{ "catalog" : { "uuid" : "5b66e3dc-f9cb-46ca-8cb7-3c480ac7a33b", "metadata" : { "title" : "NIST SP 800-171 Requirements", "last-modified" : "2022-10-01T15:54:08.020493Z", "version" : "2.0.0", "oscal-version" : "1.0.0", "props" : [ { "name" : "keywords", "value" : "Assessment, assessment plan, assurance, availability, computer security, confidentiality, control, control assessment, cybersecurity, FISMA, information security, information system, integrity, personally identifiable information, OSCAL, Open Security Controls Assessment Language, Privacy Act, privacy controls, privacy functions, privacy requirements, Risk Management Framework, security controls, security functions, security requirements, system, system security" } ], "links" : [ { "href" : "#c3397cc9-83c6-4459-adb2-836739dc1b94", "rel" : "alternate" }, { "href" : "#f7cf488d-bc64-4a91-a994-810e153ee481", "rel" : "canonical" } ], "roles" : [ { "id" : "creator", "title" : "Document creator" }, { "id" : "contact", "title" : "Contact" } ], "parties" : [ { "uuid" : "41a93829-b76b-43ec-b9e7-250553511549", "type" : "organization", "name" : "Joint Task Force, Interagency Working Group", "email-addresses" : [ "sec-cert@nist.gov" ], "addresses" : [ { "addr-lines" : [ "National Institute of Standards and Technology", "Attn: Computer Security Division", "Information Technology Laboratory", "100 Bureau Drive (Mail Stop 8930)" ], "city" : "Gaithersburg", "state" : "MD", "postal-code" : "20899-8930" } ] }, { "uuid" : "bf46e14e-c0e6-45a1-8ce5-37704efd40f7", "type" : "person", "name" : "Matt Wiseman", "links" : [ { "href" : "#40309802-71cd-43b9-b807-5fbd634c0217" } ] } ], "responsible-parties" : [ { "role-id" : "creator", "party-uuids" : [ "bf46e14e-c0e6-45a1-8ce5-37704efd40f7" ] }, { "role-id" : "contact", "party-uuids" : [ "41a93829-b76b-43ec-b9e7-250553511549" ] } ] }, "groups" : [ { "id" : "3.1", "class" : "family", "title" : "Access Control", "controls" : [ { "id" : "3.1.1", "class" : "SP800-171", "title" : "Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).", "props" : [ { "name" : "label", "value" : "3.1.1" }, { "name" : "label", "value" : "3.1.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.1" } ], "parts" : [ { "id" : "3.1.1_smt", "name" : "statement", "prose" : "Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)." }, { "id" : "3.1.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.1[a]", "class" : "sp800-171a" } ], "prose" : "authorized users are identified." }, { "id" : "3.1.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.1[b]", "class" : "sp800-171a" } ], "prose" : "processes acting on behalf of authorized users are identified." }, { "id" : "3.1.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.1[c]", "class" : "sp800-171a" } ], "prose" : "devices (and other systems) authorized to connect to the system are identified." }, { "id" : "3.1.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.1[d]", "class" : "sp800-171a" } ], "prose" : "system access is limited to authorized users." }, { "id" : "3.1.1_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.1[e]", "class" : "sp800-171a" } ], "prose" : "system access is limited to processes acting on behalf of authorized users." }, { "id" : "3.1.1_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.1[f]", "class" : "sp800-171a" } ], "prose" : "system access is limited to authorized devices (including other systems)." 
} ] } ] }, { "id" : "3.1.2", "class" : "SP800-171", "title" : "Limit system access to the types of transactions and functions that authorized users are permitted to execute.", "props" : [ { "name" : "label", "value" : "3.1.2" }, { "name" : "label", "value" : "3.1.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.2" } ], "parts" : [ { "id" : "3.1.2_smt", "name" : "statement", "prose" : "Limit system access to the types of transactions and functions that authorized users are permitted to execute." }, { "id" : "3.1.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.2[a]", "class" : "sp800-171a" } ], "prose" : "the types of transactions and functions that authorized users are permitted to execute are defined." }, { "id" : "3.1.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.2[b]", "class" : "sp800-171a" } ], "prose" : "system access is limited to the defined types of transactions and functions for authorized users." } ] } ] }, { "id" : "3.1.3", "class" : "SP800-171", "title" : "Control the flow of CUI in accordance with approved authorizations.", "props" : [ { "name" : "label", "value" : "3.1.3" }, { "name" : "label", "value" : "3.1.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.3" } ], "parts" : [ { "id" : "3.1.3_smt", "name" : "statement", "prose" : "Control the flow of CUI in accordance with approved authorizations." }, { "id" : "3.1.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.3[a]", "class" : "sp800-171a" } ], "prose" : "information flow control policies are defined." 
}, { "id" : "3.1.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.3[b]", "class" : "sp800-171a" } ], "prose" : "methods and enforcement mechanisms for controlling the flow of CUI are defined." }, { "id" : "3.1.3_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.3[c]", "class" : "sp800-171a" } ], "prose" : "designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified." }, { "id" : "3.1.3_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.3[d]", "class" : "sp800-171a" } ], "prose" : "authorizations for controlling the flow of CUI are defined." }, { "id" : "3.1.3_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.3[e]", "class" : "sp800-171a" } ], "prose" : "approved authorizations for controlling the flow of CUI are enforced." } ] } ] }, { "id" : "3.1.4", "class" : "SP800-171", "title" : "Separate the duties of individuals to reduce the risk of malevolent activity without collusion.", "props" : [ { "name" : "label", "value" : "3.1.4" }, { "name" : "label", "value" : "3.1.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.4" } ], "parts" : [ { "id" : "3.1.4_smt", "name" : "statement", "prose" : "Separate the duties of individuals to reduce the risk of malevolent activity without collusion." }, { "id" : "3.1.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.4_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.4[a]", "class" : "sp800-171a" } ], "prose" : "the duties of individuals requiring separation are defined." 
}, { "id" : "3.1.4_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.4[b]", "class" : "sp800-171a" } ], "prose" : "responsibilities for duties that require separation are assigned to separate individuals." }, { "id" : "3.1.4_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.4[c]", "class" : "sp800-171a" } ], "prose" : "access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals." } ] } ] }, { "id" : "3.1.5", "class" : "SP800-171", "title" : "Employ the principle of least privilege, including for specific security functions and privileged accounts.", "props" : [ { "name" : "label", "value" : "3.1.5" }, { "name" : "label", "value" : "3.1.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.5" } ], "parts" : [ { "id" : "3.1.5_smt", "name" : "statement", "prose" : "Employ the principle of least privilege, including for specific security functions and privileged accounts." }, { "id" : "3.1.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.5[a]", "class" : "sp800-171a" } ], "prose" : "privileged accounts are identified." }, { "id" : "3.1.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.5[b]", "class" : "sp800-171a" } ], "prose" : "access to privileged accounts is authorized in accordance with the principle of least privilege." }, { "id" : "3.1.5_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.5[c]", "class" : "sp800-171a" } ], "prose" : "security functions are identified." 
}, { "id" : "3.1.5_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.5[d]", "class" : "sp800-171a" } ], "prose" : "access to security functions is authorized in accordance with the principle of least privilege." } ] } ] }, { "id" : "3.1.6", "class" : "SP800-171", "title" : "Use non-privileged accounts or roles when accessing non-security functions.", "props" : [ { "name" : "label", "value" : "3.1.6" }, { "name" : "label", "value" : "3.1.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.6" } ], "parts" : [ { "id" : "3.1.6_smt", "name" : "statement", "prose" : "Use non-privileged accounts or roles when accessing non-security functions." }, { "id" : "3.1.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.6_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.6[a]", "class" : "sp800-171a" } ], "prose" : "nonsecurity functions are identified." }, { "id" : "3.1.6_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.6[b]", "class" : "sp800-171a" } ], "prose" : "users are required to use non-privileged accounts or roles when accessing nonsecurity functions." } ] } ] }, { "id" : "3.1.7", "class" : "SP800-171", "title" : "Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.", "props" : [ { "name" : "label", "value" : "3.1.7" }, { "name" : "label", "value" : "3.1.7", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.7" } ], "parts" : [ { "id" : "3.1.7_smt", "name" : "statement", "prose" : "Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs." 
}, { "id" : "3.1.7_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.7", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.7_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.7[a]", "class" : "sp800-171a" } ], "prose" : "privileged functions are defined." }, { "id" : "3.1.7_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.7[b]", "class" : "sp800-171a" } ], "prose" : "non-privileged users are defined." }, { "id" : "3.1.7_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.7[c]", "class" : "sp800-171a" } ], "prose" : "non-privileged users are prevented from executing privileged functions." }, { "id" : "3.1.7_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.7[d]", "class" : "sp800-171a" } ], "prose" : "the execution of privileged functions is captured in audit logs." } ] } ] }, { "id" : "3.1.8", "class" : "SP800-171", "title" : "Limit unsuccessful logon attempts.", "props" : [ { "name" : "label", "value" : "3.1.8" }, { "name" : "label", "value" : "3.1.8", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.8" } ], "parts" : [ { "id" : "3.1.8_smt", "name" : "statement", "prose" : "Limit unsuccessful logon attempts." }, { "id" : "3.1.8_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.8", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.8_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.8[a]", "class" : "sp800-171a" } ], "prose" : "the means of limiting unsuccessful logon attempts is defined." }, { "id" : "3.1.8_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.8[b]", "class" : "sp800-171a" } ], "prose" : "the defined means of limiting unsuccessful logon attempts is implemented." 
} ] } ] }, { "id" : "3.1.9", "class" : "SP800-171", "title" : "Provide privacy and security notices consistent with applicable CUI rules.", "props" : [ { "name" : "label", "value" : "3.1.9" }, { "name" : "label", "value" : "3.1.9", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.9" } ], "parts" : [ { "id" : "3.1.9_smt", "name" : "statement", "prose" : "Provide privacy and security notices consistent with applicable CUI rules." }, { "id" : "3.1.9_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.9", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.9_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.9[a]", "class" : "sp800-171a" } ], "prose" : "privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category." }, { "id" : "3.1.9_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.9[b]", "class" : "sp800-171a" } ], "prose" : "privacy and security notices are displayed." } ] } ] }, { "id" : "3.1.10", "class" : "SP800-171", "title" : "Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.", "props" : [ { "name" : "label", "value" : "3.1.10" }, { "name" : "label", "value" : "3.1.10", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.10" } ], "parts" : [ { "id" : "3.1.10_smt", "name" : "statement", "prose" : "Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity." }, { "id" : "3.1.10_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.10", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.10_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.10[a]", "class" : "sp800-171a" } ], "prose" : "the period of inactivity after which the system initiates a session lock is defined." 
