system, system component, or information system service for organizational analysis, independent third-party analysis, organizational penetration testing and/or independent third-party penetration testing.

CCI-003216

The organization establishes inter-organizational agreements with entities involved in the supply chain for the information system, system component, or information system service.

CCI-003217

The organization establishes inter-organizational procedures with entities involved in the supply chain for the information system, system component, or information system service.

CCI-003218

The organization employs organization-defined security safeguards to ensure an adequate supply of organization-defined critical information system components.

CCI-003219

The organization defines the security safeguards to be employed to ensure an adequate supply of organization-defined critical information system components.

CCI-003220

The organization defines the critical information system components for which organization-defined security safeguards are employed to ensure adequate supply.

CCI-003221

The organization establishes unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.

CCI-003222

The organization retains unique identification of organization-defined supply chain elements, processes, and actors for the information system, system component, or information system service.

CCI-003223

The organization defines the supply chain elements, processes, and actors for the information system, system component, or information system service to establish and retain unique identification.

CCI-003224

The organization establishes a process to address weaknesses or deficiencies in supply chain elements identified during independent or organizational assessments of such elements.

CCI-003225

The organization describes the trustworthiness required in the organization-defined information system, information system component, or information system service supporting its critical missions/business functions.

CCI-003226

The organization defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.

CCI-003227

The organization implements an organization-defined assurance overlay to achieve trustworthiness required to support its critical missions/business functions.

CCI-003228

The organization defines an assurance overlay to be implemented to achieve trustworthiness required to support its critical missions/business functions.

CCI-003229

The organization identifies critical information system components by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.

CCI-003230

The organization identifies critical information system functions by performing a criticality analysis for organization-defined information systems, information system components, or information system services at organization-defined decision points in the system development life cycle.

CCI-003231

The organization defines the information systems, information system components, or information system services for which the organization identifies critical information system components and functions for criticality analysis.

CCI-003232

The organization defines the decision points in the system development life cycle at which to perform a criticality analysis to identify critical information system components and functions for organization-defined information systems, information system components, or information system services.

CCI-003233

The organization requires the developer of the information system, system component, or information system service to follow a documented development process.

CCI-003234

The documented information system, system component, or information system service development process explicitly addresses security requirements.

CCI-003235

The documented information system, system component, or information system service development process identifies the standards used in the development process.

CCI-003236

The documented information system, system component, or information system service development process identifies the tools used in the development process.

CCI-003237

The documented information system, system component, or information system service development process documents the specific tool options and tool configurations used in the development process.

CCI-003238

The documented information system, system component, or information system service development process documents changes to the process and/or tools used in development.

CCI-003239

The documented information system, system component, or information system service development process manages changes to the process and/or tools used in development.

CCI-003240

The documented information system, system component, or information system service development process ensures the integrity of changes to the process and/or tools used in development.

CCI-003241

The organization reviews the development process in accordance with organization-defined frequency to determine if the development process selected and employed can satisfy organization-defined security requirements.

CCI-003242

The organization reviews the development standards in accordance with organization-defined frequency to determine if the development standards selected and employed can satisfy organization-defined security requirements.

CCI-003243

The organization reviews the development tools in accordance with organization-defined frequency to determine if the development tools selected and employed can satisfy organization-defined security requirements.

CCI-003244

The organization reviews the development tool options/configurations in accordance with organization-defined frequency to determine if the development tool options/configurations selected and employed can satisfy organization-defined security requirements.

CCI-003245

The organization defines the frequency on which to review the development process, standards, tools, and tool options/configurations to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy organization-defined security requirements.

CCI-003246

The organization defines the security requirements that must be satisfied by conducting a review of the development process, standards, tools, and tool options/configurations.

CCI-003247

The organization requires the developer of the information system, system component, or information system service to define quality metrics at the beginning of the development process.

CCI-003248

The organization requires the developer of the information system, system component, or information system service to provide evidence of meeting the quality metrics in accordance with organization-defined frequency, organization-defined program review milestones and/or upon delivery.

CCI-003249

The organization defines the frequency on which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics.

CCI-003250

The organization defines the program review milestones at which the developer of the information system, system component, or information system service is required to provide evidence of meeting the quality metrics.

CCI-003251

The organization requires the developer of the information system, system component, or information system service to select a security tracking tool for use during the development process.

CCI-003252

The organization requires the developer of the information system, system component, or information system service to employ a security tracking tool for use during the development process.

CCI-003253

The organization requires the developer of the information system, system component, or information system service to perform a criticality analysis at an organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.

CCI-003254

The organization defines the breadth/depth at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.

CCI-003255

The organization defines decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.

CCI-003256

The organization requires that developers perform threat modeling for the information system at an organization-defined breadth/depth.

CCI-003257

The organization requires that developers perform a vulnerability analysis for the information system at an organization-defined breadth/depth.

CCI-003258

The organization defines the breadth/depth at which threat modeling for the information system must be performed by developers.

CCI-003259

The organization defines the breadth/depth at which vulnerability analysis for the information system must be performed by developers.

CCI-003260

Threat modeling performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.

CCI-003261

Vulnerability analysis performed by the developer for the information system uses organization-defined information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels.

CCI-003262

The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform threat modeling for the information system by the developer.

CCI-003263

The organization defines information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used to perform a vulnerability analysis for the information system by the developer.

CCI-003264

The organization requires the threat modeling performed by the developers employ organization-defined tools and methods.

CCI-003265

The organization requires the vulnerability analysis performed by the developers employ organization-defined tools and methods.

CCI-003266

The organization defines tools and methods to be employed to perform threat modeling for the information system by the developer.

CCI-003267

The organization defines tools and methods to be employed to perform a vulnerability analysis for the information system by the developer.

CCI-003268

The organization requires that developers performing threat modeling for the information system produce evidence that meets organization-defined acceptance criteria.

CCI-003269

The organization requires that developers performing vulnerability analysis for the information system produce evidence that meets organization-defined acceptance criteria.

CCI-003270

The organization defines the acceptance criteria that must be met when threat modeling of the information system is performed by the developer.

CCI-003123

The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.

CCI-003047

The organization defines the personnel or roles to whom a security planning policy is disseminated.

CCI-003048

The organization defines the personnel or roles to whom the security planning procedures are disseminated.

CCI-003049

The organization develops a security plan for the information system.

CCI-003050

The organization's security plan for the information system is consistent with the organization's enterprise architecture.

CCI-003051

The organization's security plan for the information system explicitly defines the authorization boundary for the system.

CCI-003052

The organization's security plan for the information system describes the operational context of the information system in terms of missions and business processes.

CCI-003053

The organization's security plan for the information system provides the security categorization of the information system, including supporting rationale.

CCI-003054

The organization's security plan for the information system describes the operational environment for the information system and relationships with, or connections to, other information systems.

CCI-003055

The organization's security plan for the information system provides an overview of the security requirements for the system.

CCI-003056

The organization's security plan for the information system identifies any relevant overlays, if applicable.

CCI-003057

The organization's security plan for the information system describes the security controls in place or planned for meeting those requirements, including a rationale for the tailoring decisions.

CCI-003058

The organization distributes copies of the security plan to organization-defined personnel or roles.

CCI-003059

The organization distributes copies of the security plan to organization-defined personnel or roles.

CCI-003060

The organization defines the personnel or roles to whom copies of the security plan are distributed.

CCI-003061

The organization communicates subsequent changes to the security plan to organization-defined personnel or roles.

CCI-003062

The organization defines the personnel or roles to whom changes to the security plan are communicated.

CCI-003063

The organization protects the security plan from unauthorized disclosure.

CCI-003064

The organization protects the security plan from unauthorized modification.

CCI-003065

The organization plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities.

CCI-003066

The organization defines the individuals or groups with whom security-related activities are planned and coordinated.

CCI-003067

The organization defines the individuals or groups with whom security-related activities are planned and coordinated.

CCI-003068

The organization reviews and updates the rules of behavior in accordance with organization-defined frequency.

CCI-003069

The organization defines the frequency with which to review and update the rules of behavior.

CCI-003070

The organization requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

CCI-003071

The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum, how the organization intends to operate the system from the perspective of information security.

CCI-003072

The organization develops an information security architecture for the information system.

CCI-003073

The organization's information security architecture for the information system describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information.

CCI-003074

The organization's information security architecture for the information system describes how the information security architecture is integrated into and supports the enterprise architecture.

CCI-003075

The organization's information security architecture for the information system describes any information security assumptions about, and dependencies on, external services.

CCI-003076

The organization reviews and updates the information security architecture in accordance with organization-defined frequency to reflect updates in the enterprise architecture.

CCI-003077

The organization defines the frequency with which to review and update the information system architecture.

CCI-003078

The organization ensures that planned information security architecture changes are reflected in the security plan.

CCI-003079

The organization ensures that planned information security architecture changes are reflected in the security Concept of Operations (CONOPS).

CCI-003080

The organization ensures that planned information security architecture changes are reflected in organizational procurements/acquisitions.

CCI-003081

The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined locations.

CCI-003082

The organization designs its security architecture using a defense-in-depth approach that allocates organization-defined security safeguards to organization-defined architectural layers.

CCI-003083

The organization defines the security safeguards to be allocated to organization-defined locations.

CCI-003084

The organization defines the security safeguards to be allocated to organization-defined architectural layers.

CCI-003085

The organization defines the locations to which it allocates organization-defined security safeguards in the security architecture.

CCI-003086

The organization defines the architectural layers to which it allocates organization-defined security safeguards in the security architecture.

CCI-003087

The organization designs its security architecture using a defense-in-depth approach that ensures that the allocated security safeguards operate in a coordinated and mutually reinforcing manner.

CCI-003088

The organization requires that organization-defined security safeguards allocated to organization-defined locations and architectural layers be obtained from different suppliers.

CCI-003089

The organization defines the personnel or roles to whom the system and services acquisition policy is disseminated.

CCI-003090

The organization defines the personnel or roles to whom procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are disseminated.

CCI-003091

The organization determines information security requirements for the information system or information system service in mission/business process planning.

CCI-003092

The organization defines a system development life cycle that is used to manage the information system.

CCI-003093

The organization integrates the organizational information security risk management process into system development life cycle activities.

CCI-003094

The organization includes the security functional requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

CCI-003095

The organization includes the security strength requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

CCI-003096

The organization includes the security assurance requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

CCI-003097

The organization includes the security-related documentation requirements, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

CCI-003098

The organization includes requirements for protecting security-related documentation, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

CCI-003099

The organization includes a description of the information system development environment and the environment in which the system is intended to operate, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

CCI-003100

The organization includes acceptance criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs.

CCI-003101

The organization requires the developer of the information system, system component, or information system service to provide design information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined design information at an organization-defined level of detail.

CCI-003102

The organization requires the developer of the information system, system component, or information system service to provide implementation information for the security controls to be employed that includes security-relevant external system interfaces, high-level design, low-level design, source code, hardware schematics, and/or organization-defined implementation information at an organization-defined level of detail.

CCI-003103

The organization defines the design information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.

CCI-003104

The organization defines the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.

CCI-003105

The organization defines the level of detail for the design information of the security controls that is required to be provided by the developer of the information system, system component, or information system services.

CCI-003106

The organization defines the level of detail for the implementation information of the security controls that is required to be provided by the developer of the information system, system component, or information system services.

CCI-003107

The organization requires the developer of the information system, system component, or information system service to demonstrate the use of a system development life cycle that includes organization-defined state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes.

CCI-003108

The organization defines the state-of-the-practice system/security engineering methods, software development methods, testing/evaluation/validation techniques, and quality control processes that the developer of the information system, system component, or information system service is required to include when demonstrating the use of a system development life cycle.

CCI-003109

The organization requires the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented.

CCI-003110

The organization defines the security configurations required to be implemented when the developer delivers the information system, system component, or information system service.

CCI-003111

The organization requires the developer of the information system, system component, or information system service to use the organization-defined security configurations as the default for any subsequent system, component, or service reinstallation or upgrade.

CCI-003112

The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains an organization-defined level of detail.

CCI-003113

The organization defines the level of detail to be contained in the plan for the continuous monitoring of security control effectiveness that the developer of the information system, system component, or information system services is required to produce.

CCI-003114

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

CCI-003115

The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.

CCI-003116

The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

CCI-003117

The organization centrally manages organization-defined security controls and related processes.

CCI-003118

The organization defines security controls and related processes to be centrally managed.

CCI-003119

The organization employs a technical surveillance countermeasures survey at organization-defined locations on an organization-defined frequency or when organization-defined events or indicators occur.

CCI-003120

The organization defines the locations where technical surveillance countermeasures surveys are to be employed.

CCI-003121

The organization defines the frequency on which to employ technical surveillance countermeasures surveys.

CCI-003122

The organization defines the events or indicators upon which technical surveillance countermeasures surveys are to be employed.

CCI-003016

The organization, upon termination of individual employment, notifies organization-defined personnel or roles within an organization-defined time period.

CCI-003017

The organization defines the personnel or roles to whom a personnel security policy is disseminated.

CCI-003018

The organization defines the personnel or roles to whom the personnel security procedures are disseminated.

CCI-003019

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties.

CCI-003020

The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection satisfy organization-defined additional personnel screening criteria.

CCI-003021

The organization defines additional personnel screening criteria that individuals accessing an information system processing, storing, or transmitting information requiring protection must satisfy.

CCI-003022

The organization defines the time period within which to disable information system access upon termination of individual employment.

CCI-003023

The organization, upon termination of individual employment, terminates/revokes any authenticators/credentials associated with the individual.

CCI-003024

The organization defines information security topics to be discussed while conducting exit interviews.

CCI-003025

The organization defines personnel or roles to notify upon termination of individual employment.

CCI-003026

The organization defines the time period within which to notify organization-defined personnel or roles upon termination of individual employment.

CCI-003027

The organization notifies terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information.

CCI-003028

The organization requires terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process.

CCI-003029

The organization employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual.

CCI-003030

The organization defines the personnel or roles to be notified by automated mechanism upon termination of an individual.

CCI-003031

The organization modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer.

CCI-003032

The organization notifies organization-defined personnel or roles within an organization-defined time period when individuals are transferred or reassigned to other positions within the organization.

CCI-003033

The organization defines personnel or roles to be notified when individuals are transferred or reassigned to other positions within the organization.

CCI-003034

The organization defines the time period within which organization-defined personnel or roles are to be notified when individuals are transferred or reassigned to other positions within the organization.

CCI-003035

The organization develops and documents access agreements for organizational information systems.

CCI-003036

The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.

CCI-003037

The organization defines the frequency for individuals requiring access to organization information and information systems to re-sign access agreements.

CCI-003038

The organization notifies individuals of applicable, legally binding post-employment requirements for protection of organizational information.

CCI-003039

The organization requires individuals to sign an acknowledgement of legally binding post-employment requirements for protection of organizational information, if applicable, as part of granting initial access to covered information.

CCI-003040

The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.

CCI-003041

The organization requires third-party providers to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within an organization-defined time period.

CCI-003042

The organization defines personnel or roles whom third-party providers are to notify when third-party personnel who possess organizational credentials and/or badges or who have information system privileges are transferred or terminated.

CCI-003043

The organization defines the time period for third-party providers to notify organization-defined personnel or roles when third-party personnel who possess organizational credentials and/or badges or who have information system privileges are transferred or terminated.

CCI-003044

The organization notifies organization-defined personnel or roles within an organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

CCI-003045

The organization defines personnel or roles who are to be notified when a formal employee sanctions process is initiated.

CCI-003046

The organization defines the time period within which to notify organization-defined personnel or roles when a formal employee sanctions process is initiated.

CCI-003014

The information system enforces organization-defined mandatory access control policies over all subjects and objects.

CCI-003015

The mandatory access control policy specifies that organization-defined subjects may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.

CCI-002955

The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to long-term alternate power in the event of a primary power source loss.

CCI-002956

The organization provides a long-term alternate power supply for the information system that is self-contained.

CCI-002957

The organization provides a long-term alternate power supply for the information system that is not reliant on external power generation.

CCI-002958

The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source.

CCI-002959

The organization provides emergency lighting for all areas within the facility supporting essential missions.

CCI-002960

The organization provides emergency lighting for all areas within the facility supporting essential business functions.

CCI-002961

The organization employs fire detection devices/systems for the information system that activate automatically.

CCI-002962

The organization employs fire detection devices/systems for the information system that automatically activate to notify organization-defined personnel or roles and organization-defined emergency responders in the event of a fire.

CCI-002963

The organization defines the personnel or roles to be notified in the event of a fire.

CCI-002964

The organization defines the emergency responders to be notified in the event of a fire.

CCI-002965

The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to organization-defined personnel or roles and organization-defined emergency responders.

CCI-002966

The organization defines the personnel or roles to be automatically notified of any activation of fire suppression devices/systems for the information system.

CCI-002967

The organization defines the emergency responders to be automatically notified of any activation of fire suppression devices/systems for the information system.

CCI-002968

The organization ensures that the facility undergoes, on an organization-defined frequency, fire protection inspections by authorized and qualified inspectors.

CCI-002969

The organization defines a frequency with which the facility undergoes fire protection inspections.

CCI-002970

The organization resolves deficiencies identified during facility fire protection inspections within an organization-defined time period.

CCI-002971

The organization defines the time period within which to resolve deficiencies identified during facility fire protection inspections.

CCI-002972

The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts organization-defined personnel or roles.

CCI-002973

The organization defines the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system.

CCI-002974

The organization defines types of information system components to authorize, monitor, and control entering and exiting the facility and to maintain records.

CCI-002975

The organization defines security controls to employ at alternate work sites.

CCI-002976

The organization defines physical and environmental hazards that could cause potential damage to information system components within the facility.

CCI-002977

The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards.

CCI-002978

The organization considers the physical and environmental hazards in its risk mitigation strategy for existing facilities.

CCI-002979

The organization employs organization-defined asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.

CCI-002980

The organization defines asset location technologies to track and monitor the location and movement of organization-defined assets within organization-defined controlled areas.

CCI-002981

The organization defines the assets within the organization-defined controlled areas which are to be tracked and monitored for their location and movement.

CCI-002982

The organization defines controlled areas where the location and movement of organization-defined assets are tracked and monitored.

CCI-002983

The organization ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.

CCI-002984

The organization develops an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).

CCI-002985

The organization disseminates an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.

CCI-002986

The organization disseminates an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI-002987

The organization disseminates an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).

CCI-002988

The organization disseminates an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.

CCI-002989

The organization protects the information security program plan from unauthorized disclosure.

CCI-002990

The organization protects the information security program plan from unauthorized modification.

CCI-002991

The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are developed.

CCI-002992

The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are reported in accordance with OMB FISMA reporting requirements.

CCI-002993

The organization reviews plans of action and milestones for the security program and associated organization information systems for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

CCI-002994

The organization reviews and updates the risk management strategy in accordance with organization-defined frequency or as required, to address organizational changes.

CCI-002995

The organization defines the frequency with which to review and update the risk management strategy to address organizational changes.

CCI-002996

The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

CCI-002997

The organization establishes an information security workforce development and improvement program.

CCI-002998

The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are developed.

CCI-002999

The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are maintained.

CCI-003000

The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are developed.

CCI-003001

The organization implements a process for ensuring that organizational plans for conducting security training activities associated with organizational information systems are maintained.

CCI-003002

The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are developed.

CCI-003003

The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems are maintained.

CCI-003004

The organization implements a process for ensuring that organizational plans for conducting security testing associated with organizational information systems continue to be executed in a timely manner.

CCI-003005

The organization implements a process for ensuring that organizational plans for conducting security training associated with organizational information systems continue to be executed in a timely manner.

CCI-003006

The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems continue to be executed in a timely manner.

CCI-003007

The organization reviews testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

CCI-003008

The organization reviews training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

CCI-003009

The organization reviews monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

CCI-003010

The organization establishes and institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel.

CCI-003011

The organization establishes and institutionalizes contact with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies.

CCI-003012

The organization establishes and institutionalizes contact with selected groups and associations within the security community to share current security-related information including threats, vulnerabilities, and incidents.

CCI-003013

The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

CCI-002908

The organization defines the personnel or roles to whom a physical and environmental protection policy is disseminated.

CCI-002909

The organization defines the personnel or roles to whom the physical and environmental protection procedures are disseminated.

CCI-002910

The organization approves a list of individuals with authorized access to the facility where the information system resides.

CCI-002911

The organization maintains a list of individuals with authorized access to the facility where the information system resides.

CCI-002912

The organization defines a list of acceptable forms of identification for visitor access to the facility where the information system resides.

CCI-002913

The organization restricts unescorted access to the facility where the information system resides to personnel with one or more of the following: security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; organization-defined credentials.

CCI-002914

The organization defines the credentials required for personnel to have unescorted access to the facility where the information system resides.

CCI-002915

The organization defines the entry/exit points to the facility where the information system resides.

CCI-002916

The organization defines the physical access control systems/devices or guards that control ingress/egress to the facility where the information system resides.

CCI-002917

The organization maintains physical access audit logs for organization-defined entry/exit points to the facility where the information system resides.

CCI-002918

The organization defines entry/exit points to the facility where the information system resides that require physical access audit logs be maintained.

CCI-002919

The organization provides organization-defined security safeguards to control access to areas within the facility where the information system resides officially designated as publicly accessible.

CCI-002920

The organization defines security safeguards to control access to areas within the facility where the information system resides officially designated as publicly accessible.

CCI-002921

The organization escorts visitors in the facility where the information system resides during organization-defined circumstances requiring visitor escorts.

CCI-002922

The organization defines circumstances requiring visitor escorts in the facility where the information system resides.

CCI-002923

The organization monitors visitor activity in the facility where the information system resides during organization-defined circumstances requiring visitor monitoring.

CCI-002924

The organization defines circumstances requiring visitor monitoring in the facility where the information system resides.

CCI-002925

The organization defines the physical access devices to inventory.

CCI-002926

The organization defines the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility where the information system resides.

CCI-002927

The organization defines the frequency with which to perform security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.

CCI-002928

The organization defines security safeguards to detect and prevent physical tampering or alteration of organization-defined hardware components within the information system.

CCI-002929

The organization defines hardware components within the information system for which to employ organization-defined security safeguards to detect and prevent physical tampering or alteration.

CCI-002930

The organization defines the information system distribution and transmission lines within organizational facilities to which physical access is controlled using organization-defined security safeguards.

CCI-002931

The organization defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities.

CCI-002932

The organization controls physical access to output from organization-defined output devices.

CCI-002933

The organization defines output devices for which physical access to output is controlled.

CCI-002934

The organization ensures that only authorized individuals receive output from organization-defined output devices.

CCI-002935

The information system controls physical access to output from organization-defined output devices.

CCI-002936

The information system links individual identity to receipt of output from organization-defined output devices.

CCI-002937

The organization marks organization-defined information system output devices indicating the appropriate security marking of the information permitted to be output from the device.

CCI-002938

The organization defines the information system output devices marked indicating the appropriate security marking of the information permitted to be output from the device.

CCI-002939

The organization monitors physical access to the facility where the information system resides to detect and respond to physical security incidents.

CCI-002940

The organization reviews physical access logs upon occurrence of organization-defined events or potential indications of events.

CCI-002941

The organization defines events or potential indications of events requiring review of physical access logs.

CCI-002942

The organization employs automated mechanisms to recognize organization-defined classes/types of intrusions.

CCI-002943

The organization defines classes/types of intrusions to recognize using automated mechanisms.

CCI-002944

The organization employs automated mechanisms to initiate organization-defined response actions to organization-defined classes/types of intrusions.

CCI-002945

The organization defines response actions to initiate when organization-defined classes/types of intrusions are recognized.

CCI-002946

The organization employs video surveillance of organization-defined operational areas.

CCI-002947

The organization defines the operational areas in which to employ video surveillance.

CCI-002948

The organization retains video surveillance recordings for an organization-defined time period.

CCI-002949

The organization defines the time period to retain video surveillance recordings.

CCI-002950

The organization monitors physical access to the information system, in addition to the physical access monitoring of the facility, at organization-defined physical spaces containing one or more components of the information system.

CCI-002951

The organization defines physical spaces containing one or more components of the information system in which physical access is monitored.

CCI-002952

The organization defines the time period to maintain visitor access records to the facility where the information system resides.

CCI-002953

The organization employs redundant power cabling paths that are physically separated by an organization-defined distance.

CCI-002954

The organization defines the distance by which to physically separate redundant power cabling paths.

CCI-002907

The organization defines the system mode to be invoked, such as a full system shutdown, a partial system shutdown, or a degraded operational mode with limited mission/business functionality available, in the event of organization-defined audit failures.

CCI-002906

The organization defines the vulnerability scanning activities in which the information system implements privileged access authorization to organization-identified information system components.

CCI-002905

The organization employs automated mechanisms to schedule, conduct, and document maintenance.

CCI-002861

The organization defines the personnel or roles to whom a system maintenance policy is disseminated.

CCI-002862

The organization defines the personnel or roles to whom system maintenance procedures are to be disseminated.

CCI-002863

The organization employs automated mechanisms to schedule, conduct, and document repairs.

CCI-002864

The organization produces up-to-date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed.

CCI-002865

The organization produces up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed.

CCI-002866

The organization schedules maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002867

The organization performs maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002868

The organization documents maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002869

The organization reviews records of maintenance on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002870

The organization schedules repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002871

The organization performs repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002872

The organization documents repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002873

The organization reviews records of repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.

CCI-002874

The organization defines the personnel or roles who can explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.

CCI-002875

The organization includes organization-defined maintenance-related information in organizational maintenance records.

CCI-002876

The organization defines the maintenance-related information to include in organizational maintenance records.

CCI-002877

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by verifying that there is no organizational information contained on the equipment.

CCI-002878

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by sanitizing or destroying the equipment.

CCI-002879

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility.

CCI-002880

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility.

CCI-002881

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.

CCI-002882

The organization defines the personnel or roles who can provide an exemption that explicitly authorizes removal of equipment from the facility.

CCI-002883

The information system restricts the use of maintenance tools to authorized personnel only.

CCI-002884

The organization audits nonlocal maintenance and diagnostic sessions' organization-defined audit events.

CCI-002885

The organization defines the nonlocal maintenance and diagnostic session audit events to audit.

CCI-002886

The organization reviews the records of the nonlocal maintenance and diagnostic sessions.

CCI-002887

The organization defines the authenticators that are replay resistant which will be employed to protect nonlocal maintenance sessions.

CCI-002888

The organization defines the personnel or roles authorized to approve each nonlocal maintenance session.

CCI-002889

The organization notifies organization-defined personnel or roles of the date and time of planned nonlocal maintenance.

CCI-002890

The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.

CCI-002891

The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.

CCI-002892

The organization develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.

CCI-002893

The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system, but in the physical proximity of the system, have the required access authorizations.

CCI-002894

The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations.

CCI-002895

The organization designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

CCI-002896

The organization defines the information system components for which it obtains maintenance support and/or spare parts.

CCI-002897

The organization defines a time period for obtaining maintenance support and/or spare parts for organization-defined information system components after a failure.

CCI-002898

The organization performs preventive maintenance on organization-defined information system components at organization-defined time intervals.

CCI-002899

The organization defines information system components on which to perform preventive maintenance.

CCI-002900

The organization defines time intervals at which to perform preventive maintenance on organization-defined information system components.

CCI-002901

The organization performs predictive maintenance on organization-defined information system components at organization-defined intervals.

CCI-002902

The organization defines information system components on which to perform predictive maintenance.

CCI-002903

The organization defines time intervals at which to perform predictive maintenance on organization-defined information system components.

CCI-002904

The organization employs automated mechanisms to transfer predictive maintenance data to a computerized maintenance management system.

CCI-002825

The organization defines personnel or roles to whom the contingency planning policy is to be disseminated.

CCI-002826

The organization defines personnel or roles to whom the contingency planning procedures are disseminated.

CCI-002827

The organization coordinates its contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

CCI-002828

The organization identifies critical information system assets supporting essential missions.

CCI-002829

The organization identifies critical information system assets supporting essential business functions.

CCI-002830

The organization defines the personnel or roles who review and approve the contingency plan for the information system.

CCI-002831

The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated.

CCI-002832

The organization protects the contingency plan from unauthorized disclosure and modification.

CCI-002833

The organization defines the time period within which contingency training, consistent with assigned roles and responsibilities, is to be provided to information system users after they assume a contingency role or responsibility.

CCI-002834

The organization provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes.

CCI-002835

The organization tests the contingency plan at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.

CCI-002836

The organization ensures that the alternate storage site provides information security safeguards equivalent to those of the primary site.

CCI-002837

The organization plans for circumstances that preclude returning to the primary processing site.

CCI-002838

The organization prepares for circumstances that preclude returning to the primary processing site.

CCI-002839

The organization defines information system operations that are permitted to transfer and resume at an alternate processing site for essential missions/business functions when the primary processing capabilities are unavailable.

CCI-002840

The organization defines the information system operations to be resumed for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

CCI-002841

The organization defines the information system operations to be resumed for essential business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

CCI-002842

The organization reviews provider contingency plans to ensure that the plans meet organizational contingency requirements.

CCI-002843

The organization defines the frequency with which to obtain evidence of contingency testing by providers.

CCI-002844

The organization defines the frequency with which to obtain evidence of contingency training by providers.

CCI-002845

The organization obtains evidence of contingency testing by providers in accordance with organization-defined frequency.

CCI-002846

The organization obtains evidence of contingency training by providers in accordance with organization-defined frequency.

CCI-002847

The organization defines the frequency with which to test alternate telecommunication services.

CCI-002848

The organization tests alternate telecommunication services per organization-defined frequency.

CCI-002849

The organization defines critical information system software and other security-related information, of which backup copies must be stored in a separate facility or in a fire-rated container.

CCI-002850

The organization stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.

CCI-002851

The organization defines the backup information that requires dual authorization for deletion or destruction.

CCI-002852

The organization enforces dual authorization for the deletion or destruction of organization-defined backup information.

CCI-002853

The information system provides the capability to employ organization-defined alternative communications protocols in support of maintaining continuity of operations.

CCI-002854

The organization defines the alternative communications protocols the information system must be capable of providing in support of maintaining continuity of operations.

CCI-002855

The information system, when organization-defined conditions are detected, enters a safe mode of operation with organization-defined restrictions of safe mode of operation.

CCI-002856

The organization defines the conditions that, when detected, cause the information system to enter a safe mode of operation with organization-defined restrictions of safe mode of operation.

CCI-002857

The organization defines the restrictions of the safe mode of operation that the information system will enter when organization-defined conditions are detected.

CCI-002858

The organization employs organization-defined alternative or supplemental security mechanisms for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.

CCI-002859

The organization defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.

CCI-002860

The organization defines the security functions that must be satisfied when the primary means of implementing the security function is unavailable or compromised.

CCI-002776

The organization defines the personnel or roles to whom the incident response policy is disseminated.

CCI-002777

The organization defines the personnel or roles to whom the incident response procedures are disseminated.

CCI-002778

The organization defines the time period in which information system users who assume an incident response role or responsibility receive incident response training.

CCI-002779

The organization provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes.

CCI-002780

The organization coordinates incident response testing with organizational elements responsible for related plans.

CCI-002781

The organization defines the information system components for dynamic reconfiguration as part of the incident response capability.

CCI-002782

The organization implements an incident handling capability for insider threats.

CCI-002783

The organization coordinates an incident handling capability for insider threats across organization-defined components or elements of the organization.

CCI-002784

The organization defines components or elements of the organization across which an incident handling capability for insider threats will be coordinated.

CCI-002785

The organization coordinates with organization-defined external organizations to correlate and share organization-defined incident information to achieve a cross-organization perspective on incident awareness and more effective incident responses.

CCI-002786

The organization defines external organizations with which to correlate and share organization-defined incident information.

CCI-002787

The organization defines incident information to correlate and share with organization-defined external organizations.

CCI-002788

The organization employs organization-defined dynamic response capabilities to effectively respond to security incidents.

CCI-002789

The organization defines dynamic response capabilities to effectively respond to security incidents.

CCI-002790

The organization coordinates incident handling activities involving supply chain events with other organizations involved in the supply chain.

CCI-002791

The organization defines authorities to whom security incident information is reported.

CCI-002792

The organization defines personnel or roles to whom information system vulnerabilities associated with reported security incident information are reported.

CCI-002793

The organization provides security incident information to other organizations involved in the supply chain for information systems or information system components related to the incident.

CCI-002794

The organization develops an incident response plan.

CCI-002795

The organization's incident response plan provides the organization with a roadmap for implementing its incident response capability.

CCI-002796

The organization's incident response plan describes the structure and organization of the incident response capability.

CCI-002797

The organization's incident response plan provides a high-level approach for how the incident response capability fits into the overall organization.

CCI-002798

The organization's incident response plan meets the unique requirements of the organization, which relate to mission, size, structure, and functions.

CCI-002799

The organization's incident response plan defines reportable incidents.

CCI-002800

The organization's incident response plan provides metrics for measuring the incident response capability within the organization.

CCI-002801

The organization's incident response plan defines the resources and management support needed to effectively maintain and mature an incident response capability.

CCI-002802

The organization defines personnel or roles to review and approve the incident response plan.

CCI-002803

The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated.

CCI-002804

The organization protects the incident response plan from unauthorized disclosure and modification.

CCI-002805

The organization responds to information spills by identifying the specific information involved in the information system contamination.

CCI-002806

The organization responds to information spills by alerting organization-defined personnel or roles of the information spill using a method of communication not associated with the spill.

CCI-002807

The organization defines personnel or roles to be alerted of information spills using a method of communication not associated with the spill.

CCI-002808

The organization responds to information spills by isolating the contaminated information system or system component.

CCI-002809

The organization responds to information spills by eradicating the information from the contaminated information system or component.

CCI-002810

The organization responds to information spills by identifying other information systems or system components that may have been subsequently contaminated.

CCI-002811

The organization responds to information spills by performing other organization-defined actions.

CCI-002812

The organization defines other actions required to respond to information spills.

CCI-002813

The organization assigns organization-defined personnel or roles with responsibility for responding to information spills.

CCI-002814

The organization assigns organization-defined personnel or roles with responsibility for responding to information spills.

CCI-002815

The organization defines personnel or roles to whom responsibility for responding to information spills will be assigned.

CCI-002816

The organization provides information spillage response training according to an organization-defined frequency.

CCI-002817

The organization defines the frequency with which to provide information spillage response training.

CCI-002818

The organization implements organization-defined procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

CCI-002819

The organization defines procedures to implement to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

CCI-002820

The organization employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.

CCI-002821

The organization defines security safeguards to employ for personnel exposed to information not within assigned access authorizations.

CCI-002822

The organization establishes an integrated team of forensic/malicious code analysts, tool developers, and real-time operations personnel.

CCI-002823

The organization defines the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.

CCI-002824

The information system implements organization-defined security safeguards to protect its memory from unauthorized code execution.

CCI-002601

The organization defines the personnel or roles to whom the system and information integrity policy and procedures are to be disseminated.

CCI-002602

The organization tests firmware updates related to flaw remediation for effectiveness before installation.

CCI-002603

The organization tests firmware updates related to flaw remediation for potential side effects before installation.

CCI-002604

The organization defines the time period following the release of updates within which security-related software updates are to be installed.

CCI-002605

The organization installs security-relevant software updates within an organization-defined time period of the release of the updates.

CCI-002606

The organization defines the time period following the release of updates within which security-related firmware updates are to be installed.

CCI-002607

The organization installs security-relevant firmware updates within an organization-defined time period of the release of the updates.

CCI-002608

The organization establishes organization-defined benchmarks for the time taken to apply corrective actions after flaw identification.

CCI-002609

The organization defines the information system components on which organization-defined security-relevant software updates will be automatically installed.

CCI-002610

The organization defines the information system components on which organization-defined security-relevant firmware updates will be automatically installed.

CCI-002611

The organization defines the security-relevant software updates to be automatically installed on organization-defined information system components.

CCI-002612

The organization defines the security-relevant firmware updates to be automatically installed on organization-defined information system components.

CCI-002613

The organization installs organization-defined security-relevant software updates automatically to organization-defined information system components.

CCI-002614

The organization installs organization-defined security-relevant firmware updates automatically to organization-defined information system components.

CCI-002615

The organization defines the software components to be removed (e.g., previous versions) after updated versions have been installed.

CCI-002616

The organization defines the firmware components to be removed (e.g., previous versions) after updated versions have been installed.

CCI-002617

The organization removes organization-defined software components (e.g., previous versions) after updated versions have been installed.

CCI-002618

The organization removes organization-defined firmware components (e.g., previous versions) after updated versions have been installed.

CCI-002619

The organization employs malicious code protection mechanisms at information system entry points to detect malicious code.

CCI-002620

The organization employs malicious code protection mechanisms at information system exit points to detect malicious code.

CCI-002621

The organization employs malicious code protection mechanisms at information system entry points to eradicate malicious code.

CCI-002622

The organization employs malicious code protection mechanisms at information system exit points to eradicate malicious code.

CCI-002623

The organization defines the frequency for performing periodic scans of the information system for malicious code.

CCI-002624

The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources at network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy.

CCI-002625

The organization, when testing malicious code protection mechanisms, verifies the detection of the test case occurs.

CCI-002626

The organization, when testing malicious code protection mechanisms, verifies the incident reporting of the test case occurs.

CCI-002627

The information system implements nonsignature-based malicious code detection mechanisms.

CCI-002628

The organization defines the unauthorized operating system commands that are to be detected through the kernel application programming interface by organization-defined information system hardware components.

CCI-002629

The organization defines the information system hardware components that are to detect organization-defined unauthorized operating system commands through the kernel application programming interface.

CCI-002630

The information system detects organization-defined unauthorized operating system commands through the kernel application programming interface at organization-defined information system hardware components.

CCI-002631

The information system issues a warning, audits the command execution, or prevents the execution of the command when organization-defined unauthorized operating system commands are detected.

CCI-002632

The organization defines the remote commands that are to be authenticated using organization-defined safeguards for malicious code protection.

CCI-002633

The organization defines the security safeguards to be implemented to authenticate organization-defined remote commands for malicious code protection.

CCI-002634

The organization defines the tools to be employed to analyze the characteristics and behavior of malicious code.

CCI-002635

The organization defines the techniques to be employed to analyze the characteristics and behavior of malicious code.

CCI-002636

The organization employs organization-defined tools to analyze the characteristics and behavior of malicious code.

CCI-002637

The information system implements organization-defined security safeguards to authenticate organization-defined remote commands for malicious code protection.

CCI-002638

The organization employs organization-defined techniques to analyze the characteristics and behavior of malicious code.

CCI-002639

The organization incorporates the results from malicious code analysis into organizational incident response processes.

CCI-002640

The organization incorporates the results from malicious code analysis into organizational flaw remediation processes.

CCI-002641

The organization monitors the information system to detect attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives.

CCI-002642

The organization monitors the information system to detect unauthorized local connections.

CCI-002643

The organization monitors the information system to detect unauthorized network connections.

CCI-002644

The organization monitors the information system to detect unauthorized remote connections.

CCI-002645

The organization defines the techniques and methods to be used to identify unauthorized use of the information system.

CCI-002646

The organization identifies unauthorized use of the information system through organization-defined techniques and methods.

CCI-002647

The organization protects information obtained from intrusion-monitoring tools from unauthorized access.

CCI-002648

The organization protects information obtained from intrusion-monitoring tools from unauthorized modification.

CCI-002649

The organization protects information obtained from intrusion-monitoring tools from unauthorized deletion.

CCI-002650

The organization defines the information system monitoring information that is to be provided the organization-defined personnel or roles.

CCI-002651

The organization defines the personnel or roles that are to be provided organization-defined information system monitoring information.

CCI-002652

The organization defines the frequency at which the organization will provide the organization-defined information system monitoring information to organization-defined personnel or roles.

CCI-002653

The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency.

CCI-002654

The organization provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or per organization-defined frequency.

CCI-002655

The organization connects individual intrusion detection tools into an information system-wide intrusion detection system.

CCI-002656

The organization configures individual intrusion detection tools into an information system-wide intrusion detection system.

CCI-002657

The organization employs automated tools to integrate intrusion detection tools into access control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

CCI-002658

The organization employs automated tools to integrate intrusion detection tools into flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

CCI-002659

The organization defines the frequency on which it will monitor inbound communications for unusual or unauthorized activities or conditions.

CCI-002660

The organization defines the frequency on which it will monitor outbound communications for unusual or unauthorized activities or conditions.

CCI-002661

The information system monitors inbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.

CCI-002662

The information system monitors outbound communications traffic per organization-defined frequency for unusual or unauthorized activities or conditions.

CCI-002663

The organization defines the personnel or roles to receive information system alerts when organization-defined indicators of compromise or potential compromise occur.

CCI-002664

The information system alerts organization-defined personnel or roles when organization-defined compromise indicators reflect the occurrence of a compromise or a potential compromise.

CCI-002665

The organization defines the encrypted communications traffic that is to be visible to organization-defined information system monitoring tools.

CCI-002666

The organization defines the information system monitoring tools that will have visibility into organization-defined encrypted communications traffic.

CCI-002667

The organization makes provisions so that organization-defined encrypted communications traffic is visible to organization-defined information system monitoring tools.

CCI-002668

The organization defines the interior points within the information system (e.g., subnetworks, subsystems) where outbound communications will be analyzed to discover anomalies.

CCI-002669

The organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and false negatives.

CCI-002670

The organization defines the interior points within the system (e.g., subsystems, subnetworks) where outbound communications will be analyzed to detect covert exfiltration of information.

CCI-002671

The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) to detect covert exfiltration of information.

CCI-002672

The organization analyzes outbound communications traffic at organization-defined interior points within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information.

CCI-002673

The organization defines the additional monitoring to be implemented for individuals identified as posing an increased level of risk.

CCI-002674

The organization defines the sources that may be used to identify individuals who pose an increased level of risk.

CCI-002675

The organization implements organization-defined additional monitoring of individuals who have been identified by organization-defined sources as posing an increased level of risk.

CCI-002676

The organization defines additional monitoring to be implemented for privileged users.

CCI-002677

The organization implements organization-defined additional monitoring of privileged users.

CCI-002678

The organization defines additional monitoring to be implemented for individuals during an organization-defined probationary period.

CCI-002679

The organization defines the probationary period during which additional monitoring will be implemented for individuals.

CCI-002680

The organization implements organization-defined additional monitoring of individuals during an organization-defined probationary period.

CCI-002681

The organization defines the authorization or approval process for network services.

CCI-002682

The organization defines the personnel or roles to be alerted when unauthorized or unapproved network services are detected.

CCI-002683

The information system detects network services that have not been authorized or approved by the organization-defined authorization or approval processes.

CCI-002684

The information system audits and/or alerts organization-defined personnel when unauthorized network services are detected.

CCI-002685

The organization defines the host-based monitoring mechanisms to be implemented at organization-defined information system components.

CCI-002686

The organization defines the information system components at which organization-defined host-based monitoring mechanisms are to be implemented.

CCI-002687

The organization implements organization-defined host-based monitoring mechanisms at organization-defined information system components.

CCI-002688

The information system discovers indicators of compromise.

CCI-002689

The information system collects indicators of compromise.

CCI-002690

The information system distributes indicators of compromise.

CCI-002691

The information system uses indicators of compromise.

CCI-002692

The organization defines the external organizations from which it receives information system security alerts, advisories, and directives.

CCI-002693

The organization defines the elements within the organization to whom the organization will disseminate security alerts, advisories, and directives.

CCI-002694

The organization defines the external organizations to which the organization will disseminate security alerts, advisories, and directives.

CCI-002695

The organization defines the security functions that require verification of correct operation.

CCI-002696

The information system verifies correct operation of organization-defined security functions.

CCI-002697

The organization defines the frequency at which it will verify correct operation of organization-defined security functions.

CCI-002698

The organization defines the system transitional states when the information system will verify correct operation of organization-defined security functions.

CCI-002699

The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.

CCI-002700

The organization defines the personnel or roles to be notified when security verification tests fail.

CCI-002701

The organization defines alternative action(s) to be taken when the information system discovers anomalies in the operation of organization-defined security functions.

CCI-002702

The information system shuts the information system down, restarts the information system, and/or initiates organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.

CCI-002703

The organization defines the software, firmware, and information which will be subjected to integrity verification tools to detect unauthorized changes.

CCI-002704

The organization employs integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information.

CCI-002705

The organization defines the software on which integrity checks will be performed.

CCI-002706

The organization defines the firmware on which integrity checks will be performed.

CCI-002707

The organization defines the information on which integrity checks will be performed.

CCI-002708

The organization defines the transitional state or security-relevant events when the information system will perform integrity checks on software, firmware, and information.

CCI-002709

The organization defines the frequency at which it will perform integrity checks of software, firmware, and information.

CCI-002710

The information system performs an integrity check of organization-defined software at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.

CCI-002711

The information system performs an integrity check of organization-defined firmware at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.

CCI-002712

The information system performs an integrity check of organization-defined information at startup, at organization-defined transitional states or security-relevant events, or on an organization-defined frequency.

CCI-002713

The organization defines the personnel or roles to be notified when discrepancies are discovered during integrity verification.

CCI-002714

The organization defines the security safeguards that are to be employed when integrity violations are discovered.

CCI-002715

The information system automatically shuts the information system down, restarts the information system, and/or implements organization-defined security safeguards when integrity violations are discovered.

CCI-002716

The information system implements cryptographic mechanisms to detect unauthorized changes to software.

CCI-002717

The information system implements cryptographic mechanisms to detect unauthorized changes to firmware.

CCI-002718

The information system implements cryptographic mechanisms to detect unauthorized changes to information.

CCI-002719

The organization defines the unauthorized security-relevant changes to the information system that are to be incorporated into the organizational incident response capability.

CCI-002720

The organization incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability.

CCI-002721

The organization defines the personnel or roles that are to be alerted by the information system when it detects a potential integrity violation.

CCI-002722

The organization defines other actions that can be taken when the information system detects a potential integrity violation.

CCI-002723

The information system, upon detection of a potential integrity violation, provides the capability to audit the event.

CCI-002724

The information system, upon detection of a potential integrity violation, initiates one or more of the following actions: generates an audit record; alerts the current user; alerts organization-defined personnel or roles; and/or organization-defined other actions.

CCI-002725

The organization defines the devices which will have the integrity of the boot process verified.

CCI-002726

The information system verifies the integrity of the boot process of organization-defined devices.

CCI-002727

The organization defines the security safeguards to be implemented to protect the integrity of the boot firmware in organization-defined devices.

CCI-002728

The organization defines the devices on which organization-defined security safeguards will be implemented to protect the integrity of the boot firmware.

CCI-002729

The information system implements organization-defined security safeguards to protect the integrity of boot firmware in organization-defined devices.

CCI-002730

The organization defines the user-installed software that is to be executed in a confined physical or virtual machine environment with limited privileges.

CCI-002731

The organization requires that organization-defined user-installed software execute in a confined physical or virtual machine environment with limited privileges.

CCI-002732

The organization defines the user-installed software that is to have its integrity verified prior to execution.

CCI-002733

The organization requires that the integrity of organization-defined user-installed software be verified prior to execution.

CCI-002734

The organization defines the personnel or roles which have the authority to explicitly approve binary or machine-executable code.

CCI-002735

The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments.

CCI-002736

The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only with the explicit approval of organization-defined personnel or roles.

CCI-002737

The organization prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code.

CCI-002738

The organization provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

CCI-002739

The organization defines the software or firmware components on which cryptographic mechanisms are to be implemented to support authentication prior to installation.

CCI-002740

The information system implements cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation.

CCI-002741

The organization employs spam protection mechanisms at information system entry points to detect and take action on unsolicited messages.

CCI-002742

The organization employs spam protection mechanisms at information system exit points to detect and take action on unsolicited messages.

CCI-002743

The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

CCI-002744

The organization defines the inputs on which the information system is to conduct validity checks.

CCI-002745

The organization defines the inputs for which the information system provides a manual override capability for input validation.

CCI-002746

The information system provides a manual override capability for input validation of organization-defined inputs.

CCI-002747

The organization defines the individuals who have the authorization to use the manual override capability for input validation.

CCI-002748

The information system restricts the use of the manual override capability to only organization-defined authorized individuals.

CCI-002749

The information system audits the use of the manual override capability.

CCI-002750

The organization defines the time period within which input validation errors are to be reviewed.

CCI-002751

The organization defines the time period within which input validation errors are to be resolved.

CCI-002752

The organization ensures that input validation errors are reviewed within an organization-defined time period.

CCI-002753

The organization ensures that input validation errors are resolved within an organization-defined time period.

CCI-002754

The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

CCI-002755

The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.

CCI-002756

The organization defines the trusted sources to which the usage of information inputs will be restricted (e.g., whitelisting).

CCI-002757

The organization defines the acceptable formats to which information inputs are restricted.

CCI-002758

The organization restricts the use of information inputs to organization-defined trusted sources and/or organization-defined formats.

CCI-002759

The organization defines the personnel or roles to whom error messages are to be revealed.

CCI-002760

The organization determines mean time to failure (MTTF) for organization-defined information system components in specific environments of operation.

CCI-002761

The organization defines the system components in specific environments of operation for which the mean time to failure (MTTF) is to be determined.

CCI-002762

The organization defines the mean time to failure (MTTF) substitution criteria to be employed as a means to determine the need to exchange active and standby components.

CCI-002763

The organization provides a means to exchange active and standby components in accordance with the organization-defined mean time to failure (MTTF) substitution criteria.

CCI-002764

The organization defines non-persistent information system components and services to be implemented.

CCI-002765

The organization defines the frequency at which it will terminate organization-defined non-persistent information system components and services.

CCI-002766

The organization implements organization-defined non-persistence information system components and services that are initiated in a known state.

CCI-002767

The organization implements organization-defined non-persistence information system components and services that are terminated upon end of session of use and/or periodically at an organization-defined frequency.

CCI-002768

The organization defines the trusted sources from which it obtains software and data employed during the refreshing of non-persistent information system components and services.

CCI-002769

The organization ensures that software and data employed during non-persistent information system component and service refreshes are obtained from organization-defined trusted sources.

CCI-002770

The organization defines the software programs and/or applications from which the information system is to validate the information output to ensure the information is consistent with expected content.

CCI-002771

The information system validates information output from organization-defined software programs and/or applications to ensure that the information is consistent with the expected content.

CCI-002772

The organization defines the security safeguards to be implemented to protect the information system's memory from unauthorized code execution.

CCI-002773

The organization defines the fail-safe procedures to be implemented by the information system when organization-defined failure conditions occur.

CCI-002774

The organization defines the failure conditions which, when they occur, will result in the information system implementing organization-defined fail-safe procedures.

CCI-002775

The information system implements organization-defined fail-safe procedures when organization-defined failure conditions occur.

CCI-002566

The organization defines personnel or roles to whom a documented media protection policy and procedures will be disseminated.

CCI-002567

The organization reviews and approves media sanitization.

CCI-002568

The organization tracks and documents media sanitization.

CCI-002569

The organization verifies media sanitization.

CCI-002570

The organization reviews and approves media disposal actions.

CCI-002571

The organization tracks and documents media disposal actions.

CCI-002572

The organization verifies media disposal actions.

CCI-002573

The organization enforces dual authorization for the sanitization of organization-defined information system media.

CCI-002574

The organization defines the information system media that dual authorization is enforced for sanitization.

CCI-002575

The organization defines information systems, system components, or devices from which information is to be purged/wiped, either remotely or under the organization-defined conditions.

CCI-002576

The organization defines conditions under which information from organization-defined information systems, system components, or devices should be purged/wiped.

CCI-002577

The organization provides the capability to purge/wipe information from organization-defined information systems, system components, or devices either remotely or under organization-defined conditions.

CCI-002578

The organization defines information system media to sanitize prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies.

CCI-002579

The organization defines the sanitization techniques and procedures to be used to sanitize organization-defined information system media prior to disposal, release out of organizational control, or release for reuse in accordance with applicable federal and organization standards and policies.

CCI-002580

The organization employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

CCI-002581

The organization defines the types of information system media to restrict or prohibit on organization-defined information systems or system components using organization-defined security safeguards.

CCI-002582

The organization defines the information systems or system components on which to restrict or prohibit the use of organization-defined types of information system media using organization-defined security safeguards.

CCI-002583

The organization defines the security safeguards to use for restricting or prohibiting the use of organization-defined types of information system media on organization-defined information systems or system components.

CCI-002584

The organization restricts or prohibits the use of organization-defined types of information system media on organization-defined information systems or system components using organization-defined security safeguards.

CCI-002585

The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

CCI-002586

The organization prohibits the use of sanitization-resistant media in organizational information systems.

CCI-002587

The organization documents information system media downgrading actions.

CCI-002588

The organization employs organization-defined tests of downgrading equipment in accordance with organization-defined frequency.

CCI-002589

The organization employs procedures to verify correct performance of organization-defined tests of downgrading equipment in accordance with organization-defined frequency.

CCI-002590

The organization defines tests to employ for downgrading equipment.

CCI-002591

The organization defines the frequency with which to employ tests of downgrading equipment and procedures to verify correct performance.

CCI-002592

The organization defines Controlled Unclassified Information (CUI).

CCI-002593

The organization downgrades information system media containing organization-defined Controlled Unclassified Information (CUI) prior to public release in accordance with applicable federal and organizational standards and policies.

CCI-002594

The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.

CCI-002595

The organization establishes an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.

CCI-002596

The organization establishes and defines an information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity.

CCI-002597

The organization defines strength and integrity for downgrading mechanisms to establish an organization-defined information system media downgrading process.

CCI-002598

The organization ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information.

CCI-002599

The organization defines and identifies the information system media requiring downgrading.

CCI-002600

The organization downgrades the identified information system media using the established process.

CCI-002375

The organization takes organization-defined corrective actions when information about the information system is discoverable by adversaries.

CCI-002376

The organization defines the personnel or roles with whom the information obtained from the vulnerability scanning process and security control assessments will be shared.

CCI-002377

The organization documents the system and communications protection policy.

CCI-002378

The organization defines the personnel or roles to be recipients of the system and communications protection policy.

CCI-002379

The organization documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

CCI-002380

The organization defines the personnel or roles to be recipients of the procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

CCI-002381

The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.

CCI-002382

The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.

CCI-002383

The organization defines the procedures to be employed to prevent unauthorized information transfer via shared resources when system processing explicitly switches between different information classification levels or security categories.

CCI-002384

The information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.

CCI-002385

The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards.

CCI-002386

The organization defines the security safeguards to be employed to protect the information system against, or limit the effects of, denial of service attacks.

CCI-002387

The organization defines the denial of service attacks against other information systems that the information system is to restrict the ability of individuals to launch.

CCI-002388

The organization defines a list of monitoring tools to be employed to detect indicators of denial of service attacks against the information system.

CCI-002389

The organization employs an organization-defined list of monitoring tools to detect indicators of denial of service attacks against the information system.

CCI-002390

The organization defines the information system resources to be monitored to determine if sufficient resources exist to prevent effective denial of service attacks.

CCI-002391

The organization monitors organization-defined information system resources to determine if sufficient resources exist to prevent effective denial of service attacks.

CCI-002392

The organization defines the resources to be allocated to protect the availability of information system resources.

CCI-002393

The organization defines the security safeguards to be employed to protect the availability of information system resources.

CCI-002394

The information system protects the availability of resources by allocating organization-defined resources based on priority, quota, and/or organization-defined security safeguards.

CCI-002395

The information system implements subnetworks for publicly accessible system components that are physically and/or logically separated from internal organizational networks.

CCI-002396

The organization protects the confidentiality and integrity of the information being transmitted across each interface for each external telecommunication service.

CCI-002397

The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.

CCI-002398

The information system detects outgoing communications traffic posing a threat to external information systems.

CCI-002399

The information system denies outgoing communications traffic posing a threat to external information systems.

CCI-002400

The information system audits the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems.

CCI-002401

The organization defines the authorized sources from which the information system will allow incoming communications.

CCI-002402

The organization defines the authorized destinations for routing inbound communications.

CCI-002403

The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.

CCI-002404

The organization defines the host-based boundary protection mechanisms that are to be implemented at organization-defined information system components.

CCI-002405

The organization defines the information system components at which organization-defined host-based boundary protection mechanisms will be implemented.

CCI-002406

The organization implements organization-defined host-based boundary protection mechanisms at organization-defined information system components.

CCI-002407

The organization defines the managed interfaces at which the organization protects against unauthorized physical connections.

CCI-002408

The organization defines the independently configured communication clients, which are configured by end users and external service providers, between which the information system will block both inbound and outbound communications traffic.

CCI-002409

The information system blocks both inbound and outbound communications traffic between organization-defined communication clients that are independently configured by end users and external service providers.

CCI-002410

The organization defines information system components that are to be dynamically isolated/segregated from other components of the information system.

CCI-002411

The information system provides the capability to dynamically isolate/segregate organization-defined information system components from other components of the system.

CCI-002412

The organization defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms.

CCI-002413

The organization defines the information system components supporting organization-defined missions and/or business functions that are to be separated using boundary protection mechanisms.

CCI-002414

The organization defines the missions and/or business functions for which boundary protection mechanisms will be employed to separate the supporting organization-defined information system components.

CCI-002415

The organization employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions.

CCI-002416

The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.

CCI-002417

The information system disables feedback to senders on protocol format validation failure.

CCI-002418

The information system protects the confidentiality and/or integrity of transmitted information.

CCI-002419

The organization defines the alternative physical safeguards to be employed when cryptographic mechanisms are not implemented to protect information during transmission.

CCI-002420

The information system maintains the confidentiality and/or integrity of information during preparation for transmission.

CCI-002421

The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.

CCI-002422

The information system maintains the confidentiality and/or integrity of information during reception.

CCI-002423

The information system implements cryptographic mechanisms to protect message externals (e.g., message headers and routing information) unless otherwise protected by organization-defined alternative physical safeguards.

CCI-002424

The organization defines the alternative physical safeguards to be employed when cryptographic mechanisms are not implemented by the information system.

CCI-002425

The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by organization-defined alternative physical safeguards.

CCI-002426

The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.

CCI-002427

The organization defines the alternative physical safeguards to be employed to protect message externals (e.g., message headers and routing information) when cryptographic mechanisms are not implemented.

CCI-002428

The organization defines the requirements for cryptographic key generation to be employed within the information system.

CCI-002429

The organization defines the requirements for cryptographic key distribution to be employed within the information system.

CCI-002430

The organization defines the requirements for cryptographic key storage to be employed within the information system.

CCI-002431

The organization defines the requirements for cryptographic key access to be employed within the information system.

CCI-002432

The organization defines the requirements for cryptographic key destruction to be employed within the information system.

CCI-002433

The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation.

CCI-002434

The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution.

CCI-002435

The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage.

CCI-002436

The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access.

CCI-002437

The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction.

CCI-002438

The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation.

CCI-002439

The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution.

CCI-002440

The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key storage.

CCI-002441

The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key access.

CCI-002442

The organization manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key destruction.

CCI-002443

The organization produces symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.

CCI-002444

The organization controls symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.

CCI-002445

The organization distributes symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.

CCI-002446

The organization produces asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.

CCI-002447

The organization controls asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.

CCI-002448

The organization distributes asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.

CCI-002449

The organization defines the cryptographic uses, and type of cryptography required for each use, to be implemented by the information system.

CCI-002450

The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

CCI-002451

The organization defines the information systems or information system components from which collaborative computing devices in organization-defined secure work areas are to be disabled or removed.

CCI-002452

The organization defines the online meetings and teleconferences for which the information system provides an explicit indication of current participants.

CCI-002453

The information system provides an explicit indication of current participants in organization-defined online meetings and teleconferences.

CCI-002454

The organization defines the security attributes the information system is to associate with the information being exchanged between information systems and between information system components.

CCI-002455

The information system associates organization-defined security attributes with information exchanged between information system components.

CCI-002456

The organization defines the certificate policy employed to issue public key certificates.

CCI-002457

The organization defines the corrective actions to be taken when organization-defined unacceptable mobile code is identified.

CCI-002458

The organization defines what constitutes unacceptable mobile code for its information systems.

CCI-002459

The organization defines the unacceptable mobile code of which the information system is to prevent download and execution.

CCI-002460

The information system enforces organization-defined actions prior to executing mobile code.

CCI-002461

The organization allows execution of permitted mobile code only in confined virtual machine environments.

CCI-002462

The information system provides additional data integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.

CCI-002463

The information system provides data origin artifacts for internal name/address resolution queries.

CCI-002464

The information system provides data integrity protection artifacts for internal name/address resolution queries.

CCI-002465

The information system requests data origin authentication verification on the name/address resolution responses the system receives from authoritative sources.

CCI-002466

The information system requests data integrity verification on the name/address resolution responses the system receives from authoritative sources.

CCI-002467

The information system performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

CCI-002468

The information system performs data origin verification authentication on the name/address resolution responses the system receives from authoritative sources.

CCI-002469

The organization defines the certificate authorities the information system will allow to be used on the information system.

CCI-002470

The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

CCI-002471

The organization defines the information system components, with minimal functionality and information storage, to be employed.

CCI-002472

The organization defines the information at rest that is to be protected by the information system.

CCI-002473

The organization defines the information at rest for which cryptographic mechanisms will be implemented.

CCI-002474

The organization defines the information system components which require the implementation of cryptographic mechanisms to prevent unauthorized disclosure and modification of organization-defined information at rest.

CCI-002475

The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.

CCI-002476

The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.

CCI-002477

The organization defines the information at rest to be removed from online storage and stored in an off-line secure location.

CCI-002478

The organization removes organization-defined information at rest from online storage.

CCI-002479

The organization stores organization-defined information at rest in an off-line secure location.

CCI-002480

The organization defines the information system components for which a diverse set of information technologies are to be employed.

CCI-002481

The organization employs virtualization techniques to support the deployment of a diversity of applications that are changed per organization-defined frequency.

CCI-002482

The organization defines the concealment and misdirection techniques employed for organization-defined information systems to confuse and mislead adversaries.

CCI-002483

The organization defines the information systems for which organization-defined concealment and misdirection techniques are to be employed.

CCI-002484

The organization defines the time periods at which it will employ organization-defined concealment and misdirection techniques on organization-defined information systems.

CCI-002485

The organization employs organization-defined concealment and misdirection techniques for organization-defined information systems at organization-defined time periods to confuse and mislead adversaries.

CCI-002486

The organization defines the techniques to be employed to introduce randomness into organizational operations and assets.

CCI-002487

The organization employs organization-defined techniques to introduce randomness into organizational operations.

CCI-002488

The organization employs organization-defined techniques to introduce randomness into organizational assets.

CCI-002489

The organization defines the processing and/or storage locations to be changed at random intervals or at an organization-defined frequency.

CCI-002490

The organization defines the frequency at which it changes the location of organization-defined processing and/or storage.

CCI-002491

The organization changes the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals.

CCI-002492

The organization changes the location of organization-defined processing and/or storage at an organization-defined time frequency or at random time intervals.

CCI-002493

The organization defines the information system components in which it will employ realistic but misleading information regarding its security state or posture.

CCI-002494

The organization employs realistic, but misleading, information in organization-defined information system components with regard to its security state or posture.

CCI-002495

The organization defines the techniques to be employed to hide or conceal organization-defined information system components.

CCI-002496

The organization defines the information system components to be hidden or concealed.

CCI-002497

The organization employs organization-defined techniques to hide or conceal organization-defined information system components.

CCI-002498

The organization performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert storage and/or timing channels.

CCI-002499

The organization estimates the maximum bandwidth of the covert storage and timing channels.

CCI-002500

The organization defines the maximum bandwidth values to which covert storage and/or timing channels are to be reduced.

CCI-002501

The organization reduces the maximum bandwidth for identified covert storage and/or timing channels to organization-defined values.

CCI-002502

The organization defines the subset of identified covert channels in the operational environment of the information system that are to have the bandwidth measured.

CCI-002503

The organization measures the bandwidth of an organization-defined subset of identified covert channels in the operational environment of the information system.

CCI-002504

The organization defines the information system components into which the information system is partitioned.

CCI-002505

The organization defines the circumstances under which the information system components are to be physically separated to support partitioning.

CCI-002506

The organization partitions the information system into organization-defined information system components residing in separate physical domains or environments based on organization-defined circumstances for physical separation of components.

CCI-002507

The organization controls read-only media after information has been recorded onto the media.

CCI-002508

The organization defines the information system firmware components for which hardware-based, write-protect is employed.

CCI-002509

The organization employs hardware-based, write-protect for organization-defined information system firmware components.

CCI-002510

The organization defines the individuals authorized to manually disable hardware-based, write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

CCI-002511

The organization implements specific procedures for organization-defined authorized individuals to manually disable hardware-based, write-protect for firmware modifications.

CCI-002512

The organization implements specific procedures for organization-defined authorized individuals to manually re-enable hardware write-protect prior to returning to operational mode.

CCI-002513

The organization defines the processing that is to be distributed across multiple physical locations.

CCI-002514

The organization defines the storage that is to be distributed across multiple physical locations.

CCI-002515

The organization distributes organization-defined processing across multiple physical locations.

CCI-002516

The organization distributes organization-defined storage across multiple physical locations.

CCI-002517

The organization defines the distributed processing components that are to be polled to identify potential faults, errors, or compromises.

CCI-002518

The organization defines the distributed storage components that are to be polled to identify potential faults, errors, or compromises.

CCI-002519

The organization employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed processing components.

CCI-002520

The organization employs polling techniques to identify potential faults, errors, or compromises to organization-defined distributed storage components.

CCI-002521

The organization defines the out-of-band channels to be employed for the physical delivery or electronic transmission of organization-defined information, information system components, or devices.

CCI-002522

The organization defines the information, information system components, or devices that are to be electronically transmitted or physically delivered via organization-defined out-of-band channels.

CCI-002523

The organization defines the individuals or information systems authorized to be recipients of organization-defined information, information system components, or devices to be delivered by employing organization-defined out-of-band channels for electronic transmission or physical delivery.

CCI-002524

The organization employs organization-defined out-of-band channels for the electronic transmission or physical delivery of organization-defined information, information system components, or devices to organization-defined individuals or information systems.

CCI-002525

The organization defines the security safeguards to be employed to ensure only organization-defined individuals or information systems receive organization-defined information, information system components, or devices.

CCI-002526

The organization defines the information, information system components, or devices which are to be received only by organization-defined individuals or information systems.

CCI-002527

The organization employs organization-defined security safeguards to ensure only organization-defined individuals or information systems receive the organization-defined information, information system components, or devices.

CCI-002528

The organization defines the operations security safeguards to be employed to protect key organizational information throughout the system development life cycle.

CCI-002529

The organization employs organization-defined operations security safeguards to protect key organizational information throughout the system development life cycle.

CCI-002530

The information system maintains a separate execution domain for each executing process.

CCI-002531

The information system implements underlying hardware separation mechanisms to facilitate process separation.

CCI-002532

The organization defines the multi-threaded processing in which a separate execution domain is maintained by the information system for each thread.

CCI-002533

The information system maintains a separate execution domain for each thread in organization-defined multi-threaded processing.

CCI-002534

The organization defines types of signal parameter attacks or references to sources for such attacks from which the information system protects organization-defined wireless links.

CCI-002535

The organization defines the external and internal wireless links the information system is to protect from organization-defined types of signal parameter attacks or references to sources for such attacks.

CCI-002536

The information system protects organization-defined external and internal wireless links from organization-defined types of signal parameter attacks or references to sources for such attacks.

CCI-002537

The organization defines the level of protection against the effects of intentional electromagnetic interference to be achieved by implemented cryptographic mechanisms.

CCI-002538

The information system implements cryptographic mechanisms that achieve an organization-defined level of protection against the effects of intentional electromagnetic interference.

CCI-002539

The organization defines the level of reduction the information system is to implement to reduce the detection potential of wireless links.

CCI-002540

The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to an organization-defined level of reduction.

CCI-002541

The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.

CCI-002542

The organization defines the wireless transmitters that are to have cryptographic mechanisms implemented by the information system to prevent the identification of the wireless transmitters.

CCI-002543

The information system implements cryptographic mechanisms to prevent the identification of organization-defined wireless transmitters by using the transmitter signal parameters.

CCI-002544

The organization defines the information systems or information system components on which organization-defined connection ports or input/output devices are to be physically disabled or removed.

CCI-002545

The organization defines the connection ports or input/output devices that are to be physically disabled or removed from organization-defined information systems or information system components.

CCI-002546

The organization physically disables or removes organization-defined connection ports or input/output devices on organization-defined information systems or information system components.

CCI-002547

The organization defines the exceptions where remote activation of sensors is allowed.

CCI-002548

The information system prohibits the remote activation of environmental sensing capabilities except for the organization-defined exceptions where remote activation of sensors is allowed.

CCI-002549

The organization defines the class of users to receive explicit indication of sensor use.

CCI-002550

The information system provides an explicit indication of sensor use to the organization-defined class of users.

CCI-002551

The organization defines the sensors to be configured so that collected data or information is reported only to authorized individuals or roles.

CCI-002552

The organization ensures that the information system is configured so that data or information collected by the organization-defined sensors is only reported to authorized individuals or roles.

CCI-002553

The organization defines the measures to be employed to ensure data or information collected by organization-defined sensors is used only for authorized purposes.

CCI-002554

The organization defines the sensors that are to collect data or information for authorized purposes.

CCI-002555

The organization employs organization-defined measures, so that data or information collected by organization-defined sensors is only used for authorized purposes.

CCI-002556

The organization defines the environmental sensing capabilities prohibited on devices used in organization-defined facilities, areas, or systems.

CCI-002557

The organization defines the facilities, areas, or systems where devices processing organization-defined environmental sensing capabilities are prohibited.

CCI-002558

The organization prohibits the use of devices possessing organization-defined environmental sensing capabilities in organization-defined facilities, areas, or systems.

CCI-002559

The organization defines the information system components for which usage restrictions and implementation guidance are to be established.

CCI-002560

The organization establishes usage restrictions and implementation guidance for organization-defined information system components based on the potential to cause damage to the information system if used maliciously.

CCI-002561

The organization authorizes the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.

CCI-002562

The organization monitors the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.

CCI-002563

The organization controls the use of organization-defined information system components which have the potential to cause damage to the information system if used maliciously.

CCI-002564

The organization defines the information system, system component, or location where a detonation chamber (i.e., dynamic execution environments) capability is employed.

CCI-002565

The organization employs a detonation chamber (i.e., dynamic execution environments) capability within an organization-defined information system, system component, or location.

CCI-002368

The organization defines the personnel or roles to whom the risk assessment policy is disseminated.

CCI-002369

The organization defines the personnel or roles to whom the risk assessment procedures are disseminated.

CCI-002370

The organization disseminates risk assessment results to organization-defined personnel or roles.

CCI-002371

The organization defines the personnel or roles to whom the risk assessment results will be disseminated.

CCI-002372

The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

CCI-002373

The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).

CCI-002374

The organization defines the corrective actions when information about the information system is discoverable by adversaries.

CCI-002360

The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.

CCI-002361

The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

CCI-002362

The organization defines the resources requiring information system authentication in order to gain access.

CCI-002363

The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.

CCI-002364

The information system displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions.

CCI-002365

The organization manages information system authenticators by requiring individuals to take specific security safeguards to protect authenticators.

CCI-002366

The organization manages information system authenticators by having devices implement specific security safeguards to protect authenticators.

CCI-002367

The organization ensures unencrypted static authenticators are not embedded in applications.

CCI-002341

The organization defines the information sharing restrictions to be enforced by the information system for information search and retrieval services.

CCI-002342

The information system implements information search and retrieval services that enforce organization-defined information sharing restrictions.

CCI-002343

The organization defines the data mining prevention techniques to be employed to adequately protect organization-defined data storage objects against data mining.

CCI-002344

The organization defines the data mining detection techniques to be employed to adequately detect data mining attempts against organization-defined data storage objects.

CCI-002345

The organization defines the data storage objects that are to be protected against data mining attempts.

CCI-002346

The organization employs organization-defined data mining prevention techniques for organization-defined data storage objects to adequately protect against data mining.

CCI-002347

The organization employs organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts.

CCI-002348

The organization defines the access control decisions that are to be applied to each access request prior to access enforcement.

CCI-002349

The organization establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access enforcement.

CCI-002350

The organization defines the access authorization information that is to be transmitted using organization-defined security safeguards to organization-defined information systems that enforce access control decisions.

CCI-002351

The organization defines the security safeguards to be employed when transmitting organization-defined access authorization information to organization-defined information systems that enforce access control decisions.

CCI-002352

The organization defines the information systems that are to be recipients of organization-defined access authorization information using organization-defined security safeguards.

CCI-002353

The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.

CCI-002354

The organization defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.

CCI-002355

The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.

CCI-002356

The organization defines the access control policies to be implemented by the information system's reference monitor.

CCI-002357

The information system implements a reference monitor for organization-defined access control policies that is tamperproof.

CCI-002358

The information system implements a reference monitor for organization-defined access control policies that is always invoked.

CCI-002359

The information system implements a reference monitor for organization-defined access control policies that is small enough to be subject to analysis and testing, the completeness of which can be assured.

CCI-002106

The organization documents the access control policy.

CCI-002107

The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the implementation of the access control policy and associated access controls.

CCI-002108

The organization defines the personnel or roles to be recipients of the procedures necessary to facilitate the implementation of the access control policy and associated access controls.

CCI-002109

The organization documents procedures to facilitate the implementation of the access control policy and associated access controls.

CCI-002110

The organization defines the information system account types that support the organizational missions/business functions.

CCI-002111

The organization identifies and selects the organization-defined information system account types of information system accounts which support organizational missions/business functions.

CCI-002112

The organization assigns account managers for information system accounts.

CCI-002113

The organization establishes conditions for role membership.

CCI-002114

The organization specifies authorized users of the information system for each account.

CCI-002115

The organization specifies authorized users of the information system.

CCI-002116

The organization specifies authorized group membership on the information system.

CCI-002117

The organization specifies authorized role membership on the information system.

CCI-002118

The organization specifies access authorizations (i.e., privileges) for each account on the information system.

CCI-002119

The organization specifies other attributes for each account on the information system.

CCI-002120

The organization defines the personnel or roles authorized to approve the creation of information system accounts.

CCI-002121

The organization defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts.

CCI-002122

The organization monitors the use of information system accounts.

CCI-002123

The organization notifies account managers when accounts are no longer required.

CCI-002124

The organization notifies account managers when users are terminated or transferred.

CCI-002125

The organization notifies account managers when individual information system usage or need-to-know changes.

CCI-002126

The organization authorizes access to the information system based on a valid access authorization.

CCI-002127

The organization authorizes access to the information system based on intended system usage.

CCI-002128

The organization authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions.

CCI-002129

The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

CCI-002130

The information system automatically audits account enabling actions.

CCI-002131

The organization defines the personnel or roles to be notified on account creation, modification, enabling, disabling, and removal actions.

CCI-002132

The information system notifies organization-defined personnel or roles for account enabling actions.

CCI-002133

The organization defines other conditions when users are required to log out.

CCI-002134

The organization defines a list of dynamic privilege management capabilities to be implemented by the information system.

CCI-002135

The information system implements the organization-defined list of dynamic privilege management capabilities.

CCI-002136

The organization defines the actions to be taken when privileged role assignments are no longer appropriate.

CCI-002137

The organization takes organization-defined actions when privileged role assignments are no longer appropriate.

CCI-002138

The organization defines the information system accounts that can be dynamically created.

CCI-002139

The information system creates organization-defined information system accounts dynamically.

CCI-002140

The organization defines the conditions for establishing shared/group accounts.

CCI-002141

The organization only permits the use of shared/group accounts that meet organization-defined conditions for establishing shared/group accounts.

CCI-002142

The information system terminates shared/group account credentials when members leave the group.

CCI-002143

The organization defines the circumstances and/or usage conditions that are to be enforced for organization-defined information system accounts.

CCI-002144

The organization defines the information system accounts that are to be subject to the enforcement of organization-defined circumstances and/or usage conditions.

CCI-002145

The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.

CCI-002146

The organization defines atypical usage for which the information system accounts are to be monitored.

CCI-002147

The organization monitors information system accounts for organization-defined atypical use.

CCI-002148

The organization defines the personnel or roles to whom atypical usage of information system accounts are to be reported.

CCI-002149

The organization reports atypical usage of information system accounts to organization-defined personnel or roles.

CCI-002150

The organization defines the time period within which the accounts of users posing a significant risk are to be disabled after discovery of the risk.

CCI-002151

The organization disables accounts of users posing a significant risk within an organization-defined time period of discovery of the risk.

CCI-002152

The organization defines other actions necessary for which dual authorization is to be enforced.

CCI-002153

The organization defines the mandatory access control policies that are to be enforced over all subjects and objects.

CCI-002154

The mandatory access control policy specifies that the policy is uniformly enforced across all subjects and objects within the boundary of the information system.

CCI-002155

The mandatory access control policy specifies that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects.

CCI-002156

The mandatory access control policy specifies that a subject that has been granted access to information is constrained from granting its privileges to other subjects.

CCI-002157

The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing one or more security attributes on subjects, objects, the information system, or information system components.

CCI-002158

The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.

CCI-002159

The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.

CCI-002160

The mandatory access control policy specifies that a subject that has been granted access to information is constrained from changing the rules governing access control.

CCI-002161

The organization defines subjects which may explicitly be granted organization-defined privileges such that they are not limited by some or all of the mandatory access control constraints.

CCI-002162

The organization defines the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by some or all of the mandatory access control constraints.
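The constraints listed in CCI-002154 through CCI-002160, together with the explicit exemptions of CCI-002161 and CCI-002162, describe what a mandatory access control policy has to prevent. The following is an added illustration written for this page (not DISA, IASE or Joval code) of a minimal enforcer that applies those constraints: the label lattice, the subject and object names, and the use of a "trusted" set to model exempted subjects are all assumptions made for the example.

```python
"""Added example for CCI-002154 through CCI-002162: a minimal mandatory access
control (MAC) enforcer. Illustrative code written for this page, not DISA or
Joval code. The label lattice, subjects and objects are constructed; "trusted"
subjects model the explicit exemptions of CCI-002161/CCI-002162."""
from dataclasses import dataclass, field

# Constructed linear lattice of sensitivity levels; a higher value dominates a lower one.
# The lattice is the rule governing access control: it is held by the monitor and no
# subject operation below can alter it (CCI-002160).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass
class Obj:
    name: str
    label: str
    content: list = field(default_factory=list)


class MacMonitor:
    """Every read, write, create and relabel passes through this class, so the
    policy is applied uniformly to all subjects and objects (CCI-002154)."""

    def __init__(self, trusted=()):
        self._trusted = frozenset(trusted)   # exempt subjects (CCI-002161/002162)
        self._objects = {}

    @staticmethod
    def _dominates(a, b):
        return LEVELS[a] >= LEVELS[b]

    def create(self, subj, name, label=None):
        # A subject cannot choose the label of a new object (CCI-002158/002159):
        # the monitor assigns the creator's clearance unless the subject is trusted.
        if label is not None and subj.name not in self._trusted:
            raise PermissionError(f"{subj.name} may not choose the label of {name}")
        obj = Obj(name, label or subj.clearance)
        self._objects[name] = obj
        return obj

    def read(self, subj, name):
        obj = self._objects[name]
        if not self._dominates(subj.clearance, obj.label):      # no read up
            raise PermissionError(f"{subj.name} cannot read {name} ({obj.label})")
        return list(obj.content)

    def write(self, subj, name, data):
        obj = self._objects[name]
        # No write down: a subject that has read SECRET data cannot pass it to a
        # CONFIDENTIAL object (CCI-002155). Trusted subjects are exempt.
        if subj.name not in self._trusted and not self._dominates(obj.label, subj.clearance):
            raise PermissionError(f"{subj.name} cannot write to {name} ({obj.label})")
        obj.content.append(data)

    def relabel(self, subj, name, new_label):
        # Only a trusted subject may change an object's security attribute (CCI-002157).
        if subj.name not in self._trusted:
            raise PermissionError(f"{subj.name} may not relabel {name}")
        if new_label not in LEVELS:
            raise ValueError(f"unknown label {new_label}")
        self._objects[name].label = new_label


def _denied(fn):
    """True if the monitor refuses the operation."""
    try:
        fn()
    except PermissionError:
        return True
    return False


def demo():
    """Exercise each constraint with constructed subjects; returns the outcomes."""
    mon = MacMonitor(trusted={"downgrader"})
    alice = Subject("alice", "SECRET")
    bob = Subject("bob", "CONFIDENTIAL")
    downgrader = Subject("downgrader", "TOP_SECRET")
    mon.create(alice, "plan")                        # labelled SECRET by the monitor
    mon.write(alice, "plan", "troop positions")
    mon.create(bob, "memo")                          # labelled CONFIDENTIAL
    out = {
        "alice_reads_own": mon.read(alice, "plan"),
        "bob_read_up": _denied(lambda: mon.read(bob, "plan")),
        "alice_write_down": _denied(lambda: mon.write(alice, "memo", "leak")),
        "bob_relabel": _denied(lambda: mon.relabel(bob, "memo", "UNCLASSIFIED")),
        "bob_choose_label": _denied(lambda: mon.create(bob, "x", "TOP_SECRET")),
    }
    mon.relabel(downgrader, "plan", "CONFIDENTIAL")  # a trusted re-grade
    out["bob_after_regrade"] = mon.read(bob, "plan")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of routing every operation through one class is the reference monitor property of CCI-002358: a caller that can reach the object store directly (here, the private `_objects` dictionary) bypasses the policy, so in a real system that store must be reachable only through the monitor.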

CCI-002163

The organization defines the discretionary access control policies the information system is to enforce over subjects and objects.

CCI-002164

The organization specifies in the discretionary access control policies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.

CCI-002165

The information system enforces organization-defined discretionary access control policies over defined subjects and objects.

CCI-002166

The organization defines the role-based access control policies the information system is to enforce over all subjects and objects.

CCI-002167

The organization defines the subjects over which the information system will enforce a role-based access control policy.

CCI-002168

The organization defines the objects over which the information system will enforce a role-based access control policy.

CCI-002169

The information system enforces a role-based access control policy over defined subjects and objects.

CCI-002170

The information system controls access based upon organization-defined roles and users authorized to assume such roles.

CCI-002171

The information system enforces a role-based access control policy over organization-defined subjects.

CCI-002172

The information system enforces a role-based access control policy over organization-defined objects.

CCI-002173

The organization defines the roles for which the information system will control access based upon the organization-defined role-based access control policy.

CCI-002174

The organization defines the users for which the information system will control access based upon the organization-defined role-based access control policy.

CCI-002175

The information system controls access based upon organization-defined roles authorized to assume such roles, employing the organization-defined role-based access control policy.

CCI-002176

The information system controls access based upon organization-defined users authorized to assume such roles, employing the organization-defined role-based access control policy.

CCI-002177

The organization defines the rules which will govern the timing of revocation of access authorizations.

CCI-002178

The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations.

CCI-002179

The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.

CCI-002180

The organization defines the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary.

CCI-002181

The organization defines information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary.

CCI-002182

The information system does not release information outside of the established system boundary unless the receiving organization-defined information system or system component provides organization-defined security safeguards.

CCI-002183

The organization defines the security safeguards to be used to validate the appropriateness of the information designated for release.

CCI-002184

The information system does not release information outside of the established system boundary unless organization-defined security safeguards are used to validate the appropriateness of the information designated for release.

CCI-002185

The organization defines the conditions on which it will employ an audited override of automated access control mechanisms.

CCI-002186

The organization employs an audited override of automated access control mechanisms under organization-defined conditions.

CCI-002187

The organization defines the security attributes to be used to enforce organization-defined information flow control policies.

CCI-002188

The organization defines the information, source, and destination objects with which the organization-defined security attributes are to be associated.

CCI-002189

The organization defines the information flow control policies to be enforced for flow control decisions.

CCI-002190

The information system uses organization-defined security attributes associated with organization-defined information, source, and destination objects to enforce organization-defined information flow control policies as a basis for flow control decisions.

CCI-002191

The organization defines the information flow control policies to be enforced by the information system using protected processing domains.

CCI-002192

The organization defines the policies the information system is to enforce to achieve dynamic information flow control.

CCI-002193

The organization defines procedures or methods to be employed by the information system to prevent encrypted information from bypassing content-checking mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information.

CCI-002194

The organization defines the metadata the information system uses to enforce information flow control.

CCI-002195

The organization defines the information flows against which the organization-defined security policy filters are to be enforced.

CCI-002196

The organization defines the information flows for which the information system will enforce the use of human reviews under organization-defined conditions.

CCI-002197

The organization defines the conditions which will require the use of human reviews of organization-defined information flows.

CCI-002198

The information system enforces the use of human reviews for organization-defined information flows under organization-defined conditions.

CCI-002199

The organization defines the conditions under which the information system provides the capability for privileged administrators to enable/disable organization-defined security policy filters.

CCI-002200

The organization defines the data type identifiers to be used to validate data being transferred between different security domains.

CCI-002201

The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions.

CCI-002202

The organization defines the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms.

CCI-002203

The organization defines the unsanctioned information the information system is to examine when transferring information between different security domains.

CCI-002204

The organization defines a security policy which prohibits the transfer of unsanctioned information between different security domains.

CCI-002205

The information system uniquely identifies and authenticates source by organization, system, application, and/or individual for information transfer.

CCI-002206

The information system uniquely authenticates source by organization, system, application, and/or individual for information transfer.

CCI-002207

The information system uniquely identifies and authenticates destination by organization, system, application, and/or individual for information transfer.

CCI-002208

The information system uniquely authenticates destination by organization, system, application, and/or individual for information transfer.

CCI-002209

The organization defines the techniques to be used to bind security attributes to information.

CCI-002210

The information system binds security attributes to information using organization-defined binding techniques to facilitate information flow policy enforcement.

CCI-002211

The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.

CCI-002212

The organization defines the solutions in approved configurations to be employed to control the flow of organization-defined information across security domains.

CCI-002213

The organization defines the information to be subjected to flow control across security domains.

CCI-002214

The organization employs organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains.

CCI-002215

The organization defines the mechanisms and/or techniques to be used to logically or physically separate information flows.

CCI-002216

The organization defines the types of information required to accomplish logical or physical separation of information flows.

CCI-002217

The information system separates information flows logically or physically using organization-defined mechanisms and/or techniques to accomplish organization-defined required separations by types of information.

CCI-002218

The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.

CCI-002219

The organization defines the duties of individuals that are to be separated.

CCI-002220

The organization defines information system access authorizations to support separation of duties.

CCI-002221

The organization defines the security-relevant information for which access must be explicitly authorized.

CCI-002222

The organization explicitly authorizes access to organization-defined security functions.

CCI-002223

The organization explicitly authorizes access to organization-defined security-relevant information.

CCI-002224

The organization defines the compelling operational needs that must be met in order to be authorized network access to organization-defined privileged commands.

CCI-002225

The information system provides separate processing domains to enable finer-grained allocation of user privileges.

CCI-002226

The organization defines the personnel or roles to whom privileged accounts are to be restricted on the information system.

CCI-002227

The organization restricts privileged accounts on the information system to organization-defined personnel or roles.

CCI-002228

The organization defines the frequency on which it conducts reviews of the privileges assigned to organization-defined roles or classes of users.

CCI-002229

The organization defines the roles or classes of users that are to have their privileges reviewed on an organization-defined frequency.

CCI-002230

The organization reviews the privileges assigned to organization-defined roles or classes of users on an organization-defined frequency to validate the need for such privileges.

CCI-002231

The organization reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.

CCI-002232

The organization defines software that is restricted from executing at a higher privilege than users executing the software.

CCI-002233

The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.

CCI-002234

The information system audits the execution of privileged functions.

CCI-002235

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

CCI-002236

The organization defines the time period the information system will automatically lock the account or node when the maximum number of unsuccessful logon attempts is exceeded.

CCI-002237

The organization defines the delay algorithm to be employed by the information system to delay the next logon prompt when the maximum number of unsuccessful logon attempts is exceeded.

CCI-002238

The information system automatically locks the account or node for either an organization-defined time period, until the locked account or node is released by an administrator, or delays the next logon prompt according to the organization-defined delay algorithm when the maximum number of unsuccessful logon attempts is exceeded.
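CCI-002236 through CCI-002238 leave three acceptable responses once the maximum number of unsuccessful logon attempts is reached: a lock for an organization-defined period, a lock held until an administrator releases it, or a delay before the next prompt computed by an organization-defined algorithm. The following is an added illustration written for this page (not DISA, IASE or Joval code) of a guard that implements all three; the threshold of three attempts, the 900-second lock period, the capped exponential delay algorithm and the injectable clock are assumptions made for the example.

```python
"""Added example for CCI-002236 through CCI-002238: a logon guard that, once an
account reaches the maximum number of unsuccessful attempts, either locks it for
a fixed period, locks it until an administrator releases it, or delays the next
prompt by an organization-defined algorithm. Illustrative code written for this
page, not DISA or Joval code; the threshold of 3, the 900-second lock, the capped
exponential delay and the injectable clock are assumptions."""
import time


class LogonGuard:
    MODES = ("timed", "admin_release", "delay")

    def __init__(self, max_attempts=3, mode="timed", lock_seconds=900,
                 delay_fn=lambda n: min(2 ** n, 60), clock=time.monotonic):
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.max_attempts = max_attempts      # organization-defined threshold
        self.mode = mode
        self.lock_seconds = lock_seconds      # organization-defined lock period
        self.delay_fn = delay_fn              # organization-defined delay algorithm
        self.clock = clock                    # injectable so tests need no real waiting
        self._failures = {}                   # account -> consecutive failures
        self._locked_until = {}               # account -> release time (timed mode)
        self._admin_locked = set()            # accounts awaiting administrator release
        self._next_allowed = {}               # account -> earliest next prompt (delay mode)

    def can_attempt(self, account):
        """Return (allowed, reason) for presenting a new logon prompt."""
        now = self.clock()
        if account in self._admin_locked:
            return False, "locked until released by an administrator"
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False, f"locked for {until - now:.0f}s more"
            del self._locked_until[account]   # lock period elapsed; start afresh
            self._failures.pop(account, None)
        nxt = self._next_allowed.get(account, 0.0)
        if now < nxt:
            return False, f"next prompt delayed {nxt - now:.0f}s"
        return True, "ok"

    def record_failure(self, account):
        """Count a failed logon; apply the configured response at the threshold."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n < self.max_attempts:
            return
        now = self.clock()
        if self.mode == "timed":
            self._locked_until[account] = now + self.lock_seconds
        elif self.mode == "admin_release":
            self._admin_locked.add(account)
        else:
            # The delay grows with every failure beyond the threshold, so a guessing
            # client pays an increasing cost instead of a fixed lockout.
            self._next_allowed[account] = now + self.delay_fn(n - self.max_attempts + 1)

    def record_success(self, account):
        self._failures.pop(account, None)
        self._next_allowed.pop(account, None)

    def admin_release(self, account):
        """Administrator clears every lock state for the account."""
        self._admin_locked.discard(account)
        self._locked_until.pop(account, None)
        self._next_allowed.pop(account, None)
        self._failures.pop(account, None)

    def seconds_until_allowed(self, account):
        return max(0.0, self._next_allowed.get(account, 0.0) - self.clock())


class FakeClock:
    """Constructed clock so the demo runs without real waiting."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def demo(mode):
    """Three failures, then check access immediately, after 901 s, and after admin release."""
    clk = FakeClock()
    guard = LogonGuard(max_attempts=3, mode=mode, lock_seconds=900, clock=clk)
    for _ in range(3):
        guard.record_failure("svc-account")
    immediately = guard.can_attempt("svc-account")[0]
    clk.advance(901)
    after_wait = guard.can_attempt("svc-account")[0]
    guard.admin_release("svc-account")
    after_release = guard.can_attempt("svc-account")[0]
    return immediately, after_wait, after_release
```

Whether the response fires when the threshold is reached or only when it is exceeded is itself an organization-defined choice; this example fires on reaching it. The delay mode keeps the failure count across waits so that each further failure lengthens the next delay, while the timed mode resets the count once the lock period has passed.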

CCI-002239

The organization defines the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts.

CCI-002240

The organization defines the purging/wiping requirements/techniques to be used by the information system on organization-defined mobile devices after an organization-defined number of consecutive, unsuccessful device logon attempts.

CCI-002241

The organization defines the number of consecutive, unsuccessful device logon attempts after which the information system will purge/wipe organization-defined mobile devices.

CCI-002242

The information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after an organization-defined number of consecutive, unsuccessful device logon attempts.

CCI-002243

The organization-defined information system use notification message or banner is to state that users are accessing a U.S. Government information system.

CCI-002244

The organization-defined information system use notification message or banner is to state that information system usage may be monitored, recorded, and subject to audit.

CCI-002245

The organization-defined information system use notification message or banner is to state that unauthorized use of the information system is prohibited and subject to criminal and civil penalties.

CCI-002246

The organization-defined information system use notification message or banner is to state that use of the information system indicates consent to monitoring and recording.

CCI-002247

The organization defines the use notification message or banner the information system displays to users before granting access to the system.

CCI-002248

The organization defines the conditions of use which are to be displayed to users of the information system before granting further access.

CCI-002249

The organization defines the information, in addition to the date and time of the last logon (access), to be included in the notification to the user upon successful logon (access).

CCI-002250

The information system notifies the user, upon successful logon (access), of the organization-defined information to be included in addition to the date and time of the last logon (access).

CCI-002251

The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).

CCI-002252

The organization defines the accounts and/or account types for which the information system will limit the number of concurrent sessions.

CCI-002253

The organization defines the account types for which the information system will limit the number of concurrent sessions.

CCI-002254

The organization defines the conditions or trigger events requiring session disconnect to be employed by the information system when automatically terminating a user session.

CCI-002255

The organization defines the user actions that can be performed on the information system without identification and authentication.

CCI-002256

The organization defines security attributes having organization-defined types of security attribute values which are associated with information in storage.

CCI-002257

The organization defines security attributes having organization-defined types of security attribute values which are associated with information in process.

CCI-002258

The organization defines security attributes, having organization-defined types of security attribute values, which are associated with information in transmission.

CCI-002259

The organization defines security attribute values associated with organization-defined types of security attributes for information in storage.

CCI-002260

The organization defines security attribute values associated with organization-defined types of security attributes for information in process.

CCI-002261

The organization defines security attribute values associated with organization-defined types of security attributes for information in transmission.

CCI-002262

The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.

CCI-002263

The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.

CCI-002264

The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.

CCI-002265

The organization ensures that the security attribute associations are made with the information.

CCI-002266

The organization ensures that the security attribute associations are retained with the information.

CCI-002267

The organization defines the security attributes that are permitted for organization-defined information systems.

CCI-002268

The organization defines the information systems for which permitted organization-defined attributes are to be established.

CCI-002269

The organization establishes the permitted organization-defined security attributes for organization-defined information systems.

CCI-002270

The organization defines the values or ranges permitted for each of the established security attributes.

CCI-002271

The organization determines the permitted organization-defined values or ranges for each of the established security attributes.

CCI-002272

The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined.

CCI-002273

The organization defines the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects.

CCI-002274

The organization defines the subjects with which the information system is to dynamically associate security attributes as information is created and combined.

CCI-002275

The organization defines the objects with which the information system is to dynamically associate security attributes as information is created and combined.

CCI-002276

The organization identifies the individuals authorized to define the value of associated security attributes.

CCI-002277

The information system provides authorized individuals (or processes acting on behalf of individuals) the capability to define the value of associated security attributes.

CCI-002278

The organization defines security attributes for which the association and integrity to organization-defined subjects and objects is maintained by the information system.

CCI-002279

The organization defines subjects for which the association and integrity of organization-defined security attributes is maintained by the information system.

CCI-002280

The organization defines objects for which the association and integrity of organization-defined security attributes is maintained by the information system.

CCI-002281

The information system maintains the association of organization-defined security attributes to organization-defined subjects.

CCI-002282

The information system maintains the association of organization-defined security attributes to organization-defined objects.

CCI-002283

The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects.

CCI-002284

The information system maintains the integrity of organization-defined security attributes associated with organization-defined objects.

CCI-002285

The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined subjects.

CCI-002286

The organization defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).

CCI-002287

The organization defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).

CCI-002288

The organization defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects.

CCI-002289

The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals).

CCI-002290

The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals).

CCI-002291

The organization defines the security policies to be followed by personnel when associating organization-defined security attributes with organization-defined subjects and objects.

CCI-002292

The organization defines the security attributes which are to be associated with organization-defined subjects and objects.

CCI-002293

The organization defines the subjects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.

CCI-002294

The organization defines the objects to be associated, and that association maintained, with organization-defined security attributes in accordance with organization-defined security policies.

CCI-002295

The organization allows personnel to associate organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies.

CCI-002296

The organization allows personnel to associate organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies.

CCI-002297

The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined subjects in accordance with organization-defined security policies.

CCI-002298

The organization allows personnel to maintain the association of organization-defined security attributes with organization-defined objects in accordance with organization-defined security policies.

CCI-002299

The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.

CCI-002300

The organization defines the techniques or technologies to be implemented when associating security attributes with information.

CCI-002301

The organization defines the level of assurance to be provided when implementing organization-defined techniques or technologies in associating security attributes to information.

CCI-002302

The information system implements organization-defined techniques or technologies with an organization-defined level of assurance in associating security attributes to information.

CCI-002303

The organization defines the techniques or procedures to be employed to validate re-grading mechanisms.

CCI-002304

The organization ensures security attributes associated with information are reassigned only via re-grading mechanisms validated using organization-defined techniques or procedures.

CCI-002305

The organization identifies individuals authorized to define or change the type and value of security attributes available for association with subjects and objects.

CCI-002306

The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects.

CCI-002307

The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects.

CCI-002308

The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects.

CCI-002309

The information system provides authorized individuals the capability to define or change the value of security attributes available for association with objects.

CCI-002310

The organization establishes and documents usage restrictions for each type of remote access allowed.

CCI-002311

The organization establishes and documents configuration/connection requirements for each type of remote access allowed.

CCI-002312

The organization establishes and documents implementation guidance for each type of remote access allowed.

CCI-002313

The information system controls remote access methods.

CCI-002314

The information system controls remote access methods.

CCI-002315

The organization defines the number of managed network access control points through which the information system routes all remote access.

CCI-002316

The organization authorizes access to security-relevant information via remote access only for organization-defined needs.

CCI-002317

The organization defines the operational needs for when the execution of privileged commands via remote access is to be authorized.

CCI-002318

The organization defines the operational needs for when access to security-relevant information via remote access is to be authorized.

CCI-002319

The organization documents in the security plan for the information system the rationale for authorization of the execution of privileged commands via remote access.

CCI-002320

The organization documents in the security plan for the information system the rationale for authorization of access to security-relevant information via remote access.

CCI-002321

The organization defines the time period within which it disconnects or disables remote access to the information system.

CCI-002322

The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.

CCI-002323

The organization establishes configuration/connection requirements for wireless access.

CCI-002324

The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.

CCI-002325

The organization establishes configuration requirements for organization-controlled mobile devices.

CCI-002326

The organization establishes connection requirements for organization-controlled mobile devices.

CCI-002327

The organization defines the security policies which restrict the connection of classified mobile devices to classified information systems.

CCI-002328

The organization restricts the connection of classified mobile devices to classified information systems in accordance with organization-defined security policies.

CCI-002329

The organization defines the mobile devices that are to employ full-device or container encryption to protect the confidentiality and integrity of the information on the device.

CCI-002330

The organization employs full-device encryption or container encryption to protect the confidentiality of information on organization-defined mobile devices.

CCI-002331

The organization employs full-device encryption or container encryption to protect the integrity of information on organization-defined mobile devices.

CCI-002332

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process, store, or transmit organization-controlled information using the external information systems.

CCI-002333

The organization permits authorized individuals to use an external information system to access the information system only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.

CCI-002334

The organization permits authorized individuals to use an external information system to process organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.

CCI-002335

The organization permits authorized individuals to use an external information system to store organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.

CCI-002336

The organization permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.

CCI-002337

The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

CCI-002338

The organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.

CCI-002339

The organization defines the network accessible storage devices that are to be prohibited from being used in external information systems.

CCI-002340

The organization prohibits the use of organization-defined network accessible storage devices in external information systems.

CCI-002060

The organization develops and documents a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI-002061

The organization defines the personnel or roles to whom security assessment and authorization policy is to be disseminated.

CCI-002062

The organization defines the personnel or roles to whom the security assessment and authorization procedures are to be disseminated.

CCI-002063

The organization defines the level of independence for assessors or assessment teams to conduct security control assessments of organizational information systems.

CCI-002064

The organization selects one or more security assessment techniques to be conducted.

CCI-002065

The organization defines the frequency at which to conduct security control assessments.

CCI-002066

The organization accepts the results of an assessment of the organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.

CCI-002067

The organization defines the information systems for which they will accept the results of an assessment performed by an external organization.

CCI-002068

The organization defines the external organizations from which assessment results for organization-defined information systems will be accepted.

CCI-002069

The organization defines the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet.

CCI-002070

The organization's security assessment plan describes the assessment team, and assessment roles and responsibilities.

CCI-002071

The organization defines the individuals or roles to whom the results of the security control assessment are to be provided.

CCI-002072

The organization defines the unclassified, national security systems that are prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.

CCI-002073

The organization defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network.

CCI-002074

The organization defines the boundary protection device to be used for the direct connection of classified, national security system to an external network.

CCI-002075

The organization prohibits the direct connection of an organization-defined unclassified, non-national security system to an external network without the use of an organization-defined boundary protection device.

CCI-002076

The organization defines the unclassified, non-national security system that is prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.

CCI-002077

The organization defines the boundary protection device to be used to directly connect an organization-defined unclassified, non-national security system to an external network.

CCI-002078

The organization prohibits the direct connection of an organization-defined information system to a public network.

CCI-002079

The organization defines the information system that is prohibited from directly connecting to a public network.

CCI-002080

The organization employs either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.

CCI-002081

The organization defines the information systems that employ either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing connections to external information systems.

CCI-002082

The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.

CCI-002083

The organization reviews and updates Interconnection Security Agreements on an organization-defined frequency.

CCI-002084

The organization defines the frequency at which reviews and updates to the Interconnection Security Agreements must be conducted.

CCI-002085

The organization defines the level of independence the assessors or assessment teams must have to monitor the security controls in the information system on an ongoing basis.

CCI-002086

The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data.

CCI-002087

The organization establishes and defines the metrics to be monitored for the continuous monitoring program.

CCI-002088

The organization establishes and defines the frequencies for continuous monitoring.

CCI-002089

The organization establishes and defines the frequencies for assessments supporting continuous monitoring.

CCI-002090

The organization implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy.

CCI-002091

The organization implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring.

CCI-002092

The organization implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information.

CCI-002093

The organization conducts penetration testing in accordance with organization-defined frequency on organization-defined information systems or system components.

CCI-002094

The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components.

CCI-002095

The organization defines the information systems or system components on which penetration testing will be conducted.

CCI-002096

The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

CCI-002097

The organization defines red team exercises to simulate attempts by adversaries to compromise organizational information systems.

CCI-002098

The organization defines rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems.

CCI-002099

The organization employs organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement.

CCI-002100

The information system performs security compliance checks on constituent components prior to the establishment of the internal connection.

CCI-002101

The organization authorizes internal connections of organization-defined information system components or classes of components to the information system.

CCI-002102

The organization defines the information system components or classes of components that are authorized internal connections to the information system.

CCI-002103

The organization documents, for each internal connection, the interface characteristics.

CCI-002104

The organization documents, for each internal connection, the security requirements.

CCI-002105

The organization documents, for each internal connection, the nature of the information communicated.

CCI-002056

The organization defines the time period the records of configuration-controlled changes are to be retained.

CCI-002057

The organization defines the personnel to be notified when approved changes to the information system are completed.

CCI-002058

The organization employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed.

CCI-002059

The organization defines the information system components for which the organization will employ automated mechanisms to centrally manage, apply, and verify configuration settings.

CCI-002048

The organization defines the personnel or roles to whom the security awareness and training policy is disseminated.

CCI-002049

The organization defines the personnel or roles to whom the security awareness and training procedures are disseminated.

CCI-002050

The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided.

CCI-002051

The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided.

CCI-002052

The organization includes practical exercises in security training that reinforce training objectives.

CCI-002053

The organization provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.

CCI-002054

The organization defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.

CCI-002055

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

CCI-002044

The organization defines measures to be employed to ensure that long-term audit records generated by the information system can be retrieved.

CCI-002045

The organization employs organization-defined measures to ensure that long-term audit records generated by the information system can be retrieved.

CCI-002046

The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.

CCI-002047

The organization defines the information system components on which the auditing that is to be performed can be changed by organization-defined individuals or roles.

CCI-001932

The organization documents an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI-001933

The organization defines the personnel or roles to be recipients of the identification and authentication policy and the procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

CCI-001934

The organization documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

CCI-001935

The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to privileged accounts.

CCI-001936

The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

CCI-001937

The device used in the information system implementation of multifactor authentication for network access to privileged accounts meets organization-defined strength of mechanism requirements.

CCI-001938

The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access to non-privileged accounts.

CCI-001939

The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

CCI-001940

The device used in the information system implementation of multifactor authentication for network access to non-privileged accounts meets organization-defined strength of mechanism requirements.

CCI-001941

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

CCI-001942

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

CCI-001943

The organization defines the information system accounts for which single sign-on capability will be provided.

CCI-001944

The organization defines the information system services for which single sign-on capability will be provided.

CCI-001945

The information system provides a single sign-on capability for an organization-defined list of information system accounts.

CCI-001946

The information system provides a single sign-on capability for an organization-defined list of information system services.

CCI-001947

The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to privileged accounts.

CCI-001948

The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

CCI-001949

The device used in the information system implementation of multifactor authentication for remote access to privileged accounts meets organization-defined strength of mechanism requirements.

CCI-001950

The organization defines the strength of mechanism requirements for the device that is separate from the system gaining access and is to provide one factor of a multifactor authentication for remote access to non-privileged accounts.

CCI-001951

The information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

CCI-001952

The device used in the information system implementation of multifactor authentication for remote access to non-privileged accounts meets organization-defined strength of mechanism requirements.

CCI-001953

The information system accepts Personal Identity Verification (PIV) credentials.

CCI-001954

The information system electronically verifies Personal Identity Verification (PIV) credentials.

CCI-001955

The organization defines the out-of-band authentication to be implemented by the information system under organization-defined conditions.

CCI-001956

The organization defines the conditions for which the information system implements organization-defined out-of-band authentication.

CCI-001957

The information system implements organization-defined out-of-band authentication under organization-defined conditions.

CCI-001958

The information system authenticates an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.

CCI-001959

The organization defines the specific devices and/or type of devices the information system is to authenticate before establishing a connection.

CCI-001960

The organization defines the lease information to be assigned to devices.

CCI-001961

The organization defines the lease duration to be assigned to devices.

CCI-001962

The organization standardizes dynamic address allocation lease information assigned to devices in accordance with organization-defined lease information.

CCI-001963

The organization standardizes dynamic address allocation lease duration assigned to devices in accordance with organization-defined lease duration.

CCI-001964

The organization defines the configuration management process that is to handle the device identification procedures.

CCI-001965

The organization defines the configuration management process that is to handle the device authentication procedures.

CCI-001966

The organization ensures that device identification based on attestation is handled by the organization-defined configuration management process.

CCI-001967

The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.

CCI-001968

The organization defines the configuration management process that is to handle the device identification procedures.

CCI-001969

The organization ensures that device authentication based on attestation is handled by the organization-defined configuration management process.

CCI-001970

The organization defines the personnel or roles that authorize the assignment of individual, group, role, and device identifiers.

CCI-001971

The organization manages information system identifiers by receiving authorization from organization-defined personnel or roles to assign an individual, group, role, or device identifier.

CCI-001972

The organization manages information system identifiers by selecting an identifier that identifies an individual, group, role, or device.

CCI-001973

The organization manages information system identifiers by assigning the identifier to the intended individual, group, role, or device.

CCI-001974

The organization defines the time period for which the reuse of identifiers is prohibited.

CCI-001975

The organization manages information system identifiers by preventing reuse of identifiers for an organization-defined time period.

CCI-001976

The information system dynamically manages identifiers.

CCI-001977

The organization defines the external organizations with which it will coordinate for cross-management of identifiers.

CCI-001978

The organization coordinates with organization-defined external organizations for cross-organization management of identifiers.

CCI-001979

The organization requires the registration process to receive an individual identifier be conducted in person before a designated registration authority.

CCI-001980

The organization manages information system authenticators by verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator.

CCI-001981

The organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution.

CCI-001982

The organization manages information system authenticators by establishing administrative procedures for lost/compromised authenticators.

CCI-001983

The organization manages information system authenticators by establishing administrative procedures for damaged authenticators.

CCI-001984

The organization manages information system authenticators by establishing administrative procedures for revoking authenticators.

CCI-001985

The organization manages information system authenticators by implementing administrative procedures for initial authenticator distribution.

CCI-001986

The organization manages information system authenticators by implementing administrative procedures for lost/compromised authenticators.

CCI-001987

The organization manages information system authenticators by implementing administrative procedures for damaged authenticators.

CCI-001988

The organization manages information system authenticators by implementing administrative procedures for revoking authenticators.

CCI-001989

The organization manages information system authenticators by changing default content of authenticators prior to information system installation.

CCI-001990

The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.

CCI-001991

The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

CCI-001992

The organization defines the personnel or roles responsible for authorizing the organization's registration authority accountable for the authenticator registration process.

CCI-001993

The organization defines the registration authority accountable for the authenticator registration process.

CCI-001994

The organization defines the types of and/or specific authenticators that are subject to the authenticator registration process.

CCI-001995

The organization requires that the registration process, to receive organization-defined types of and/or specific authenticators, be conducted in person, or by a trusted third-party, before an organization-defined registration authority with authorization by organization-defined personnel or roles.

CCI-001996

The organization defines the requirements the automated tools use to determine if password authenticators are sufficiently strong.

CCI-001997

The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy organization-defined requirements.

CCI-001998

The organization requires developers/installers of information system components to provide unique authenticators or change default authenticators prior to delivery/installation.

CCI-001999

The organization defines the external organizations to be coordinated with for cross-organization management of credentials.

CCI-002000

The organization coordinates with organization-defined external organizations for cross-organization management of credentials.

CCI-002001

The information system dynamically provisions identities.

CCI-002002

The organization defines the token quality requirements to be employed by the information system mechanisms for token-based authentication.

CCI-002003

The information system, for token-based authentication, employs mechanisms that satisfy organization-defined token quality requirements.

CCI-002004

The organization defines the biometric quality requirements to be employed by the information system mechanisms for biometric-based authentication.

CCI-002005

The information system, for biometric-based authentication, employs mechanisms that satisfy organization-defined biometric quality requirements.

CCI-002006

The organization defines the time period after which the use of cached authenticators is prohibited.

CCI-002007

The information system prohibits the use of cached authenticators after an organization-defined time period.

CCI-002008

The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.

CCI-002009

The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.

CCI-002010

The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.

CCI-002011

The information system accepts FICAM-approved third-party credentials.

CCI-002012

The organization defines the information systems which will employ only FICAM-approved information system components.

CCI-002013

The organization employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials.

CCI-002014

The information system conforms to FICAM-issued profiles.

CCI-002015

The information system accepts Personal Identity Verification-I (PIV-I) credentials.

CCI-002016

The information system electronically verifies Personal Identity Verification-I (PIV-I) credentials.

CCI-002017

The organization defines the information system services requiring identification.

CCI-002018

The organization defines the information system services requiring authentication.

CCI-002019

The organization defines the security safeguards to be used when identifying information system services.

CCI-002020

The organization defines the security safeguards to be used when authenticating information system services.

CCI-002021

The organization identifies organization-defined information system services using organization-defined security safeguards.

CCI-002022

The organization authenticates organization-defined information system services using organization-defined security safeguards.

CCI-002023

The organization ensures that service providers receive identification information.

CCI-002024

The organization ensures that service providers validate identification information.

CCI-002025

The organization ensures that service providers transmit identification information.

CCI-002026

The organization ensures that service providers receive authentication information.

CCI-002027

The organization ensures that service providers validate authentication information.

CCI-002028

The organization ensures that service providers transmit authentication information.

CCI-002029

The organization defines the services between which identification decisions are to be transmitted.

CCI-002030

The organization defines the services between which authentication decisions are to be transmitted.

CCI-002031

The organization ensures that identification decisions are transmitted between organization-defined services consistent with organizational policies.

CCI-002032

The organization ensures that authentication decisions are transmitted between organization-defined services consistent with organizational policies.

CCI-002033

The organization defines the specific circumstances or situations when individuals accessing an information system employ organization-defined supplemental authentication techniques or mechanisms.

CCI-002034

The organization defines the supplemental authentication techniques or mechanisms to be employed in specific organization-defined circumstances or situations by individuals accessing the information system.

CCI-002035

The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.

CCI-002036

The organization defines the circumstances or situations under which users will be required to reauthenticate.

CCI-002037

The organization defines the circumstances or situations under which devices will be required to reauthenticate.

CCI-002038

The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.

CCI-002039

The organization requires devices to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.

CCI-002040

The organization requires that the registration process to receive an individual identifier includes supervisor authorization.

CCI-002041

The information system allows the use of a temporary password for system logons with an immediate change to a permanent password.

CCI-002042

The organization manages information system authenticators by protecting authenticator content from unauthorized modification.

CCI-002043

The organization uses only FICAM-approved path discovery and validation products and services.

CCI-001930

The organization defines the organizational personnel or roles to whom the audit and accountability policy is to be disseminated.

CCI-001931

The organization defines the organizational personnel or roles to whom the audit and accountability procedures are to be disseminated.

CCI-001862

The organization defines the types of inappropriate or unusual activity to be reviewed and analyzed in the audit records.

CCI-001863

The organization defines the personnel or roles to receive the reports of organization-defined inappropriate or unusual activity.

CCI-001864

The organization employs automated mechanisms to integrate audit review and analysis to support organizational processes for investigation of and response to suspicious activities.

CCI-001865

The organization employs automated mechanisms to integrate reporting processes to support organizational investigation of and response to suspicious activities.

CCI-001866

The organization defines the data/information to be collected from other sources to enhance its ability to identify inappropriate or unusual activity.

CCI-001867

The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, information system monitoring information, and/or organization-defined data/information collected from other sources to further enhance its ability to identify inappropriate or unusual activity.

CCI-001868

The organization specifies the permitted actions for each information system process, role, and/or user associated with the review and analysis of audit information.

CCI-001869

The organization specifies the permitted actions for each information system process, role, and/or user associated with the reporting of audit information.

CCI-001870

The organization performs a full-text analysis of audited privileged commands in a physically-distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.

CCI-001871

The organization correlates information from non-technical sources with audit information to enhance organization-wide situational awareness.

CCI-001872

The organization adjusts the level of audit review and analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

CCI-001873

The organization adjusts the level of audit analysis within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

CCI-001874

The organization adjusts the level of audit reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

CCI-001875

The information system provides an audit reduction capability that supports on-demand audit review and analysis.

CCI-001876

The information system provides an audit reduction capability that supports on-demand reporting requirements.

CCI-001877

The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.

CCI-001878

The information system provides a report generation capability that supports on-demand audit review and analysis.

CCI-001879

The information system provides a report generation capability that supports on-demand reporting requirements.

CCI-001880

The information system provides a report generation capability that supports after-the-fact investigations of security incidents.

CCI-001881

The information system provides an audit reduction capability that does not alter original content or time ordering of audit records.

CCI-001882

The information system provides a report generation capability that does not alter original content or time ordering of audit records.

CCI-001883

The organization defines the audit fields within audit records to be processed for events of interest by the information system.

CCI-001884

The organization defines the audit fields within audit records to be sorted for events of interest by the information system.

CCI-001885

The organization defines the audit fields within audit records to be searched for events of interest by the information system.

CCI-001886

The information system provides the capability to sort audit records for events of interest based on the content of organization-defined audit fields within audit records.

CCI-001887

The information system provides the capability to search audit records for events of interest based on the content of organization-defined audit fields within audit records.

CCI-001888

The organization defines the granularity of time measurement for time stamps generated for audit records.

CCI-001889

The information system records time stamps for audit records that meet organization-defined granularity of time measurement.

CCI-001890

The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
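The audit reduction, report generation, sort/search and time-stamp items above (CCI-001875 through CCI-001890) describe capabilities rather than a particular tool. The following is an added example, not part of the DISA list or of any product it references, showing one way to implement them over Linux auditd-style records: the original line is kept byte-for-byte on every parsed record, the source list is never modified, selection and sorting operate on views, and time stamps are rendered in UTC at an organization-defined granularity (here "seconds" or "milliseconds"). The sample records are constructed for this example and the field names chosen for the report (`acct`, `addr`, `res`) are assumptions, not anything the CCI text specifies.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records in Linux auditd line format; written for this
# example and not captured from any real host. The last line is deliberately
# malformed to show that unparseable input is retained and counted, not dropped.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1712345678.123:401): pid=1201 uid=0 auid=1000 ses=4 "
    "msg='op=login acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.0.5 terminal=ssh res=success'",
    "type=USER_LOGIN msg=audit(1712345690.456:402): pid=1210 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=? addr=198.51.100.7 terminal=ssh res=failed'",
    "type=USER_CMD msg=audit(1712345702.789:403): pid=1222 uid=1000 auid=1000 ses=4 "
    "msg='cwd=\"/home/alice\" cmd=\"systemctl restart auditd\" exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'",
    "type=USER_LOGIN msg=audit(1712345715.001:404): pid=1230 uid=0 auid=4294967295 ses=4294967295 "
    "msg='op=login acct=\"bob\" exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.0.9 terminal=ssh res=failed'",
    "this line is not an audit record",
]

# auditd header: type=<TYPE> msg=audit(<epoch-seconds>.<millis>:<serial>): <key=value ...>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d{3}):(\d+)\):\s*(.*)$")
# key=value tokens; values may be single-quoted, double-quoted, or bare
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


@dataclass(frozen=True)
class AuditRecord:
    raw: str            # the original line, never modified (CCI-001881/001882)
    event_type: str
    seconds: int        # epoch seconds taken from the audit(...) header as an integer
    millis: int         # millisecond part from the same header, kept separately (no float rounding)
    serial: int
    fields: dict


def _kv_pairs(text):
    out = {}
    for key, value in KV_RE.findall(text):
        if value[:1] in ("'", '"') and value[-1:] == value[:1]:
            value = value[1:-1]
        out[key] = value
    return out


def parse_record(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an auditd record")
    rtype, secs, ms, serial, rest = m.groups()
    fields = _kv_pairs(rest)
    # auditd nests a second key=value list inside msg='...'; flatten it so that
    # acct=, addr=, res= become searchable like the top-level fields.
    if "msg" in fields:
        fields.update(_kv_pairs(fields.pop("msg")))
    fields["type"] = rtype
    return AuditRecord(line, rtype, int(secs), int(ms), int(serial), fields)


def parse_all(lines):
    """Parse every line; malformed lines are returned separately rather than silently lost."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_record(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


def timestamp_utc(rec, granularity="milliseconds"):
    """Render the record time in UTC (CCI-001890) at the organization-defined granularity (CCI-001889)."""
    base = datetime.fromtimestamp(rec.seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    if granularity == "seconds":
        return base + "Z"
    if granularity == "milliseconds":
        return f"{base}.{rec.millis:03d}Z"
    raise ValueError(f"unsupported granularity: {granularity}")


def search(records, **criteria):
    """Select records whose fields equal every given criterion (CCI-001887); returns a new list."""
    return [r for r in records if all(r.fields.get(k) == v for k, v in criteria.items())]


def sort_by(records, field_name):
    """Sorted view on one field (CCI-001886). sorted() is stable, so records with equal
    keys keep their original time ordering, and the input list is left untouched."""
    return sorted(records, key=lambda r: r.fields.get(field_name, ""))


def report(records, columns):
    """Report rows (CCI-001878): UTC time stamp followed by the requested fields."""
    return [[timestamp_utc(r)] + [r.fields.get(c, "") for c in columns] for r in records]


if __name__ == "__main__":
    recs, rejected = parse_all(SAMPLE_RECORDS)
    for row in report(sort_by(search(recs, type="USER_LOGIN", res="failed"), "addr"), ["acct", "addr"]):
        print(row)
    print(f"{len(rejected)} unparseable line(s) retained for review")
```

Keeping `seconds` and `millis` as integers instead of converting the header to a float avoids the sub-millisecond drift a float round trip would introduce into the rendered time stamp; the granularity the organization defines is then applied at output time only, so the stored record is never coarsened.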

CCI-001891

The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.

CCI-001892

The organization defines the time difference which, when exceeded, will require the information system to synchronize the internal information system clocks to the organization-defined authoritative time source.

CCI-001893

The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.
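CCI-001891 through CCI-001893 call for comparing the system clock against an authoritative source, stepping it when the difference exceeds an organization-defined threshold, and having a second source in another region. The example below is added here and is not from the DISA list or any particular NTP implementation: it builds an NTP client packet, parses a server reply, computes the clock offset and round-trip delay from the four time stamps (the RFC 5905 formulas), falls through to the secondary source when the primary is unreachable, and refuses replies whose origin time stamp does not echo the request (a basic guard against stale or spoofed answers). The reply bytes, source names and the 128 ms threshold are constructed assumptions for offline use; a real deployment sends the request over UDP/123 and should use authenticated NTP where the threat model requires it.

```python
import struct

NTP_EPOCH_DELTA = 2_208_988_800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PACKET = struct.Struct("!BBBb11I")   # 48-byte NTP header (RFC 5905 section 7.3)
SYNC_THRESHOLD_S = 0.128                 # assumed organization-defined value (CCI-001892)


def to_ntp(unix_ts):
    """Unix float seconds -> (32-bit seconds since 1900, 32-bit fraction)."""
    secs = int(unix_ts) + NTP_EPOCH_DELTA
    frac = int((unix_ts - int(unix_ts)) * 2**32)
    return secs, frac


def from_ntp(secs, frac):
    return secs - NTP_EPOCH_DELTA + frac / 2**32


def build_request(t1):
    """Client packet: LI=0, VN=4, mode=3, our send time t1 in the transmit field."""
    s, f = to_ntp(t1)
    return NTP_PACKET.pack(0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)


def build_server_reply(request, t2, t3, stratum=2):
    """Construct what a well-behaved server returns: mode 4, our transmit time echoed as
    origin, its receive time t2 and transmit time t3. Used only to fabricate sample
    input for this example; a real reply arrives from the network."""
    req = NTP_PACKET.unpack(request)
    r2, r3 = to_ntp(t2), to_ntp(t3)
    return NTP_PACKET.pack(0x24, stratum, 0, 0, 0, 0, 0, 0, 0,
                           req[13], req[14], r2[0], r2[1], r3[0], r3[1])


def parse_reply(reply, t1, t4):
    """Validate a reply and return (offset, delay) in seconds, given our send time t1
    and receive time t4. Raises ValueError for anything that must not be trusted."""
    if len(reply) < NTP_PACKET.size:
        raise ValueError("short packet")
    p = NTP_PACKET.unpack(reply[:NTP_PACKET.size])
    if p[0] & 0x7 != 4:
        raise ValueError("not a server reply")
    if p[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death or unsynchronised server")
    if (p[9], p[10]) != to_ntp(t1):          # origin must echo our transmit time stamp
        raise ValueError("origin timestamp mismatch (stale or spoofed reply)")
    t2, t3 = from_ntp(p[11], p[12]), from_ntp(p[13], p[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2     # how far our clock is behind (+) or ahead (-)
    delay = (t4 - t1) - (t3 - t2)            # network round trip, excluding server processing
    return offset, delay


def is_valid_reply(reply, t1, t4):
    try:
        parse_reply(reply, t1, t4)
        return True
    except ValueError:
        return False


def select_source(sources, threshold):
    """sources: ordered (name, t1, reply_bytes_or_None, t4) tuples, primary first.
    Returns (name, offset, delay, needs_sync) from the first usable source."""
    for name, t1, reply, t4 in sources:
        if reply is None:                    # unreachable: try the next (secondary) source
            continue
        try:
            offset, delay = parse_reply(reply, t1, t4)
        except ValueError:
            continue                         # malformed or spoofed: do not trust it
        return name, offset, delay, abs(offset) > threshold
    raise RuntimeError("no authoritative time source usable")


# Constructed scenario: local clock 300 ms behind the server, 50 ms one-way network delay.
T1 = 1_712_345_678.000                       # local send time
T4 = 1_712_345_678.110                       # local receive time
SAMPLE_REPLY = build_server_reply(build_request(T1), t2=T1 + 0.350, t3=T1 + 0.360)


def demo():
    sources = [
        ("primary-region-a", T1, None, T4),           # constructed: unreachable
        ("secondary-region-b", T1, SAMPLE_REPLY, T4), # constructed: second region answers
    ]
    return select_source(sources, threshold=SYNC_THRESHOLD_S)


if __name__ == "__main__":
    name, offset, delay, needs_sync = demo()
    print(f"{name}: offset={offset:+.3f}s delay={delay:.3f}s step clock={needs_sync}")
```

The origin-time-stamp check is the one that matters operationally: an unauthenticated NTP reply that does not echo the request's transmit field is either a late duplicate or an injected packet, and stepping the clock on it would silently shift every audit time stamp the system emits afterwards.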

CCI-001894

The organization defines the subset of privileged users who will be authorized access to the management of audit functionality.

CCI-001895

The organization defines the audit information requiring dual authorization for movement or deletion actions.

CCI-001896

The organization enforces dual authorization for movement and/or deletion of organization-defined audit information.

CCI-001897

The organization defines the subset of privileged users who will be authorized read-only access to audit information.

CCI-001898

The organization authorizes read-only access to audit information to an organization-defined subset of privileged users.

CCI-001899

The organization defines the actions to be covered by non-repudiation.

CCI-001900

The organization defines the strength of binding to be applied to the binding of the identity of the information producer with the information.

CCI-001901

The information system binds the identity of the information producer with the information to an organization-defined strength of binding.

CCI-001902

The information system provides the means for authorized individuals to determine the identity of the producer of the information.

CCI-001903

The organization defines the frequency on which the information system is to validate the binding of the information producer identity to the information.

CCI-001904

The information system validates the binding of the information producer identity to the information at an organization-defined frequency.

CCI-001905

The organization defines the actions to be performed in the event of an error when validating the binding of the information producer identity to the information.

CCI-001906

The information system performs organization-defined actions in the event of an error when validating the binding of the information producer identity to the information.

CCI-001907

The organization defines the security domains which will require the information system to validate the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer.

CCI-001908

The organization defines the action the information system is to perform in the event of an information reviewer identity binding validation error.

CCI-001909

The information system performs organization-defined actions in the event of an information reviewer identity binding validation error.

CCI-001910

The organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system.

CCI-001911

The organization defines the selectable event criteria to be used as the basis for changes to the auditing to be performed on organization-defined information system components, by organization-defined individuals or roles, within organization-defined time thresholds.

CCI-001912

The organization defines the time thresholds for organization-defined individuals or roles to change the auditing to be performed based on organization-defined selectable event criteria.

CCI-001913

The organization defines the individuals or roles that are to be provided the capability to change the auditing to be performed based on organization-defined selectable event criteria, within organization-defined time thresholds.

CCI-001914

The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.

CCI-001915

The organization defines the open source information and/or information sites to be monitored for evidence of unauthorized exfiltration or disclosure of organizational information.

CCI-001916

The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.

CCI-001917

The organization defines the frequency for reviewing the open source information sites being monitored.

CCI-001918

The organization reviews the open source information sites being monitored per organization-defined frequency.

CCI-001919

The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

CCI-001920

The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.

CCI-001921

The organization defines the alternative audit functionality to be provided in the event of a failure in the primary audit capability.

CCI-001922

The organization provides an alternative audit capability in the event of a failure in primary audit capability that provides organization-defined alternative audit functionality.

CCI-001923

The organization defines the audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries.

CCI-001924

The organization defines the methods to be employed when coordinating audit information among external organizations when audit information is transmitted across organizational boundaries.

CCI-001925

The organization employs organization-defined methods for coordinating organization-defined audit information among external organizations when audit information is transmitted across organizational boundaries.

CCI-001926

The organization requires that the identity of individuals be preserved in cross-organizational audit trails.

CCI-001927

The organization defines the organizations that will be provided cross-organizational audit information.

CCI-001928

The organization defines the cross-organizational sharing agreements to be established with organization-defined organizations authorized to be provided cross-organizational sharing of audit information.

CCI-001929

The organization provides cross-organizational audit information to organization-defined organizations based on organization-defined cross-organizational sharing agreements.

CCI-001831

The organization documents an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI-001832

The organization disseminates the audit and accountability policy to organization-defined personnel or roles.

CCI-001833

The organization documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

CCI-001834

The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

CCI-001835

The organization defines the frequency on which it will review the audit and accountability policy.

CCI-001836

The organization defines the frequency on which it will update the audit and accountability policy.

CCI-001837

The organization reviews the audit and accountability policy on an organization-defined frequency.

CCI-001838

The organization updates the audit and accountability policy on an organization-defined frequency.

CCI-001839

The organization defines the frequency on which it will review the audit and accountability procedures.

CCI-001840

The organization defines the frequency on which it will update the audit and accountability procedures.

CCI-001841

The organization reviews the audit and accountability procedures on an organization-defined frequency.

CCI-001842

The organization updates the audit and accountability procedures on an organization-defined frequency.

CCI-001843

The organization defines a frequency for updating the list of organization-defined auditable events.

CCI-001844

The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components.

CCI-001845

The information system provides centralized configuration of the content to be captured in audit records generated by organization-defined information system components.

CCI-001846

The organization defines information system components that will generate the audit records which are to be captured for centralized management of the content.

CCI-001847

The organization defines information system components that will generate the audit records which are to be captured for centralized configuration of the content.

CCI-001848

The organization defines the audit record storage requirements.

CCI-001849

The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements.

CCI-001850

The organization defines the frequency on which the information system off-loads audit records onto a different system or media than the system being audited.

CCI-001851

The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.

CCI-001852

The organization defines the personnel, roles and/or locations to receive a warning when allocated audit record storage volume reaches a defined percentage of maximum audit records storage capacity.

CCI-001853

The organization defines the time period within which organization-defined personnel, roles, and/or locations are to receive warnings when allocated audit record storage volume reaches an organization-defined percentage of maximum audit records storage capacity.

CCI-001854

The organization defines the percentage of maximum audit record storage capacity that is to be reached, at which time the information system will provide a warning to organization-defined personnel, roles, and/or locations.

CCI-001855

The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity.

CCI-001856

The organization defines the real-time period within which the information system is to provide an alert when organization-defined audit failure events occur.

CCI-001857

The organization defines the personnel, roles, and/or locations to receive alerts when organization-defined audit failure events occur.

CCI-001858

The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

CCI-001859

The organization defines the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceeds those thresholds.

CCI-001860

The organization defines the audit failures which, should they occur, will invoke an organization-defined system mode.

CCI-001861

The information system invokes an organization-defined system mode, in the event of organization-defined audit failures, unless an alternate audit capability exists.

CCI-001826

The organization defines the circumstances upon which the organization reviews the information system changes to determine whether unauthorized changes have occurred.

CCI-001827

The organization defines the frequency with which to review information system privileges.

CCI-001828

The organization defines the frequency with which to reevaluate information system privileges.

CCI-001829

The organization reviews information system privileges per an organization-defined frequency.

CCI-001830

The organization reevaluates information system privileges per an organization-defined frequency.

CCI-001781

The organization defines the frequency on which the information system component inventory is to be updated.

CCI-001782

The organization updates the information system component inventory per organization-defined frequency.

CCI-001783

The organization defines the personnel or roles to be notified when unauthorized hardware, software, and firmware components are detected within the information system.

CCI-001784

When unauthorized hardware, software, and firmware components are detected within the information system, the organization takes action to disable network access by such components, isolates the components, and/or notifies organization-defined personnel or roles.

CCI-001785

The organization provides a centralized repository for the inventory of information system components.

CCI-001786

The organization employs automated mechanisms to support tracking of information system components by geographic location.

CCI-001787

The organization defines the acquired information system components that are to be assigned to an information system.

CCI-001788

The organization assigns organization-defined acquired information system components to an information system.

CCI-001789

The organization receives an acknowledgement from the information system owner of the assignment of the acquired information system components to an information system.

CCI-001790

The organization develops a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.

CCI-001791

The organization documents a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.

CCI-001792

The organization implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle.

CCI-001793

The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.

CCI-001794

The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.

CCI-001795

The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.

CCI-001796

The organization develops a configuration management plan for the information system that places the configuration items under configuration management.

CCI-001797

The organization documents a configuration management plan for the information system that places the configuration items under configuration management.

CCI-001798

The organization implements a configuration management plan for the information system that places the configuration items under configuration management.

CCI-001799

The organization develops and documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.

CCI-001800

The organization documents a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.

CCI-001801

The organization implements a configuration management plan for the information system that protects the configuration management plan from unauthorized disclosure and modification.

CCI-001802

The organization tracks the use of software documentation protected by quantity licenses to control copying of the software documentation.

CCI-001803

The organization tracks the use of software protected by quantity licenses to control distribution of the software.

CCI-001804

The organization defines the policies for governing the installation of software by users.

CCI-001805

The organization establishes organization-defined policies governing the installation of software by users.

CCI-001806

The organization defines methods to be employed to enforce the software installation policies.

CCI-001807

The organization enforces software installation policies through organization-defined methods.

CCI-001808

The organization defines the frequency on which it will monitor software installation policy compliance.

CCI-001809

The organization monitors software installation policy compliance per an organization-defined frequency.

CCI-001810

The organization defines the personnel or roles to be notified when unauthorized software is detected.

CCI-001811

The information system alerts organization-defined personnel or roles when the unauthorized installation of software is detected.

CCI-001812

The information system prohibits user installation of software without explicit privileged status.

CCI-001813

The information system enforces access restrictions.

CCI-001814

The information system supports auditing of the enforcement actions.

CCI-001815

The organization defines the security safeguards to be applied to devices when they return from areas of significant risk.

CCI-001816

The organization applies organization-defined security safeguards to devices when individuals return from areas of significant risk.

CCI-001817

The organization, when analyzing changes to the information system, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CCI-001818

The organization analyzes changes to the information system in a separate test environment before installation in an operational environment.

CCI-001819

The organization implements approved configuration-controlled changes to the information system.

CCI-001820

The organization documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI-001821

The organization defines the organizational personnel or roles to whom the configuration management policy is to be disseminated.

CCI-001822

The organization disseminates the configuration management policy to organization-defined personnel or roles.

CCI-001823

The organization documents the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CCI-001824

The organization defines the organizational personnel or roles to whom the configuration management procedures are to be disseminated.

CCI-001825

The organization disseminates to organization-defined personnel or roles the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CCI-001726

The organization uses software in accordance with contract agreements.

CCI-001727

The organization uses software documentation in accordance with contract agreements.

CCI-001728

The organization uses software in accordance with copyright laws.

CCI-001729

The organization uses software documentation in accordance with copyright laws.

CCI-001730

The organization tracks the use of software protected by quantity licenses to control copying of the software.

CCI-001731

The organization tracks the use of software documentation protected by quantity licenses to control distribution of the software documentation.

CCI-001732

The organization controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CCI-001733

The organization documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CCI-001734

The organization defines the restrictions to be followed on the use of open source software.

CCI-001735

The organization establishes organization-defined restrictions on the use of open source software.

CCI-001736

The organization defines the previous versions of the baseline configuration of the information system required to support rollback.

CCI-001737

The organization defines the information systems, system components, or devices that are to have organization-defined configurations applied when located in areas of significant risk.

CCI-001738

The organization defines the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk.

CCI-001739

The organization issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations the organization deems to be of significant risk.

CCI-001740

The organization reviews proposed configuration-controlled changes to the information system.

CCI-001741

The organization documents configuration change decisions associated with the information system.

CCI-001742

The organization defines the approval authorities to be notified when proposed changes to the information system are received.

CCI-001743

The organization defines the security responses to be automatically implemented by the information system if baseline configurations are changed in an unauthorized manner.

CCI-001744

The information system implements organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.

CCI-001745

The organization defines the security safeguards that are to be provided by the cryptographic mechanisms which are employed by the organization.

CCI-001746

The organization ensures that cryptographic mechanisms used to provide organization-defined security safeguards are under configuration management.

CCI-001747

The organization defines critical software components the information system will prevent from being installed without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

CCI-001748

The organization defines critical firmware components the information system will prevent from being installed without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

CCI-001749

The information system prevents the installation of organization-defined software components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.

CCI-001750

The information system prevents the installation of organization-defined firmware components without verification that the firmware component has been digitally signed using a certificate that is recognized and approved by the organization.

CCI-001751

The organization defines system-level information requiring enforcement of a dual authorization for information system changes.

CCI-001752

The organization enforces dual authorization for changes to organization-defined system-level information.

CCI-001753

The organization limits privileges to change information system components within a production or operational environment.

CCI-001754

The organization limits privileges to change system-related information within a production or operational environment.

CCI-001755

The organization defines the information system components for which any deviations from the established configuration settings are to be identified, documented, and approved.

CCI-001756

The organization defines the operational requirements on which the configuration settings for the organization-defined information system components are to be based.

CCI-001757

The organization defines the security safeguards the organization is to employ when responding to unauthorized changes to the organization-defined configuration settings.

CCI-001758

The organization defines configuration settings for which the organization will employ organization-defined security safeguards in response to unauthorized changes.

CCI-001759

The organization employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings.

CCI-001760

The organization defines the frequency of information system reviews to identify unnecessary and/or nonsecure functions, ports, protocols, and services.

CCI-001761

The organization defines the functions, ports, protocols, and services within the information system that are to be disabled when deemed unnecessary and/or nonsecure.

CCI-001762

The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

CCI-001763

The organization defines the policies regarding software program usage and restrictions.

CCI-001764

The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.

CCI-001765

The organization defines the software programs not authorized to execute on the information system.

CCI-001766

The organization identifies the organization-defined software programs not authorized to execute on the information system.

CCI-001767

The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.

CCI-001768

The organization defines the frequency on which it will review and update the list of unauthorized software programs.

CCI-001769

The organization defines the frequency on which it will update the list of unauthorized software programs.

CCI-001770

The organization reviews and updates the list of unauthorized software programs per organization-defined frequency.

CCI-001771

The organization updates the list of unauthorized software programs per organization-defined frequency.

CCI-001772

The organization defines the software programs authorized to execute on the information system.

CCI-001773

The organization identifies the organization-defined software programs authorized to execute on the information system.

CCI-001774

The organization employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system.

CCI-001775

The organization defines the frequency on which it will review and update the list of authorized software programs.

CCI-001776

The organization defines the frequency on which it will update the list of authorized software programs.

CCI-001777

The organization reviews and updates the list of authorized software programs per organization-defined frequency.

CCI-001778

The organization updates the list of authorized software programs per organization-defined frequency.

CCI-001779

The organization defines the frequency on which the information system component inventory is to be reviewed and updated.

CCI-001780

The organization reviews and updates the information system component inventory per organization-defined frequency.

CCI-001690

The organization protects, as required, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system.

CCI-001691

The organization makes available to authorized personnel vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.

CCI-001692

The organization makes available to authorized personnel vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

CCI-001693

The information system enforces a Discretionary Access Control (DAC) policy that limits propagation of access rights.

CCI-001694

The information system enforces a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.

CCI-001695

The information system prevents the execution of organization-defined unacceptable mobile code.

CCI-001689

The organization, if an information system component failure is detected, automatically shuts down the information system.

CCI-001682

The information system automatically removes or disables emergency accounts after an organization-defined time period for each type of account.

CCI-001683

The information system notifies organization-defined personnel or roles for account creation actions.

CCI-001684

The information system notifies organization-defined personnel or roles for account modification actions.

CCI-001685

The information system notifies organization-defined personnel or roles for account disabling actions.

CCI-001686

The information system notifies organization-defined personnel or roles for account removal actions.

CCI-001687

The organization ensures the use of mobile code to be deployed in information systems meets organization-defined mobile code requirements.

CCI-001688

The organization ensures the acquisition of mobile code to be deployed in information systems meets organization-defined mobile code requirements.

CCI-001681

The organization defines the frequency at which each form of security control assessment should be conducted.

CCI-001680

The organization develops an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

CCI-001585

The organization defines the circumstances that require reviews and updates to the baseline configuration of the information system.

CCI-001586

The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities.

CCI-001587

The organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CCI-001588

The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.

CCI-001589

The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked.

CCI-001590

The organization develops a list of software programs authorized to execute on the information system.

CCI-001591

The organization develops a list of software programs not authorized to execute on the information system.

CCI-001592

The organization defines the rules authorizing the terms and conditions of software program usage on the information system.

CCI-001593

The organization maintains a list of software programs authorized to execute on the information system.

CCI-001594

The organization maintains a list of software programs not authorized to execute on the information system.

CCI-001595

The organization maintains rules authorizing the terms and conditions of software program usage on the information system.

CCI-001596

The organization defines the frequency with which to review and update the current contingency planning procedures.

CCI-001597

The organization disseminates contingency planning procedures to organization-defined personnel or roles.

CCI-001598

The organization reviews and updates the current contingency planning procedures in accordance with the organization-defined frequency.

CCI-001599

The organization sustains operational continuity of essential missions until full information system restoration at primary processing and/or storage sites.

CCI-001600

The organization sustains operational continuity of essential business functions until full information system restoration at primary processing and/or storage sites.

CCI-001601

The organization sustains operational continuity of essential missions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites.

CCI-001602

The organization sustains operational continuity of essential business functions at alternate processing and/or storage sites until information system restoration at primary processing and/or storage sites.

CCI-001603

The contingency plan identifies the primary storage site hazards.

CCI-001604

The organization outlines explicit mitigation actions for organization-identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.

CCI-001605

The contingency plan identifies the primary processing site hazards.

CCI-001606

The organization outlines explicit mitigation actions for organization-identified potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.

CCI-001607

The organization establishes alternate telecommunications services to support the information system.

CCI-001608

The organization identifies the primary provider’s telecommunications service hazards.

CCI-001609

The organization can activate the redundant secondary information system that is not collocated with the primary system without loss of information or disruption to operations.

CCI-001610

The organization defines the time period (by authenticator type) for changing/refreshing authenticators.

CCI-001611

The organization defines the minimum number of special characters for password complexity enforcement.

CCI-001612

The organization defines the minimum number of upper case characters for password complexity enforcement.

CCI-001613

The organization defines the minimum number of lower case characters for password complexity enforcement.

CCI-001614

The organization defines the minimum number of numeric characters for password complexity enforcement.

CCI-001615

The organization defines the minimum number of characters that are changed when new passwords are created.

CCI-001616

The organization defines minimum password lifetime restrictions.

CCI-001617

The organization defines maximum password lifetime restrictions.

CCI-001618

The organization defines the number of generations for which password reuse is prohibited.

CCI-001619

The information system enforces password complexity by the minimum number of special characters used.

CCI-001620

The organization defines the types of and/or specific authenticators for which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).

CCI-001621

The organization implements organization-defined security safeguards to manage the risk of compromise due to individuals having accounts on multiple information systems.

CCI-001622

The organization identifies personnel with incident response roles and responsibilities with respect to the information system.

CCI-001623

The incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities.

CCI-001624

The organization documents the results of incident response tests.

CCI-001625

The organization implements the resulting incident handling activity changes to incident response procedures, training, and testing/exercises accordingly.

CCI-001626

The organization employs automated mechanisms to assist in the collection of security incident information.

CCI-001627

The organization employs automated mechanisms to assist in the analysis of security incident information.

CCI-001628

The organization defines a frequency with which to review and update the current system maintenance procedures.

CCI-001629

The organization employs automated mechanisms to produce up-to-date, accurate, complete, and available records of all maintenance and repair actions needed, in process, and complete.

CCI-001630

Designated organizational personnel review the maintenance records of the non-local maintenance and diagnostic sessions.

CCI-001631

The organization, before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system.

CCI-001632

The organization protects nonlocal maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths or logically separated communications paths based upon encryption.

CCI-001633

The organization defines removable media types and information output requiring marking.

CCI-001634

The organization identifies authorized personnel with appropriate clearances and access authorizations for gaining physical access to the facility containing an information system that processes classified information.

CCI-001635

The organization removes individuals from the facility access list when access is no longer required.

CCI-001636

The organization defines the frequency with which to review and update the current security planning policy.

CCI-001637

The organization reviews and updates the current security planning policy in accordance with organization-defined frequency.

CCI-001638

The organization defines the frequency with which to review and update the current security planning procedures.

CCI-001639

The organization makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage.

CCI-001640

The organization updates the critical infrastructure and key resources protection plan that addresses information security issues.

CCI-001641

The organization defines the process for conducting random vulnerability scans on the information system and hosted applications.

CCI-001642

The organization defines the organizational document in which risk assessment results are documented (e.g., security plan, risk assessment report).

CCI-001643

The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined process for random scans.

CCI-001644

The organization employs vulnerability scanning procedures that can demonstrate the depth of coverage (i.e., vulnerabilities checked).

CCI-001645

The organization identifies the information system components to which privileged access is authorized for selected organization-defined vulnerability scanning activities.

CCI-001646

The organization defines the frequency with which to review and update the current system and services acquisition procedures.

CCI-001647

The organization requires the use of a FIPS-validated, cryptographic module for a technology product that relies on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type.

CCI-001648

The organization makes available to authorized personnel the source code for the information system to permit analysis and testing.

CCI-001649

The organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users.

CCI-001650

The organization requires the information system developers to manage and control changes to the information system during development.

CCI-001651

The organization requires the information system integrators to manage and control changes to the information system during development.

CCI-001652

The organization requires the information system developers to manage and control changes to the information system during implementation.

CCI-001653

The organization requires the information system integrators to manage and control changes to the information system during implementation.

CCI-001654

The organization requires the information system developers to manage and control changes to the information system during modification.

CCI-001655

The organization requires the information system integrators to manage and control changes to the information system during modification.

CCI-001656

The organization defines the security functions of the information system to be isolated from nonsecurity functions.

CCI-001657

The organization defines the external boundary of the information system.

CCI-001658

The organization defines key internal boundaries of the information system.

CCI-001659

The organization defines the mediation necessary for public access to the organization’s internal networks.

CCI-001660

The organization defines the measures to protect against unauthorized physical connections across boundary protections implemented at organization-defined managed interfaces.

CCI-001661

The organization defines the security functions, to minimally include information system authentication and re-authentication, within the information system to be included in a trusted communications path.

CCI-001662

The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified.

CCI-001663

The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).

CCI-001664

The information system recognizes only session identifiers that are system-generated.

CCI-001665

The information system preserves organization-defined system state information in the event of a system failure.

CCI-001666

The organization employs cryptographic mechanisms to prevent unauthorized modification of information at rest unless otherwise protected by alternative physical measures.

CCI-001667

The organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.

CCI-001668

The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.

CCI-001669

The organization defines the frequency of testing malicious code protection mechanisms.

CCI-001670

The information system takes organization-defined least-disruptive actions to terminate suspicious events.

CCI-001671

The organization analyzes outbound communications traffic at selected organization-defined interior points within the system (e.g., subnetworks, subsystems) to discover anomalies.

CCI-001672

The organization employs a wireless intrusion detection system to identify rogue wireless devices.

CCI-001673

The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

CCI-001674

The information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s).

CCI-001675

The organization defines the personnel or roles that are to receive reports on the results of security function verification.

CCI-001676

The organization defines, for periodic security function verification, the frequency of the verifications.

CCI-001677

The organization employs spam protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.

CCI-001678

The organization retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

CCI-001679

The organization provides a mechanism to exchange active and standby roles of the components.

CCI-001545

The organization defines a frequency for reviewing and updating the access control policy.

CCI-001546

The organization defines a frequency for reviewing and updating the access control procedures.

CCI-001547

The organization defines the frequency on which it will review information system accounts for compliance with account management requirements.

CCI-001548

The organization defines the information flow control policies for controlling the flow of information within the system.

CCI-001549

The organization defines the information flow control policies for controlling the flow of information between interconnected systems.

CCI-001550

The organization defines approved authorizations for controlling the flow of information within the system.

CCI-001551

The organization defines approved authorizations for controlling the flow of information between interconnected systems.

CCI-001552

The organization defines policy that allows or disallows information flows based on changing conditions or operational considerations.

CCI-001553

The organization defines the security policy filters that privileged administrators have the capability to enable/disable.

CCI-001554

The organization defines the security policy filters that privileged administrators have the capability to configure.

CCI-001555

The information system uniquely identifies destination domains for information transfer.

CCI-001556

The information system uniquely authenticates destination domains for information transfer.

CCI-001557

The information system tracks problems associated with the information transfer.

CCI-001558

The organization defines the security functions (deployed in hardware, software, and firmware) for which access must be explicitly authorized.

CCI-001559

The organization identifies the individuals authorized to change the value of associated security attributes.

CCI-001560

The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined objects.

CCI-001561

The organization defines managed access control points for remote access to the information system.

CCI-001562

The organization defines the appropriate action(s) to be taken if an unauthorized remote connection is discovered.

CCI-001563

The organization defines the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.

CCI-001564

The organization defines the frequency of security awareness and training policy reviews and updates.

CCI-001565

The organization defines the frequency of security awareness and training procedure reviews and updates.

CCI-001566

The organization provides organization-defined personnel or roles with initial training in the employment and operation of physical security controls.

CCI-001567

The organization provides organization-defined personnel or roles with refresher training in the employment and operation of physical security controls in accordance with the organization-defined frequency.

CCI-001568

The organization defines a frequency for providing employees with refresher training in the employment and operation of physical security controls.

CCI-001569

The organization defines the frequency on which it will review and update the audit and accountability policy.

CCI-001570

The organization defines the frequency on which it will review and update the audit and accountability procedures.

CCI-001571

The organization defines the information system auditable events.

CCI-001572

The organization defines the personnel or roles to be alerted in the event of an audit processing failure.

CCI-001573

The organization defines whether to reject or delay network traffic that exceeds organization-defined thresholds.

CCI-001574

The information system rejects or delays, as defined by the organization, network traffic that exceeds the organization-defined thresholds.

CCI-001575

The organization defines the system or system component for storing audit records that is a different system or system component than the system or component being audited.

CCI-001576

The information system produces a system-wide (logical or physical) audit trail of information system audit records.

CCI-001577

The organization defines the information system components from which audit records are to be compiled into the system-wide audit trail.

CCI-001578

The organization defines the frequency to review and update the current security assessment and authorization procedures.

CCI-001579

The organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques.

CCI-001580

The organization identifies connections to external information systems (i.e., information systems outside of the authorization boundary).

CCI-001581

The organization defines personnel or roles to whom the security status of the organization and the information system should be reported.

CCI-001582

The organization defines the forms of security assessment, other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; and performance/load testing, that should be included as part of security control assessments.

CCI-001583

The organization selects announced or unannounced assessments for each form of security control assessment.

CCI-001584

The organization defines the frequency with which to review and update configuration management procedures.

CCI-001544

The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.

CCI-000235

The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

CCI-000236

The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

CCI-000023

The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended.

CCI-000073

The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.

CCI-000074

The organization develops an organization-wide information security program plan that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.

CCI-000075

The organization reviews the organization-wide information security program plan on an organization-defined frequency.

CCI-000076

The organization defines the frequency with which to review the organization-wide information security program plan.

CCI-000077

The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments.

CCI-000078

The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

CCI-000080

The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.

CCI-000081

The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.

CCI-000141

The organization ensures that information security resources are available for expenditure as planned.

CCI-000142

The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained.

CCI-000170

The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation.

CCI-000207

The organization develops and maintains an inventory of its information systems.

CCI-000209

The organization develops the results of information security measures of performance.

CCI-000210

The organization monitors the results of information security measures of performance.

CCI-000211

The organization reports on the results of information security measures of performance.

CCI-000212

The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

CCI-000216

The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues.

CCI-000227

The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.

CCI-000228

The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization.

CCI-000229

The organization documents the security state of organizational information systems and the environments in which those systems operate through security authorization processes.