}, { "id" : "3.1.10_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.10[b]", "class" : "sp800-171a" } ], "prose" : "access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity." }, { "id" : "3.1.10_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.10[c]", "class" : "sp800-171a" } ], "prose" : "previously visible information is concealed via a pattern-hiding display after the defined period of inactivity." } ] } ] }, { "id" : "3.1.11", "class" : "SP800-171", "title" : "Terminate (automatically) a user session after a defined condition.", "props" : [ { "name" : "label", "value" : "3.1.11" }, { "name" : "label", "value" : "3.1.11", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.11" } ], "parts" : [ { "id" : "3.1.11_smt", "name" : "statement", "prose" : "Terminate (automatically) a user session after a defined condition." }, { "id" : "3.1.11_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.11", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.11_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.11[a]", "class" : "sp800-171a" } ], "prose" : "conditions requiring a user session to terminate are defined." }, { "id" : "3.1.11_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.11[b]", "class" : "sp800-171a" } ], "prose" : "a user session is automatically terminated after any of the defined conditions occur." } ] } ] }, { "id" : "3.1.12", "class" : "SP800-171", "title" : "Monitor and control remote access sessions.", "props" : [ { "name" : "label", "value" : "3.1.12" }, { "name" : "label", "value" : "3.1.12", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.12" } ], "parts" : [ { "id" : "3.1.12_smt", "name" : "statement", "prose" : "Monitor and control remote access sessions." 
}, { "id" : "3.1.12_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.12", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.12_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.12[a]", "class" : "sp800-171a" } ], "prose" : "remote access sessions are permitted." }, { "id" : "3.1.12_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.12[b]", "class" : "sp800-171a" } ], "prose" : "the types of permitted remote access are identified." }, { "id" : "3.1.12_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.12[c]", "class" : "sp800-171a" } ], "prose" : "remote access sessions are controlled." }, { "id" : "3.1.12_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.12[d]", "class" : "sp800-171a" } ], "prose" : "remote access sessions are monitored." } ] } ] }, { "id" : "3.1.13", "class" : "SP800-171", "title" : "Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.", "props" : [ { "name" : "label", "value" : "3.1.13" }, { "name" : "label", "value" : "3.1.13", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.13" } ], "parts" : [ { "id" : "3.1.13_smt", "name" : "statement", "prose" : "Employ cryptographic mechanisms to protect the confidentiality of remote access sessions." }, { "id" : "3.1.13_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.13", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.13_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.13[a]", "class" : "sp800-171a" } ], "prose" : "cryptographic mechanisms to protect the confidentiality of remote access sessions are identified." 
}, { "id" : "3.1.13_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.13[b]", "class" : "sp800-171a" } ], "prose" : "cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented." } ] } ] }, { "id" : "3.1.14", "class" : "SP800-171", "title" : "Route remote access via managed access control points.", "props" : [ { "name" : "label", "value" : "3.1.14" }, { "name" : "label", "value" : "3.1.14", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.14" } ], "parts" : [ { "id" : "3.1.14_smt", "name" : "statement", "prose" : "Route remote access via managed access control points." }, { "id" : "3.1.14_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.14", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.14_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.14[a]", "class" : "sp800-171a" } ], "prose" : "managed access control points are identified and implemented." }, { "id" : "3.1.14_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.14[b]", "class" : "sp800-171a" } ], "prose" : "remote access is routed through managed network access control points." } ] } ] }, { "id" : "3.1.15", "class" : "SP800-171", "title" : "Authorize remote execution of privileged commands and remote access to security-relevant information.", "props" : [ { "name" : "label", "value" : "3.1.15" }, { "name" : "label", "value" : "3.1.15", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.15" } ], "parts" : [ { "id" : "3.1.15_smt", "name" : "statement", "prose" : "Authorize remote execution of privileged commands and remote access to security-relevant information." 
}, { "id" : "3.1.15_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.15", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.15_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.15[a]", "class" : "sp800-171a" } ], "prose" : "privileged commands authorized for remote execution are identified." }, { "id" : "3.1.15_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.15[b]", "class" : "sp800-171a" } ], "prose" : "security-relevant information authorized to be accessed remotely is identified." }, { "id" : "3.1.15_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.15[c]", "class" : "sp800-171a" } ], "prose" : "the execution of the identified privileged commands via remote access is authorized." }, { "id" : "3.1.15_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.15[d]", "class" : "sp800-171a" } ], "prose" : "access to the identified security-relevant information via remote access is authorized." } ] } ] }, { "id" : "3.1.16", "class" : "SP800-171", "title" : "Authorize wireless access prior to allowing such connections.", "props" : [ { "name" : "label", "value" : "3.1.16" }, { "name" : "label", "value" : "3.1.16", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.16" } ], "parts" : [ { "id" : "3.1.16_smt", "name" : "statement", "prose" : "Authorize wireless access prior to allowing such connections." }, { "id" : "3.1.16_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.16", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.16_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.16[a]", "class" : "sp800-171a" } ], "prose" : "wireless access points are identified." 
}, { "id" : "3.1.16_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.16[b]", "class" : "sp800-171a" } ], "prose" : "wireless access is authorized prior to allowing such connections." } ] } ] }, { "id" : "3.1.17", "class" : "SP800-171", "title" : "Protect wireless access using authentication and encryption.", "props" : [ { "name" : "label", "value" : "3.1.17" }, { "name" : "label", "value" : "3.1.17", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.17" } ], "parts" : [ { "id" : "3.1.17_smt", "name" : "statement", "prose" : "Protect wireless access using authentication and encryption." }, { "id" : "3.1.17_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.17", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.17_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.17[a]", "class" : "sp800-171a" } ], "prose" : "wireless access to the system is protected using authentication." }, { "id" : "3.1.17_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.17[b]", "class" : "sp800-171a" } ], "prose" : "wireless access to the system is protected using encryption." } ] } ] }, { "id" : "3.1.18", "class" : "SP800-171", "title" : "Control connection of mobile devices.", "props" : [ { "name" : "label", "value" : "3.1.18" }, { "name" : "label", "value" : "3.1.18", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.18" } ], "parts" : [ { "id" : "3.1.18_smt", "name" : "statement", "prose" : "Control connection of mobile devices." }, { "id" : "3.1.18_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.18", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.18_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.18[a]", "class" : "sp800-171a" } ], "prose" : "mobile devices that process, store, or transmit CUI are identified." 
}, { "id" : "3.1.18_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.18[b]", "class" : "sp800-171a" } ], "prose" : "mobile device connections are authorized." }, { "id" : "3.1.18_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.18[c]", "class" : "sp800-171a" } ], "prose" : "mobile device connections are monitored and logged." } ] } ] }, { "id" : "3.1.19", "class" : "SP800-171", "title" : "Encrypt CUI on mobile devices and mobile computing platforms", "props" : [ { "name" : "label", "value" : "3.1.19" }, { "name" : "label", "value" : "3.1.19", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.19" } ], "parts" : [ { "id" : "3.1.19_smt", "name" : "statement", "prose" : "Encrypt CUI on mobile devices and mobile computing platforms" }, { "id" : "3.1.19_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.19", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.19_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.19[a]", "class" : "sp800-171a" } ], "prose" : "mobile devices and mobile computing platforms that process, store, or transmit CUI are identified." }, { "id" : "3.1.19_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.19[b]", "class" : "sp800-171a" } ], "prose" : "encryption is employed to protect CUI on identified mobile devices and mobile computing platforms." } ] } ] }, { "id" : "3.1.20", "class" : "SP800-171", "title" : "Verify and control/limit connections to and use of external systems.", "props" : [ { "name" : "label", "value" : "3.1.20" }, { "name" : "label", "value" : "3.1.20", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.20" } ], "parts" : [ { "id" : "3.1.20_smt", "name" : "statement", "prose" : "Verify and control/limit connections to and use of external systems." 
}, { "id" : "3.1.20_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.20", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.20_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.20[a]", "class" : "sp800-171a" } ], "prose" : "connections to external systems are identified." }, { "id" : "3.1.20_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.20[b]", "class" : "sp800-171a" } ], "prose" : "the use of external systems is identified." }, { "id" : "3.1.20_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.20[c]", "class" : "sp800-171a" } ], "prose" : "connections to external systems are verified." }, { "id" : "3.1.20_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.20[d]", "class" : "sp800-171a" } ], "prose" : "the use of external systems is verified." }, { "id" : "3.1.20_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.20[e]", "class" : "sp800-171a" } ], "prose" : "connections to external systems are controlled/limited." }, { "id" : "3.1.20_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.20[f]", "class" : "sp800-171a" } ], "prose" : "the use of external systems is controlled/limited." } ] } ] }, { "id" : "3.1.21", "class" : "SP800-171", "title" : "Limit use of portable storage devices on external systems.", "props" : [ { "name" : "label", "value" : "3.1.21" }, { "name" : "label", "value" : "3.1.21", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.21" } ], "parts" : [ { "id" : "3.1.21_smt", "name" : "statement", "prose" : "Limit use of portable storage devices on external systems." 
}, { "id" : "3.1.21_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.21", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.21_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.21[a]", "class" : "sp800-171a" } ], "prose" : "the use of portable storage devices containing CUI on external systems is identified and documented." }, { "id" : "3.1.21_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.21[b]", "class" : "sp800-171a" } ], "prose" : "limits on the use of portable storage devices containing CUI on external systems are defined." }, { "id" : "3.1.21_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.21[c]", "class" : "sp800-171a" } ], "prose" : "the use of portable storage devices containing CUI on external systems is limited as defined." } ] } ] }, { "id" : "3.1.22", "class" : "SP800-171", "title" : "Control CUI posted or processed on publicly accessible systems.", "props" : [ { "name" : "label", "value" : "3.1.22" }, { "name" : "label", "value" : "3.1.22", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.1.22" } ], "parts" : [ { "id" : "3.1.22_smt", "name" : "statement", "prose" : "Control CUI posted or processed on publicly accessible systems." }, { "id" : "3.1.22_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.22", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.1.22_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.22[a]", "class" : "sp800-171a" } ], "prose" : "individuals authorized to post or process information on publicly accessible systems are identified." }, { "id" : "3.1.22_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.22[b]", "class" : "sp800-171a" } ], "prose" : "procedures to ensure CUI is not posted or processed on publicly accessible systems are identified." 
}, { "id" : "3.1.22_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.22[c]", "class" : "sp800-171a" } ], "prose" : "a review process is in place prior to posting of any content to publicly accessible systems." }, { "id" : "3.1.22_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.22[d]", "class" : "sp800-171a" } ], "prose" : "content on publicly accessible systems is reviewed to ensure that it does not include CUI." }, { "id" : "3.1.22_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.1.22[e]", "class" : "sp800-171a" } ], "prose" : "mechanisms are in place to remove and address improper posting of CUI." } ] } ] } ] }, { "id" : "3.2", "class" : "family", "title" : "Awareness and Training", "controls" : [ { "id" : " 3.2.1 ", "class" : "SP800-171", "title" : "Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.", "props" : [ { "name" : "label", "value" : " 3.2.1 " }, { "name" : "label", "value" : " 3.2.1 ", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : " 3.2.1 " } ], "parts" : [ { "id" : " 3.2.1 _smt", "name" : "statement", "prose" : "Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems." 
}, { "id" : "3.2.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.2.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.1[a]", "class" : "sp800-171a" } ], "prose" : "security risks associated with organizational activities involving CUI are identified." }, { "id" : "3.2.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.1[b]", "class" : "sp800-171a" } ], "prose" : "policies, standards, and procedures related to the security of the system are identified." }, { "id" : "3.2.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.1[c]", "class" : "sp800-171a" } ], "prose" : "managers, systems administrators, and users of the system are made aware of the security risks associated with their activities." }, { "id" : "3.2.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.1[d]", "class" : "sp800-171a" } ], "prose" : "managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system." } ] } ] }, { "id" : "3.2.2", "class" : "SP800-171", "title" : "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.", "props" : [ { "name" : "label", "value" : "3.2.2" }, { "name" : "label", "value" : "3.2.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.2.2" } ], "parts" : [ { "id" : "3.2.2_smt", "name" : "statement", "prose" : "Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities."
}, { "id" : "3.2.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.2.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.2[a]", "class" : "sp800-171a" } ], "prose" : "information security-related duties, roles, and responsibilities are defined." }, { "id" : "3.2.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.2[b]", "class" : "sp800-171a" } ], "prose" : "information security-related duties, roles, and responsibilities are assigned to designated personnel." }, { "id" : "3.2.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.2[c]", "class" : "sp800-171a" } ], "prose" : "personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities." } ] } ] }, { "id" : "3.2.3", "class" : "SP800-171", "title" : "Provide security awareness training on recognizing and reporting potential indicators of insider threat.", "props" : [ { "name" : "label", "value" : "3.2.3" }, { "name" : "label", "value" : "3.2.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.2.3" } ], "parts" : [ { "id" : "3.2.3_smt", "name" : "statement", "prose" : "Provide security awareness training on recognizing and reporting potential indicators of insider threat." }, { "id" : "3.2.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.2.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.3[a]", "class" : "sp800-171a" } ], "prose" : "potential indicators associated with insider threats are identified." 
}, { "id" : "3.2.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.2.3[b]", "class" : "sp800-171a" } ], "prose" : "security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees." } ] } ] } ] }, { "id" : "3.3", "class" : "family", "title" : "Audit and Accountability", "controls" : [ { "id" : "3.3.1", "class" : "SP800-171", "title" : "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.", "props" : [ { "name" : "label", "value" : "3.3.1" }, { "name" : "label", "value" : "3.3.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.1" } ], "parts" : [ { "id" : "3.3.1_smt", "name" : "statement", "prose" : "Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity." }, { "id" : "3.3.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.1[a]", "class" : "sp800-171a" } ], "prose" : "audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified." }, { "id" : "3.3.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.1[b]", "class" : "sp800-171a" } ], "prose" : "the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined." 
}, { "id" : "3.3.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.1[c]", "class" : "sp800-171a" } ], "prose" : "audit records are created (generated)." }, { "id" : "3.3.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.1[d]", "class" : "sp800-171a" } ], "prose" : "audit records, once created, contain the defined content." }, { "id" : "3.3.1_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.1[e]", "class" : "sp800-171a" } ], "prose" : "retention requirements for audit records are defined." }, { "id" : "3.3.1_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.1[f]", "class" : "sp800-171a" } ], "prose" : "audit records are retained as defined." } ] } ] }, { "id" : "3.3.2", "class" : "SP800-171", "title" : "Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.", "props" : [ { "name" : "label", "value" : "3.3.2" }, { "name" : "label", "value" : "3.3.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.2" } ], "parts" : [ { "id" : "3.3.2_smt", "name" : "statement", "prose" : "Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions." }, { "id" : "3.3.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.2[a]", "class" : "sp800-171a" } ], "prose" : "the content of the audit records needed to support the ability to uniquely trace users to their actions is defined." 
}, { "id" : "3.3.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.2[b]", "class" : "sp800-171a" } ], "prose" : "audit records, once created, contain the defined content." } ] } ] }, { "id" : "3.3.3", "class" : "SP800-171", "title" : "Review and update logged events.", "props" : [ { "name" : "label", "value" : "3.3.3" }, { "name" : "label", "value" : "3.3.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.3" } ], "parts" : [ { "id" : "3.3.3_smt", "name" : "statement", "prose" : "Review and update logged events." }, { "id" : "3.3.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.3[a]", "class" : "sp800-171a" } ], "prose" : "a process for determining when to review logged events is defined." }, { "id" : "3.3.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.3[b]", "class" : "sp800-171a" } ], "prose" : "event types being logged are reviewed in accordance with the defined review process." }, { "id" : "3.3.3_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.3[c]", "class" : "sp800-171a" } ], "prose" : "event types being logged are updated based on the review." } ] } ] }, { "id" : "3.3.4", "class" : "SP800-171", "title" : "Alert in the event of an audit logging process failure.", "props" : [ { "name" : "label", "value" : "3.3.4" }, { "name" : "label", "value" : "3.3.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.4" } ], "parts" : [ { "id" : "3.3.4_smt", "name" : "statement", "prose" : "Alert in the event of an audit logging process failure." 
}, { "id" : "3.3.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.4_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.4[a]", "class" : "sp800-171a" } ], "prose" : "personnel or roles to be alerted in the event of an audit logging process failure are identified." }, { "id" : "3.3.4_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.4[b]", "class" : "sp800-171a" } ], "prose" : "types of audit logging process failures for which alert will be generated are defined." }, { "id" : "3.3.4_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.4[c]", "class" : "sp800-171a" } ], "prose" : "identified personnel or roles are alerted in the event of an audit logging process failure." } ] } ] }, { "id" : "3.3.5", "class" : "SP800-171", "title" : "Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.", "props" : [ { "name" : "label", "value" : "3.3.5" }, { "name" : "label", "value" : "3.3.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.5" } ], "parts" : [ { "id" : "3.3.5_smt", "name" : "statement", "prose" : "Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity." }, { "id" : "3.3.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.5[a]", "class" : "sp800-171a" } ], "prose" : "audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined." 
}, { "id" : "3.3.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.5[b]", "class" : "sp800-171a" } ], "prose" : "defined audit record review, analysis, and reporting processes are correlated." } ] } ] }, { "id" : "3.3.6", "class" : "SP800-171", "title" : "Provide audit record reduction and report generation to support on-demand analysis and reporting.", "props" : [ { "name" : "label", "value" : "3.3.6" }, { "name" : "label", "value" : "3.3.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.6" } ], "parts" : [ { "id" : "3.3.6_smt", "name" : "statement", "prose" : "Provide audit record reduction and report generation to support on-demand analysis and reporting." }, { "id" : "3.3.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.6_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.6[a]", "class" : "sp800-171a" } ], "prose" : "an audit record reduction capability that supports on-demand analysis is provided." }, { "id" : "3.3.6_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.6[b]", "class" : "sp800-171a" } ], "prose" : "a report generation capability that supports on-demand reporting is provided." } ] } ] }, { "id" : "3.3.7", "class" : "SP800-171", "title" : "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.", "props" : [ { "name" : "label", "value" : "3.3.7" }, { "name" : "label", "value" : "3.3.7", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.7" } ], "parts" : [ { "id" : "3.3.7_smt", "name" : "statement", "prose" : "Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records." 
}, { "id" : "3.3.7_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.7", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.7_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.7[a]", "class" : "sp800-171a" } ], "prose" : "internal system clocks are used to generate time stamps for audit records." }, { "id" : "3.3.7_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.7[b]", "class" : "sp800-171a" } ], "prose" : "an authoritative source with which to compare and synchronize internal system clocks is specified." }, { "id" : "3.3.7_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.7[c]", "class" : "sp800-171a" } ], "prose" : "internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source." } ] } ] }, { "id" : "3.3.8", "class" : "SP800-171", "title" : "Protect audit information and audit logging tools from unauthorized access, modification, and deletion.", "props" : [ { "name" : "label", "value" : "3.3.8" }, { "name" : "label", "value" : "3.3.8", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.8" } ], "parts" : [ { "id" : "3.3.8_smt", "name" : "statement", "prose" : "Protect audit information and audit logging tools from unauthorized access, modification, and deletion." }, { "id" : "3.3.8_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.8", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.8_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.8[a]", "class" : "sp800-171a" } ], "prose" : "audit information is protected from unauthorized access." 
}, { "id" : "3.3.8_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.8[b]", "class" : "sp800-171a" } ], "prose" : "audit information is protected from unauthorized modification." }, { "id" : "3.3.8_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.8[c]", "class" : "sp800-171a" } ], "prose" : "audit information is protected from unauthorized deletion." }, { "id" : "3.3.8_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.8[d]", "class" : "sp800-171a" } ], "prose" : "audit logging tools are protected from unauthorized access." }, { "id" : "3.3.8_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.8[e]", "class" : "sp800-171a" } ], "prose" : "audit logging tools are protected from unauthorized modification." }, { "id" : "3.3.8_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.8[f]", "class" : "sp800-171a" } ], "prose" : "audit logging tools are protected from unauthorized deletion." } ] } ] }, { "id" : "3.3.9", "class" : "SP800-171", "title" : "Limit management of audit logging functionality to a subset of privileged users.", "props" : [ { "name" : "label", "value" : "3.3.9" }, { "name" : "label", "value" : "3.3.9", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.3.9" } ], "parts" : [ { "id" : "3.3.9_smt", "name" : "statement", "prose" : "Limit management of audit logging functionality to a subset of privileged users." }, { "id" : "3.3.9_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.9", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.3.9_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.9[a]", "class" : "sp800-171a" } ], "prose" : "a subset of privileged users granted access to manage audit logging functionality is defined." 
}, { "id" : "3.3.9_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.3.9[b]", "class" : "sp800-171a" } ], "prose" : "management of audit logging functionality is limited to the defined subset of privileged users." } ] } ] } ] }, { "id" : "3.4", "class" : "family", "title" : "Configuration Management", "controls" : [ { "id" : "3.4.1", "class" : "SP800-171", "title" : "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.", "props" : [ { "name" : "label", "value" : "3.4.1" }, { "name" : "label", "value" : "3.4.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.1" } ], "parts" : [ { "id" : "3.4.1_smt", "name" : "statement", "prose" : "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles." }, { "id" : "3.4.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.1[a]", "class" : "sp800-171a" } ], "prose" : "a baseline configuration is established." }, { "id" : "3.4.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.1[b]", "class" : "sp800-171a" } ], "prose" : "the baseline configuration includes hardware, software, firmware, and documentation." }, { "id" : "3.4.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.1[c]", "class" : "sp800-171a" } ], "prose" : "the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle." 
}, { "id" : "3.4.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.1[d]", "class" : "sp800-171a" } ], "prose" : "a system inventory is established." }, { "id" : "3.4.1_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.1[e]", "class" : "sp800-171a" } ], "prose" : "the system inventory includes hardware, software, firmware, and documentation." }, { "id" : "3.4.1_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.1[f]", "class" : "sp800-171a" } ], "prose" : "the inventory is maintained (reviewed and updated) throughout the system development life cycle." } ] } ] }, { "id" : "3.4.2", "class" : "SP800-171", "title" : "Establish and enforce security configuration settings for information technology products employed in organizational systems.", "props" : [ { "name" : "label", "value" : "3.4.2" }, { "name" : "label", "value" : "3.4.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.2" } ], "parts" : [ { "id" : "3.4.2_smt", "name" : "statement", "prose" : "Establish and enforce security configuration settings for information technology products employed in organizational systems." }, { "id" : "3.4.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.2[a]", "class" : "sp800-171a" } ], "prose" : "security configuration settings for information technology products employed in the system are established and included in the baseline configuration." }, { "id" : "3.4.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.2[b]", "class" : "sp800-171a" } ], "prose" : "security configuration settings for information technology products employed in the system are enforced." 
} ] } ] }, { "id" : "3.4.3", "class" : "SP800-171", "title" : "Track, review, approve or disapprove, and log changes to organizational systems.", "props" : [ { "name" : "label", "value" : "3.4.3" }, { "name" : "label", "value" : "3.4.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.3" } ], "parts" : [ { "id" : "3.4.3_smt", "name" : "statement", "prose" : "Track, review, approve or disapprove, and log changes to organizational systems." }, { "id" : "3.4.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.3[a]", "class" : "sp800-171a" } ], "prose" : "changes to the system are tracked." }, { "id" : "3.4.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.3[b]", "class" : "sp800-171a" } ], "prose" : "changes to the system are reviewed." }, { "id" : "3.4.3_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.3[c]", "class" : "sp800-171a" } ], "prose" : "changes to the system are approved or disapproved." }, { "id" : "3.4.3_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.3[d]", "class" : "sp800-171a" } ], "prose" : "changes to the system are logged." } ] } ] }, { "id" : "3.4.4", "class" : "SP800-171", "title" : "Analyze the security impact of changes prior to implementation.", "props" : [ { "name" : "label", "value" : "3.4.4" }, { "name" : "label", "value" : "3.4.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.4" } ], "parts" : [ { "id" : "3.4.4_smt", "name" : "statement", "prose" : "Analyze the security impact of changes prior to implementation." 
}, { "id" : "3.4.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.4_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.4[a]", "class" : "sp800-171a" } ], "prose" : "the security impact of changes to the system is analyzed prior to implementation." } ] } ] }, { "id" : "3.4.5", "class" : "SP800-171", "title" : "Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.", "props" : [ { "name" : "label", "value" : "3.4.5" }, { "name" : "label", "value" : "3.4.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.5" } ], "parts" : [ { "id" : "3.4.5_smt", "name" : "statement", "prose" : "Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems." }, { "id" : "3.4.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[a]", "class" : "sp800-171a" } ], "prose" : "physical access restrictions associated with changes to the system are defined." }, { "id" : "3.4.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[b]", "class" : "sp800-171a" } ], "prose" : "physical access restrictions associated with changes to the system are documented." }, { "id" : "3.4.5_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[c]", "class" : "sp800-171a" } ], "prose" : "physical access restrictions associated with changes to the system are approved."
}, { "id" : "3.4.5_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[d]", "class" : "sp800-171a" } ], "prose" : "physical access restrictions associated with changes to the system are enforced." }, { "id" : "3.4.5_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[e]", "class" : "sp800-171a" } ], "prose" : "logical access restrictions associated with changes to the system are defined." }, { "id" : "3.4.5_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[f]", "class" : "sp800-171a" } ], "prose" : "logical access restrictions associated with changes to the system are documented." }, { "id" : "3.4.5_obj.g", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[g]", "class" : "sp800-171a" } ], "prose" : "logical access restrictions associated with changes to the system are approved." }, { "id" : "3.4.5_obj.h", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.5[h]", "class" : "sp800-171a" } ], "prose" : "logical access restrictions associated with changes to the system are enforced." } ] } ] }, { "id" : "3.4.6", "class" : "SP800-171", "title" : "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.", "props" : [ { "name" : "label", "value" : "3.4.6" }, { "name" : "label", "value" : "3.4.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.6" } ], "parts" : [ { "id" : "3.4.6_smt", "name" : "statement", "prose" : "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities." 
}, { "id" : "3.4.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.6_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.6[a]", "class" : "sp800-171a" } ], "prose" : "essential system capabilities are defined based on the principle of least functionality." }, { "id" : "3.4.6_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.6[b]", "class" : "sp800-171a" } ], "prose" : "the system is configured to provide only the defined essential capabilities." } ] } ] }, { "id" : "3.4.7", "class" : "SP800-171", "title" : "Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.", "props" : [ { "name" : "label", "value" : "3.4.7" }, { "name" : "label", "value" : "3.4.7", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.7" } ], "parts" : [ { "id" : "3.4.7_smt", "name" : "statement", "prose" : "Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services." }, { "id" : "3.4.7_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.7_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[a]", "class" : "sp800-171a" } ], "prose" : "essential programs are defined." }, { "id" : "3.4.7_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[b]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential programs is defined." }, { "id" : "3.4.7_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[c]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential programs is restricted, disabled, or prevented as defined." 
}, { "id" : "3.4.7_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[d]", "class" : "sp800-171a" } ], "prose" : "essential functions are defined." }, { "id" : "3.4.7_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[e]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential functions is defined." }, { "id" : "3.4.7_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[f]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential functions is restricted, disabled, or prevented as defined." }, { "id" : "3.4.7_obj.g", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[g]", "class" : "sp800-171a" } ], "prose" : "essential ports are defined." }, { "id" : "3.4.7_obj.h", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[h]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential ports is defined." }, { "id" : "3.4.7_obj.i", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[i]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential ports is restricted, disabled, or prevented as defined." }, { "id" : "3.4.7_obj.j", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[j]", "class" : "sp800-171a" } ], "prose" : "essential protocols are defined." }, { "id" : "3.4.7_obj.k", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[k]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential protocols is defined." }, { "id" : "3.4.7_obj.l", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[l]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential protocols is restricted, disabled, or prevented as defined." 
}, { "id" : "3.4.7_obj.m", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[m]", "class" : "sp800-171a" } ], "prose" : "essential services are defined." }, { "id" : "3.4.7_obj.n", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[n]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential services is defined." }, { "id" : "3.4.7_obj.o", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.7[o]", "class" : "sp800-171a" } ], "prose" : "the use of nonessential services is restricted, disabled, or prevented as defined." } ] } ] }, { "id" : "3.4.8", "class" : "SP800-171", "title" : "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.", "props" : [ { "name" : "label", "value" : "3.4.8" }, { "name" : "label", "value" : "3.4.8", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.8" } ], "parts" : [ { "id" : "3.4.8_smt", "name" : "statement", "prose" : "Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software." }, { "id" : "3.4.8_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.8", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.8_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.8[a]", "class" : "sp800-171a" } ], "prose" : "a policy specifying whether whitelisting or blacklisting is to be implemented is specified." }, { "id" : "3.4.8_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.8[b]", "class" : "sp800-171a" } ], "prose" : "the software allowed to execute under whitelisting or denied use under blacklisting is specified." 
}, { "id" : "3.4.8_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.8[c]", "class" : "sp800-171a" } ], "prose" : "whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified." } ] } ] }, { "id" : "3.4.9", "class" : "SP800-171", "title" : "Control and monitor user-installed software.", "props" : [ { "name" : "label", "value" : "3.4.9" }, { "name" : "label", "value" : "3.4.9", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.4.9" } ], "parts" : [ { "id" : "3.4.9_smt", "name" : "statement", "prose" : "Control and monitor user-installed software." }, { "id" : "3.4.9_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.9", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.4.9_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.9[a]", "class" : "sp800-171a" } ], "prose" : "a policy for controlling the installation of software by users is established." }, { "id" : "3.4.9_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.9[b]", "class" : "sp800-171a" } ], "prose" : "installation of software by users is controlled based on the established policy." }, { "id" : "3.4.9_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.4.9[c]", "class" : "sp800-171a" } ], "prose" : "installation of software by users is monitored." 
} ] } ] } ] }, { "id" : "3.5", "class" : "family", "title" : "Identification and Authentication", "controls" : [ { "id" : "3.5.1", "class" : "SP800-171", "title" : "Identify system users, processes acting on behalf of users, and devices.", "props" : [ { "name" : "label", "value" : "3.5.1" }, { "name" : "label", "value" : "3.5.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.1" } ], "parts" : [ { "id" : "3.5.1_smt", "name" : "statement", "prose" : "Identify system users, processes acting on behalf of users, and devices." }, { "id" : "3.5.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.1[a]", "class" : "sp800-171a" } ], "prose" : "system users are identified." }, { "id" : "3.5.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.1[b]", "class" : "sp800-171a" } ], "prose" : "processes acting on behalf of users are identified." }, { "id" : "3.5.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.1[c]", "class" : "sp800-171a" } ], "prose" : "devices accessing the system are identified." } ] } ] }, { "id" : "3.5.2", "class" : "SP800-171", "title" : "Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.", "props" : [ { "name" : "label", "value" : "3.5.2" }, { "name" : "label", "value" : "3.5.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.2" } ], "parts" : [ { "id" : "3.5.2_smt", "name" : "statement", "prose" : "Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems." 
}, { "id" : "3.5.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.2[a]", "class" : "sp800-171a" } ], "prose" : "the identity of each user is authenticated or verified as a prerequisite to system access." }, { "id" : "3.5.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.2[b]", "class" : "sp800-171a" } ], "prose" : "the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access." }, { "id" : "3.5.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.2[c]", "class" : "sp800-171a" } ], "prose" : "the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access." } ] } ] }, { "id" : "3.5.3", "class" : "SP800-171", "title" : "Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts.", "props" : [ { "name" : "label", "value" : "3.5.3" }, { "name" : "label", "value" : "3.5.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.3" } ], "parts" : [ { "id" : "3.5.3_smt", "name" : "statement", "prose" : "Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts." }, { "id" : "3.5.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.3[a]", "class" : "sp800-171a" } ], "prose" : "privileged accounts are identified."
}, { "id" : "3.5.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.3[b]", "class" : "sp800-171a" } ], "prose" : "multifactor authentication is implemented for local access to privileged accounts." }, { "id" : "3.5.3_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.3[c]", "class" : "sp800-171a" } ], "prose" : "multifactor authentication is implemented for network access to privileged accounts." }, { "id" : "3.5.3_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.3[d]", "class" : "sp800-171a" } ], "prose" : "multifactor authentication is implemented for network access to non-privileged accounts." } ] } ] }, { "id" : "3.5.4", "class" : "SP800-171", "title" : "Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.", "props" : [ { "name" : "label", "value" : "3.5.4" }, { "name" : "label", "value" : "3.5.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.4" } ], "parts" : [ { "id" : "3.5.4_smt", "name" : "statement", "prose" : "Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts." }, { "id" : "3.5.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.4_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.4[D]", "class" : "sp800-171a" } ], "prose" : "Determine if replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts."
} ] } ] }, { "id" : "3.5.5", "class" : "SP800-171", "title" : "Prevent reuse of identifiers for a defined period.", "props" : [ { "name" : "label", "value" : "3.5.5" }, { "name" : "label", "value" : "3.5.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.5" } ], "parts" : [ { "id" : "3.5.5_smt", "name" : "statement", "prose" : "Prevent reuse of identifiers for a defined period." }, { "id" : "3.5.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.5[a]", "class" : "sp800-171a" } ], "prose" : "a period within which identifiers cannot be reused is defined." }, { "id" : "3.5.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.5[b]", "class" : "sp800-171a" } ], "prose" : "reuse of identifiers is prevented within the defined period." } ] } ] }, { "id" : "3.5.6", "class" : "SP800-171", "title" : "Disable identifiers after a defined period of inactivity.", "props" : [ { "name" : "label", "value" : "3.5.6" }, { "name" : "label", "value" : "3.5.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.6" } ], "parts" : [ { "id" : "3.5.6_smt", "name" : "statement", "prose" : "Disable identifiers after a defined period of inactivity." }, { "id" : "3.5.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.6_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.6[a]", "class" : "sp800-171a" } ], "prose" : "a period of inactivity after which an identifier is disabled is defined." }, { "id" : "3.5.6_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.6[b]", "class" : "sp800-171a" } ], "prose" : "identifiers are disabled after the defined period of inactivity." 
} ] } ] }, { "id" : "3.5.7", "class" : "SP800-171", "title" : "Enforce a minimum password complexity and change of characters when new passwords are created.", "props" : [ { "name" : "label", "value" : "3.5.7" }, { "name" : "label", "value" : "3.5.7", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.7" } ], "parts" : [ { "id" : "3.5.7_smt", "name" : "statement", "prose" : "Enforce a minimum password complexity and change of characters when new passwords are created." }, { "id" : "3.5.7_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.7", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.7_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.7[a]", "class" : "sp800-171a" } ], "prose" : "password complexity requirements are defined." }, { "id" : "3.5.7_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.7[b]", "class" : "sp800-171a" } ], "prose" : "password change of character requirements are defined." }, { "id" : "3.5.7_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.7[c]", "class" : "sp800-171a" } ], "prose" : "minimum password complexity requirements as defined are enforced when new passwords are created." }, { "id" : "3.5.7_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.7[d]", "class" : "sp800-171a" } ], "prose" : "minimum password change of character requirements as defined are enforced when new passwords are created." } ] } ] }, { "id" : "3.5.8", "class" : "SP800-171", "title" : "Prohibit password reuse for a specified number of generations.", "props" : [ { "name" : "label", "value" : "3.5.8" }, { "name" : "label", "value" : "3.5.8", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.8" } ], "parts" : [ { "id" : "3.5.8_smt", "name" : "statement", "prose" : "Prohibit password reuse for a specified number of generations." 
}, { "id" : "3.5.8_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.8", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.8_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.8[a]", "class" : "sp800-171a" } ], "prose" : "the number of generations during which a password cannot be reused is specified." }, { "id" : "3.5.8_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.8[b]", "class" : "sp800-171a" } ], "prose" : "reuse of passwords is prohibited during the specified number of generations." } ] } ] }, { "id" : "3.5.9", "class" : "SP800-171", "title" : "Allow temporary password use for system logons with an immediate change to a permanent password.", "props" : [ { "name" : "label", "value" : "3.5.9" }, { "name" : "label", "value" : "3.5.9", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.9" } ], "parts" : [ { "id" : "3.5.9_smt", "name" : "statement", "prose" : "Allow temporary password use for system logons with an immediate change to a permanent password." }, { "id" : "3.5.9_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.9", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.9_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.9[D]", "class" : "sp800-171a" } ], "prose" : "Determine if an immediate change to a permanent password is required when a temporary password is used for system logon." } ] } ] }, { "id" : "3.5.10", "class" : "SP800-171", "title" : "Store and transmit only cryptographically-protected passwords.", "props" : [ { "name" : "label", "value" : "3.5.10" }, { "name" : "label", "value" : "3.5.10", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.10" } ], "parts" : [ { "id" : "3.5.10_smt", "name" : "statement", "prose" : "Store and transmit only cryptographically-protected passwords."
}, { "id" : "3.5.10_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.10", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.10_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.10[a]", "class" : "sp800-171a" } ], "prose" : "passwords are cryptographically protected in storage." }, { "id" : "3.5.10_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.10[b]", "class" : "sp800-171a" } ], "prose" : "passwords are cryptographically protected in transit." } ] } ] }, { "id" : "3.5.11", "class" : "SP800-171", "title" : "Obscure feedback of authentication information.", "props" : [ { "name" : "label", "value" : "3.5.11" }, { "name" : "label", "value" : "3.5.11", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.5.11" } ], "parts" : [ { "id" : "3.5.11_smt", "name" : "statement", "prose" : "Obscure feedback of authentication information." }, { "id" : "3.5.11_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.11", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.5.11_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.5.11[D]", "class" : "sp800-171a" } ], "prose" : "Determine if authentication information is obscured during the authentication process."
} ] } ] } ] }, { "id" : "3.6", "class" : "family", "title" : "Incident Response", "controls" : [ { "id" : "3.6.1", "class" : "SP800-171", "title" : "Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.", "props" : [ { "name" : "label", "value" : "3.6.1" }, { "name" : "label", "value" : "3.6.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.6.1" } ], "parts" : [ { "id" : "3.6.1_smt", "name" : "statement", "prose" : "Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities." }, { "id" : "3.6.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.6.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1[a]", "class" : "sp800-171a" } ], "prose" : "an operational incident-handling capability is established." }, { "id" : "3.6.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1[b]", "class" : "sp800-171a" } ], "prose" : "the operational incident-handling capability includes preparation." }, { "id" : "3.6.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1[c]", "class" : "sp800-171a" } ], "prose" : "the operational incident-handling capability includes detection." }, { "id" : "3.6.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1[d]", "class" : "sp800-171a" } ], "prose" : "the operational incident-handling capability includes analysis." }, { "id" : "3.6.1_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1[e]", "class" : "sp800-171a" } ], "prose" : "the operational incident-handling capability includes containment." 
}, { "id" : "3.6.1_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1[f]", "class" : "sp800-171a" } ], "prose" : "the operational incident-handling capability includes recovery." }, { "id" : "3.6.1_obj.g", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.1[g]", "class" : "sp800-171a" } ], "prose" : "the operational incident-handling capability includes user response activities." } ] } ] }, { "id" : "3.6.2", "class" : "SP800-171", "title" : "Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.", "props" : [ { "name" : "label", "value" : "3.6.2" }, { "name" : "label", "value" : "3.6.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.6.2" } ], "parts" : [ { "id" : "3.6.2_smt", "name" : "statement", "prose" : "Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization." }, { "id" : "3.6.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.6.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.2[a]", "class" : "sp800-171a" } ], "prose" : "incidents are tracked." }, { "id" : "3.6.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.2[b]", "class" : "sp800-171a" } ], "prose" : "incidents are documented." }, { "id" : "3.6.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.2[c]", "class" : "sp800-171a" } ], "prose" : "authorities to whom incidents are to be reported are identified." }, { "id" : "3.6.2_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.2[d]", "class" : "sp800-171a" } ], "prose" : "organizational officials to whom incidents are to be reported are identified." 
}, { "id" : "3.6.2_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.2[e]", "class" : "sp800-171a" } ], "prose" : "identified authorities are notified of incidents." }, { "id" : "3.6.2_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.2[f]", "class" : "sp800-171a" } ], "prose" : "identified organizational officials are notified of incidents." } ] } ] }, { "id" : "3.6.3", "class" : "SP800-171", "title" : "Test the organizational incident response capability.", "props" : [ { "name" : "label", "value" : "3.6.3" }, { "name" : "label", "value" : "3.6.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.6.3" } ], "parts" : [ { "id" : "3.6.3_smt", "name" : "statement", "prose" : "Test the organizational incident response capability." }, { "id" : "3.6.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.6.3_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.6.3[D]", "class" : "sp800-171a" } ], "prose" : "Determine if the incident response capability is tested." } ] } ] } ] }, { "id" : "3.7", "class" : "family", "title" : "Maintenance", "controls" : [ { "id" : "3.7.1", "class" : "SP800-171", "title" : "Perform maintenance on organizational systems.", "props" : [ { "name" : "label", "value" : "3.7.1" }, { "name" : "label", "value" : "3.7.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.7.1" } ], "parts" : [ { "id" : "3.7.1_smt", "name" : "statement", "prose" : "Perform maintenance on organizational systems." }, { "id" : "3.7.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.7.1_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.1[D]", "class" : "sp800-171a" } ], "prose" : "Determine if system maintenance is performed."
} ] } ] }, { "id" : "3.7.2", "class" : "SP800-171", "title" : "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.", "props" : [ { "name" : "label", "value" : "3.7.2" }, { "name" : "label", "value" : "3.7.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.7.2" } ], "parts" : [ { "id" : "3.7.2_smt", "name" : "statement", "prose" : "Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance." }, { "id" : "3.7.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.7.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.2[a]", "class" : "sp800-171a" } ], "prose" : "tools used to conduct system maintenance are controlled." }, { "id" : "3.7.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.2[b]", "class" : "sp800-171a" } ], "prose" : "techniques used to conduct system maintenance are controlled." }, { "id" : "3.7.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.2[c]", "class" : "sp800-171a" } ], "prose" : "mechanisms used to conduct system maintenance are controlled." }, { "id" : "3.7.2_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.2[d]", "class" : "sp800-171a" } ], "prose" : "personnel used to conduct system maintenance are controlled." } ] } ] }, { "id" : "3.7.3", "class" : "SP800-171", "title" : "Ensure equipment removed for off-site maintenance is sanitized of any CUI.", "props" : [ { "name" : "label", "value" : "3.7.3" }, { "name" : "label", "value" : "3.7.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.7.3" } ], "parts" : [ { "id" : "3.7.3_smt", "name" : "statement", "prose" : "Ensure equipment removed for off-site maintenance is sanitized of any CUI." 
}, { "id" : "3.7.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.7.3_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.3[D]", "class" : "sp800-171a" } ], "prose" : "Determine if equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI." } ] } ] }, { "id" : "3.7.4", "class" : "SP800-171", "title" : "Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.", "props" : [ { "name" : "label", "value" : "3.7.4" }, { "name" : "label", "value" : "3.7.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.7.4" } ], "parts" : [ { "id" : "3.7.4_smt", "name" : "statement", "prose" : "Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems." }, { "id" : "3.7.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.7.4_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.4[D]", "class" : "sp800-171a" } ], "prose" : "Determine if media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI."
} ] } ] }, { "id" : "3.7.5", "class" : "SP800-171", "title" : "Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.", "props" : [ { "name" : "label", "value" : "3.7.5" }, { "name" : "label", "value" : "3.7.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.7.5" } ], "parts" : [ { "id" : "3.7.5_smt", "name" : "statement", "prose" : "Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete." }, { "id" : "3.7.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.7.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.5[a]", "class" : "sp800-171a" } ], "prose" : "multifactor authentication is used to establish nonlocal maintenance sessions via external network connections." }, { "id" : "3.7.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.5[b]", "class" : "sp800-171a" } ], "prose" : "nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete." } ] } ] }, { "id" : "3.7.6", "class" : "SP800-171", "title" : "Supervise the maintenance activities of maintenance personnel without required access authorization.", "props" : [ { "name" : "label", "value" : "3.7.6" }, { "name" : "label", "value" : "3.7.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.7.6" } ], "parts" : [ { "id" : "3.7.6_smt", "name" : "statement", "prose" : "Supervise the maintenance activities of maintenance personnel without required access authorization." 
}, { "id" : "3.7.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.7.6_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.7.6[D]", "class" : "sp800-171a" } ], "prose" : "Determine if maintenance personnel without required access authorization are supervised during maintenance activities." } ] } ] } ] }, { "id" : "3.8", "class" : "family", "title" : "Media Protection", "controls" : [ { "id" : "3.8.1", "class" : "SP800-171", "title" : "Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.", "props" : [ { "name" : "label", "value" : "3.8.1" }, { "name" : "label", "value" : "3.8.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.1" } ], "parts" : [ { "id" : "3.8.1_smt", "name" : "statement", "prose" : "Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital." }, { "id" : "3.8.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.1[a]", "class" : "sp800-171a" } ], "prose" : "paper media containing CUI is physically controlled." }, { "id" : "3.8.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.1[b]", "class" : "sp800-171a" } ], "prose" : "digital media containing CUI is physically controlled." }, { "id" : "3.8.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.1[c]", "class" : "sp800-171a" } ], "prose" : "paper media containing CUI is securely stored." }, { "id" : "3.8.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.1[d]", "class" : "sp800-171a" } ], "prose" : "digital media containing CUI is securely stored."
} ] } ] }, { "id" : "3.8.2", "class" : "SP800-171", "title" : "Limit access to CUI on system media to authorized users.", "props" : [ { "name" : "label", "value" : "3.8.2" }, { "name" : "label", "value" : "3.8.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.2" } ], "parts" : [ { "id" : "3.8.2_smt", "name" : "statement", "prose" : "Limit access to CUI on system media to authorized users." }, { "id" : "3.8.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.2_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.2[D]", "class" : "sp800-171a" } ], "prose" : "Determine if access to CUI on system media is limited to authorized users." } ] } ] }, { "id" : "3.8.3", "class" : "SP800-171", "title" : "Sanitize or destroy system media containing CUI before disposal or release for reuse.", "props" : [ { "name" : "label", "value" : "3.8.3" }, { "name" : "label", "value" : "3.8.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.3" } ], "parts" : [ { "id" : "3.8.3_smt", "name" : "statement", "prose" : "Sanitize or destroy system media containing CUI before disposal or release for reuse." }, { "id" : "3.8.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.3[a]", "class" : "sp800-171a" } ], "prose" : "system media containing CUI is sanitized or destroyed before disposal." }, { "id" : "3.8.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.3[b]", "class" : "sp800-171a" } ], "prose" : "system media containing CUI is sanitized before it is released for reuse."
} ] } ] }, { "id" : "3.8.4", "class" : "SP800-171", "title" : "Mark media with necessary CUI markings and distribution limitations.", "props" : [ { "name" : "label", "value" : "3.8.4" }, { "name" : "label", "value" : "3.8.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.4" } ], "parts" : [ { "id" : "3.8.4_smt", "name" : "statement", "prose" : "Mark media with necessary CUI markings and distribution limitations." }, { "id" : "3.8.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.4_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.4[a]", "class" : "sp800-171a" } ], "prose" : "media containing CUI is marked with applicable CUI markings." }, { "id" : "3.8.4_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.4[b]", "class" : "sp800-171a" } ], "prose" : "media containing CUI is marked with distribution limitations." } ] } ] }, { "id" : "3.8.5", "class" : "SP800-171", "title" : "Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.", "props" : [ { "name" : "label", "value" : "3.8.5" }, { "name" : "label", "value" : "3.8.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.5" } ], "parts" : [ { "id" : "3.8.5_smt", "name" : "statement", "prose" : "Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas." }, { "id" : "3.8.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.5[a]", "class" : "sp800-171a" } ], "prose" : "access to media containing CUI is controlled." 
}, { "id" : "3.8.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.5[b]", "class" : "sp800-171a" } ], "prose" : "accountability for media containing CUI is maintained during transport outside of controlled areas." } ] } ] }, { "id" : "3.8.6", "class" : "SP800-171", "title" : "Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.", "props" : [ { "name" : "label", "value" : "3.8.6" }, { "name" : "label", "value" : "3.8.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.6" } ], "parts" : [ { "id" : "3.8.6_smt", "name" : "statement", "prose" : "Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards." }, { "id" : "3.8.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.6_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.6[D]", "class" : "sp800-171a" } ], "prose" : "Determine if the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards." } ] } ] }, { "id" : "3.8.7", "class" : "SP800-171", "title" : "Control the use of removable media on system components.", "props" : [ { "name" : "label", "value" : "3.8.7" }, { "name" : "label", "value" : "3.8.7", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.7" } ], "parts" : [ { "id" : "3.8.7_smt", "name" : "statement", "prose" : "Control the use of removable media on system components."
}, { "id" : "3.8.7_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.7", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.7_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.7[D]", "class" : "sp800-171a" } ], "prose" : "Determine if the use of removable media on system components is controlled." } ] } ] }, { "id" : "3.8.8", "class" : "SP800-171", "title" : "Prohibit the use of portable storage devices when such devices have no identifiable owner.", "props" : [ { "name" : "label", "value" : "3.8.8" }, { "name" : "label", "value" : "3.8.8", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.8" } ], "parts" : [ { "id" : "3.8.8_smt", "name" : "statement", "prose" : "Prohibit the use of portable storage devices when such devices have no identifiable owner." }, { "id" : "3.8.8_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.8", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.8_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.8[D]", "class" : "sp800-171a" } ], "prose" : "Determine if the use of portable storage devices is prohibited when such devices have no identifiable owner." } ] } ] }, { "id" : "3.8.9", "class" : "SP800-171", "title" : "Protect the confidentiality of backup CUI at storage locations.", "props" : [ { "name" : "label", "value" : "3.8.9" }, { "name" : "label", "value" : "3.8.9", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.8.9" } ], "parts" : [ { "id" : "3.8.9_smt", "name" : "statement", "prose" : "Protect the confidentiality of backup CUI at storage locations."
}, { "id" : "3.8.9_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.9", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.8.9_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.8.9[D]", "class" : "sp800-171a" } ], "prose" : "Determine if the confidentiality of backup CUI is protected at storage locations." } ] } ] } ] }, { "id" : "3.9", "class" : "family", "title" : "Personnel Security", "controls" : [ { "id" : "3.9.1", "class" : "SP800-171", "title" : "Screen individuals prior to authorizing access to organizational systems containing CUI.", "props" : [ { "name" : "label", "value" : "3.9.1" }, { "name" : "label", "value" : "3.9.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.9.1" } ], "parts" : [ { "id" : "3.9.1_smt", "name" : "statement", "prose" : "Screen individuals prior to authorizing access to organizational systems containing CUI." }, { "id" : "3.9.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.9.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.9.1_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.9.1[D]", "class" : "sp800-171a" } ], "prose" : "Determine if individuals are screened prior to authorizing access to organizational systems containing CUI." } ] } ] }, { "id" : "3.9.2", "class" : "SP800-171", "title" : "Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.", "props" : [ { "name" : "label", "value" : "3.9.2" }, { "name" : "label", "value" : "3.9.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.9.2" } ], "parts" : [ { "id" : "3.9.2_smt", "name" : "statement", "prose" : "Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers."
}, { "id" : "3.9.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.9.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.9.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.9.2[a]", "class" : "sp800-171a" } ], "prose" : "a policy and/or process for terminating system access and any credentials coincident with personnel actions is established." }, { "id" : "3.9.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.9.2[b]", "class" : "sp800-171a" } ], "prose" : "system access and credentials are terminated consistent with personnel actions such as termination or transfer." }, { "id" : "3.9.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.9.2[c]", "class" : "sp800-171a" } ], "prose" : "the system is protected during and after personnel transfer actions." } ] } ] } ] }, { "id" : "3.10", "class" : "family", "title" : "Physical Protection", "controls" : [ { "id" : "3.10.1", "class" : "SP800-171", "title" : "Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.", "props" : [ { "name" : "label", "value" : "3.10.1" }, { "name" : "label", "value" : "3.10.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.10.1" } ], "parts" : [ { "id" : "3.10.1_smt", "name" : "statement", "prose" : "Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals." }, { "id" : "3.10.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.10.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.1[a]", "class" : "sp800-171a" } ], "prose" : "authorized individuals allowed physical access are identified." 
}, { "id" : "3.10.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.1[b]", "class" : "sp800-171a" } ], "prose" : "physical access to organizational systems is limited to authorized individuals." }, { "id" : "3.10.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.1[c]", "class" : "sp800-171a" } ], "prose" : "physical access to equipment is limited to authorized individuals." }, { "id" : "3.10.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.1[d]", "class" : "sp800-171a" } ], "prose" : "physical access to operating environments is limited to authorized individuals." } ] } ] }, { "id" : "3.10.2", "class" : "SP800-171", "title" : "Protect and monitor the physical facility and support infrastructure for organizational systems.", "props" : [ { "name" : "label", "value" : "3.10.2" }, { "name" : "label", "value" : "3.10.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.10.2" } ], "parts" : [ { "id" : "3.10.2_smt", "name" : "statement", "prose" : "Protect and monitor the physical facility and support infrastructure for organizational systems." }, { "id" : "3.10.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.10.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.2[a]", "class" : "sp800-171a" } ], "prose" : "the physical facility where organizational systems reside is protected." }, { "id" : "3.10.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.2[b]", "class" : "sp800-171a" } ], "prose" : "the support infrastructure for organizational systems is protected." 
}, { "id" : "3.10.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.2[c]", "class" : "sp800-171a" } ], "prose" : "the physical facility where organizational systems reside is monitored." }, { "id" : "3.10.2_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.2[d]", "class" : "sp800-171a" } ], "prose" : "the support infrastructure for organizational systems is monitored." } ] } ] }, { "id" : "3.10.3", "class" : "SP800-171", "title" : "Escort visitors and monitor visitor activity.", "props" : [ { "name" : "label", "value" : "3.10.3" }, { "name" : "label", "value" : "3.10.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.10.3" } ], "parts" : [ { "id" : "3.10.3_smt", "name" : "statement", "prose" : "Escort visitors and monitor visitor activity." }, { "id" : "3.10.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.10.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.3[a]", "class" : "sp800-171a" } ], "prose" : "visitors are escorted." }, { "id" : "3.10.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.3[b]", "class" : "sp800-171a" } ], "prose" : "visitor activity is monitored." } ] } ] }, { "id" : "3.10.4", "class" : "SP800-171", "title" : "Maintain audit logs of physical access.", "props" : [ { "name" : "label", "value" : "3.10.4" }, { "name" : "label", "value" : "3.10.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.10.4" } ], "parts" : [ { "id" : "3.10.4_smt", "name" : "statement", "prose" : "Maintain audit logs of physical access." 
}, { "id" : "3.10.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.10.4_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.4[D]", "class" : "sp800-171a" } ], "prose" : "Determine if audit logs of physical access are maintained." } ] } ] }, { "id" : "3.10.5", "class" : "SP800-171", "title" : "Control and manage physical access devices.", "props" : [ { "name" : "label", "value" : "3.10.5" }, { "name" : "label", "value" : "3.10.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.10.5" } ], "parts" : [ { "id" : "3.10.5_smt", "name" : "statement", "prose" : "Control and manage physical access devices." }, { "id" : "3.10.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.10.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.5[a]", "class" : "sp800-171a" } ], "prose" : "physical access devices are identified." }, { "id" : "3.10.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.5[b]", "class" : "sp800-171a" } ], "prose" : "physical access devices are controlled." }, { "id" : "3.10.5_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.5[c]", "class" : "sp800-171a" } ], "prose" : "physical access devices are managed." } ] } ] }, { "id" : "3.10.6", "class" : "SP800-171", "title" : "Enforce safeguarding measures for CUI at alternate work sites.", "props" : [ { "name" : "label", "value" : "3.10.6" }, { "name" : "label", "value" : "3.10.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.10.6" } ], "parts" : [ { "id" : "3.10.6_smt", "name" : "statement", "prose" : "Enforce safeguarding measures for CUI at alternate work sites."
}, { "id" : "3.10.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.10.6_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.6[a]", "class" : "sp800-171a" } ], "prose" : "safeguarding measures for CUI are defined for alternate work sites." }, { "id" : "3.10.6_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.10.6[b]", "class" : "sp800-171a" } ], "prose" : "safeguarding measures for CUI are enforced for alternate work sites." } ] } ] } ] }, { "id" : "3.11", "class" : "family", "title" : "Risk Assessment", "controls" : [ { "id" : "3.11.1", "class" : "SP800-171", "title" : "Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.", "props" : [ { "name" : "label", "value" : "3.11.1" }, { "name" : "label", "value" : "3.11.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.11.1" } ], "parts" : [ { "id" : "3.11.1_smt", "name" : "statement", "prose" : "Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI." }, { "id" : "3.11.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.11.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.1[a]", "class" : "sp800-171a" } ], "prose" : "the frequency to assess risk to organizational operations, organizational assets, and individuals is defined." 
}, { "id" : "3.11.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.1[b]", "class" : "sp800-171a" } ], "prose" : "risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency." } ] } ] }, { "id" : "3.11.2", "class" : "SP800-171", "title" : "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.", "props" : [ { "name" : "label", "value" : "3.11.2" }, { "name" : "label", "value" : "3.11.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.11.2" } ], "parts" : [ { "id" : "3.11.2_smt", "name" : "statement", "prose" : "Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified." }, { "id" : "3.11.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.11.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.2[a]", "class" : "sp800-171a" } ], "prose" : "the frequency to scan for vulnerabilities in organizational systems and applications is defined." }, { "id" : "3.11.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.2[b]", "class" : "sp800-171a" } ], "prose" : "vulnerability scans are performed on organizational systems with the defined frequency." }, { "id" : "3.11.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.2[c]", "class" : "sp800-171a" } ], "prose" : "vulnerability scans are performed on applications with the defined frequency." 
}, { "id" : "3.11.2_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.2[d]", "class" : "sp800-171a" } ], "prose" : "vulnerability scans are performed on organizational systems when new vulnerabilities are identified." }, { "id" : "3.11.2_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.2[e]", "class" : "sp800-171a" } ], "prose" : "vulnerability scans are performed on applications when new vulnerabilities are identified." } ] } ] }, { "id" : "3.11.3", "class" : "SP800-171", "title" : "Remediate vulnerabilities in accordance with risk assessments.", "props" : [ { "name" : "label", "value" : "3.11.3" }, { "name" : "label", "value" : "3.11.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.11.3" } ], "parts" : [ { "id" : "3.11.3_smt", "name" : "statement", "prose" : "Remediate vulnerabilities in accordance with risk assessments." }, { "id" : "3.11.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.11.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.3[a]", "class" : "sp800-171a" } ], "prose" : "vulnerabilities are identified." }, { "id" : "3.11.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.11.3[b]", "class" : "sp800-171a" } ], "prose" : "vulnerabilities are remediated in accordance with risk assessments." 
} ] } ] } ] }, { "id" : "3.12", "class" : "family", "title" : "Security Assessment", "controls" : [ { "id" : "3.12.1", "class" : "SP800-171", "title" : "Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.", "props" : [ { "name" : "label", "value" : "3.12.1" }, { "name" : "label", "value" : "3.12.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.12.1" } ], "parts" : [ { "id" : "3.12.1_smt", "name" : "statement", "prose" : "Periodically assess the security controls in organizational systems to determine if the controls are effective in their application." }, { "id" : "3.12.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.12.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.1[a]", "class" : "sp800-171a" } ], "prose" : "the frequency of security control assessments is defined." }, { "id" : "3.12.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.1[b]", "class" : "sp800-171a" } ], "prose" : "security controls are assessed with the defined frequency to determine if the controls are effective in their application." } ] } ] }, { "id" : "3.12.2", "class" : "SP800-171", "title" : "Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.", "props" : [ { "name" : "label", "value" : "3.12.2" }, { "name" : "label", "value" : "3.12.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.12.2" } ], "parts" : [ { "id" : "3.12.2_smt", "name" : "statement", "prose" : "Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems." 
}, { "id" : "3.12.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.12.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.2[a]", "class" : "sp800-171a" } ], "prose" : "deficiencies and vulnerabilities to be addressed by the plan of action are identified." }, { "id" : "3.12.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.2[b]", "class" : "sp800-171a" } ], "prose" : "a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities." }, { "id" : "3.12.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.2[c]", "class" : "sp800-171a" } ], "prose" : "the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities." } ] } ] }, { "id" : "3.12.3", "class" : "SP800-171", "title" : "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.", "props" : [ { "name" : "label", "value" : "3.12.3" }, { "name" : "label", "value" : "3.12.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.12.3" } ], "parts" : [ { "id" : "3.12.3_smt", "name" : "statement", "prose" : "Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls." }, { "id" : "3.12.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.12.3_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.3[D]", "class" : "sp800-171a" } ], "prose" : "Determine if security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls."
} ] } ] }, { "id" : "3.12.4", "class" : "SP800-171", "title" : "Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.", "props" : [ { "name" : "label", "value" : "3.12.4" }, { "name" : "label", "value" : "3.12.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.12.4" } ], "parts" : [ { "id" : "3.12.4_smt", "name" : "statement", "prose" : "Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems." }, { "id" : "3.12.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.12.4_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[a]", "class" : "sp800-171a" } ], "prose" : "a system security plan is developed." }, { "id" : "3.12.4_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[b]", "class" : "sp800-171a" } ], "prose" : "the system boundary is described and documented in the system security plan." }, { "id" : "3.12.4_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[c]", "class" : "sp800-171a" } ], "prose" : "the system environment of operation is described and documented in the system security plan." }, { "id" : "3.12.4_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[d]", "class" : "sp800-171a" } ], "prose" : "the security requirements identified and approved by the designated authority as non-applicable are identified." 
}, { "id" : "3.12.4_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[e]", "class" : "sp800-171a" } ], "prose" : "the method of security requirement implementation is described and documented in the system security plan." }, { "id" : "3.12.4_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[f]", "class" : "sp800-171a" } ], "prose" : "the relationship with or connection to other systems is described and documented in the system security plan." }, { "id" : "3.12.4_obj.g", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[g]", "class" : "sp800-171a" } ], "prose" : "the frequency to update the system security plan is defined." }, { "id" : "3.12.4_obj.h", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.12.4[h]", "class" : "sp800-171a" } ], "prose" : "the system security plan is updated with the defined frequency." } ] } ] } ] }, { "id" : "3.13", "class" : "family", "title" : "System and Communications Protection", "controls" : [ { "id" : "3.13.1", "class" : "SP800-171", "title" : "Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.", "props" : [ { "name" : "label", "value" : "3.13.1" }, { "name" : "label", "value" : "3.13.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.1" } ], "parts" : [ { "id" : "3.13.1_smt", "name" : "statement", "prose" : "Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems."
}, { "id" : "3.13.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[a]", "class" : "sp800-171a" } ], "prose" : "the external system boundary is defined." }, { "id" : "3.13.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[b]", "class" : "sp800-171a" } ], "prose" : "key internal system boundaries are defined." }, { "id" : "3.13.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[c]", "class" : "sp800-171a" } ], "prose" : "communications are monitored at the external system boundary." }, { "id" : "3.13.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[d]", "class" : "sp800-171a" } ], "prose" : "communications are monitored at key internal boundaries." }, { "id" : "3.13.1_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[e]", "class" : "sp800-171a" } ], "prose" : "communications are controlled at the external system boundary." }, { "id" : "3.13.1_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[f]", "class" : "sp800-171a" } ], "prose" : "communications are controlled at key internal boundaries." }, { "id" : "3.13.1_obj.g", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[g]", "class" : "sp800-171a" } ], "prose" : "communications are protected at the external system boundary." }, { "id" : "3.13.1_obj.h", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.1[h]", "class" : "sp800-171a" } ], "prose" : "communications are protected at key internal boundaries." 
} ] } ] }, { "id" : "3.13.2", "class" : "SP800-171", "title" : "Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.", "props" : [ { "name" : "label", "value" : "3.13.2" }, { "name" : "label", "value" : "3.13.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.2" } ], "parts" : [ { "id" : "3.13.2_smt", "name" : "statement", "prose" : "Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems." }, { "id" : "3.13.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.2[a]", "class" : "sp800-171a" } ], "prose" : "architectural designs that promote effective information security are identified." }, { "id" : "3.13.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.2[b]", "class" : "sp800-171a" } ], "prose" : "software development techniques that promote effective information security are identified." }, { "id" : "3.13.2_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.2[c]", "class" : "sp800-171a" } ], "prose" : "systems engineering principles that promote effective information security are identified." }, { "id" : "3.13.2_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.2[d]", "class" : "sp800-171a" } ], "prose" : "identified architectural designs that promote effective information security are employed." 
}, { "id" : "3.13.2_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.2[e]", "class" : "sp800-171a" } ], "prose" : "identified software development techniques that promote effective information security are employed." }, { "id" : "3.13.2_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.2[f]", "class" : "sp800-171a" } ], "prose" : "identified systems engineering principles that promote effective information security are employed." } ] } ] }, { "id" : "3.13.3", "class" : "SP800-171", "title" : "Separate user functionality from system management functionality.", "props" : [ { "name" : "label", "value" : "3.13.3" }, { "name" : "label", "value" : "3.13.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.3" } ], "parts" : [ { "id" : "3.13.3_smt", "name" : "statement", "prose" : "Separate user functionality from system management functionality." }, { "id" : "3.13.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.3[a]", "class" : "sp800-171a" } ], "prose" : "user functionality is identified." }, { "id" : "3.13.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.3[b]", "class" : "sp800-171a" } ], "prose" : "system management functionality is identified." }, { "id" : "3.13.3_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.3[c]", "class" : "sp800-171a" } ], "prose" : "user functionality is separated from system management functionality." 
} ] } ] }, { "id" : "3.13.4", "class" : "SP800-171", "title" : "Prevent unauthorized and unintended information transfer via shared system resources.", "props" : [ { "name" : "label", "value" : "3.13.4" }, { "name" : "label", "value" : "3.13.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.4" } ], "parts" : [ { "id" : "3.13.4_smt", "name" : "statement", "prose" : "Prevent unauthorized and unintended information transfer via shared system resources." }, { "id" : "3.13.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.4_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.4[D]", "class" : "sp800-171a" } ], "prose" : "Determine if unauthorized and unintended information transfer via shared system resources is prevented." } ] } ] }, { "id" : "3.13.5", "class" : "SP800-171", "title" : "Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.", "props" : [ { "name" : "label", "value" : "3.13.5" }, { "name" : "label", "value" : "3.13.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.5" } ], "parts" : [ { "id" : "3.13.5_smt", "name" : "statement", "prose" : "Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks." }, { "id" : "3.13.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.5[a]", "class" : "sp800-171a" } ], "prose" : "publicly accessible system components are identified."
}, { "id" : "3.13.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.5[b]", "class" : "sp800-171a" } ], "prose" : "subnetworks for publicly accessible system components are physically or logically separated from internal networks." } ] } ] }, { "id" : "3.13.6", "class" : "SP800-171", "title" : "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).", "props" : [ { "name" : "label", "value" : "3.13.6" }, { "name" : "label", "value" : "3.13.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.6" } ], "parts" : [ { "id" : "3.13.6_smt", "name" : "statement", "prose" : "Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)." }, { "id" : "3.13.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.6_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.6[a]", "class" : "sp800-171a" } ], "prose" : "network communications traffic is denied by default." }, { "id" : "3.13.6_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.6[b]", "class" : "sp800-171a" } ], "prose" : "network communications traffic is allowed by exception." 
} ] } ] }, { "id" : "3.13.7", "class" : "SP800-171", "title" : "Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).", "props" : [ { "name" : "label", "value" : "3.13.7" }, { "name" : "label", "value" : "3.13.7", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.7" } ], "parts" : [ { "id" : "3.13.7_smt", "name" : "statement", "prose" : "Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling)." }, { "id" : "3.13.7_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.7", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.7_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.7[D]", "class" : "sp800-171a" } ], "prose" : "Determine if remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling)." } ] } ] }, { "id" : "3.13.8", "class" : "SP800-171", "title" : "Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.", "props" : [ { "name" : "label", "value" : "3.13.8" }, { "name" : "label", "value" : "3.13.8", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.8" } ], "parts" : [ { "id" : "3.13.8_smt", "name" : "statement", "prose" : "Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards."
}, { "id" : "3.13.8_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.8", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.8_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.8[a]", "class" : "sp800-171a" } ], "prose" : "cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified." }, { "id" : "3.13.8_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.8[b]", "class" : "sp800-171a" } ], "prose" : "alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified." }, { "id" : "3.13.8_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.8[c]", "class" : "sp800-171a" } ], "prose" : "either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission." } ] } ] }, { "id" : "3.13.9", "class" : "SP800-171", "title" : "Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.", "props" : [ { "name" : "label", "value" : "3.13.9" }, { "name" : "label", "value" : "3.13.9", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.9" } ], "parts" : [ { "id" : "3.13.9_smt", "name" : "statement", "prose" : "Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity." }, { "id" : "3.13.9_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.9", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.9_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.9[a]", "class" : "sp800-171a" } ], "prose" : "a period of inactivity to terminate network connections associated with communications sessions is defined." 
}, { "id" : "3.13.9_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.9[b]", "class" : "sp800-171a" } ], "prose" : "network connections associated with communications sessions are terminated at the end of the sessions." }, { "id" : "3.13.9_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.9[c]", "class" : "sp800-171a" } ], "prose" : "network connections associated with communications sessions are terminated after the defined period of inactivity." } ] } ] }, { "id" : "3.13.10", "class" : "SP800-171", "title" : "Establish and manage cryptographic keys for cryptography employed in organizational systems.", "props" : [ { "name" : "label", "value" : "3.13.10" }, { "name" : "label", "value" : "3.13.10", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.10" } ], "parts" : [ { "id" : "3.13.10_smt", "name" : "statement", "prose" : "Establish and manage cryptographic keys for cryptography employed in organizational systems." }, { "id" : "3.13.10_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.10", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.10_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.10[a]", "class" : "sp800-171a" } ], "prose" : "cryptographic keys are established whenever cryptography is employed." }, { "id" : "3.13.10_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.10[b]", "class" : "sp800-171a" } ], "prose" : "cryptographic keys are managed whenever cryptography is employed." 
} ] } ] }, { "id" : "3.13.11", "class" : "SP800-171", "title" : "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.", "props" : [ { "name" : "label", "value" : "3.13.11" }, { "name" : "label", "value" : "3.13.11", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.11" } ], "parts" : [ { "id" : "3.13.11_smt", "name" : "statement", "prose" : "Employ FIPS-validated cryptography when used to protect the confidentiality of CUI." }, { "id" : "3.13.11_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.11", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.11_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.11[D]", "class" : "sp800-171a" } ], "prose" : "Determine if FIPS-validated cryptography is employed to protect the confidentiality of CUI." } ] } ] }, { "id" : "3.13.12", "class" : "SP800-171", "title" : "Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.", "props" : [ { "name" : "label", "value" : "3.13.12" }, { "name" : "label", "value" : "3.13.12", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.12" } ], "parts" : [ { "id" : "3.13.12_smt", "name" : "statement", "prose" : "Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device." }, { "id" : "3.13.12_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.12", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.12_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.12[a]", "class" : "sp800-171a" } ], "prose" : "collaborative computing devices are identified." 
}, { "id" : "3.13.12_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.12[b]", "class" : "sp800-171a" } ], "prose" : "collaborative computing devices provide indication to users of devices in use." }, { "id" : "3.13.12_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.12[c]", "class" : "sp800-171a" } ], "prose" : "remote activation of collaborative computing devices is prohibited." } ] } ] }, { "id" : "3.13.13", "class" : "SP800-171", "title" : "Control and monitor the use of mobile code.", "props" : [ { "name" : "label", "value" : "3.13.13" }, { "name" : "label", "value" : "3.13.13", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.13" } ], "parts" : [ { "id" : "3.13.13_smt", "name" : "statement", "prose" : "Control and monitor the use of mobile code." }, { "id" : "3.13.13_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.13", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.13_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.13[a]", "class" : "sp800-171a" } ], "prose" : "use of mobile code is controlled." }, { "id" : "3.13.13_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.13[b]", "class" : "sp800-171a" } ], "prose" : "use of mobile code is monitored." } ] } ] }, { "id" : "3.13.14", "class" : "SP800-171", "title" : "Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.", "props" : [ { "name" : "label", "value" : "3.13.14" }, { "name" : "label", "value" : "3.13.14", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.14" } ], "parts" : [ { "id" : "3.13.14_smt", "name" : "statement", "prose" : "Control and monitor the use of Voice over Internet Protocol (VoIP) technologies." 
}, { "id" : "3.13.14_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.14", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.14_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.14[a]", "class" : "sp800-171a" } ], "prose" : "use of Voice over Internet Protocol (VoIP) technologies is controlled." }, { "id" : "3.13.14_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.14[b]", "class" : "sp800-171a" } ], "prose" : "use of Voice over Internet Protocol (VoIP) technologies is monitored." } ] } ] }, { "id" : "3.13.15", "class" : "SP800-171", "title" : "Protect the authenticity of communications sessions.", "props" : [ { "name" : "label", "value" : "3.13.15" }, { "name" : "label", "value" : "3.13.15", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.15" } ], "parts" : [ { "id" : "3.13.15_smt", "name" : "statement", "prose" : "Protect the authenticity of communications sessions." }, { "id" : "3.13.15_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.15", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.15_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.15[D]", "class" : "sp800-171a" } ], "prose" : "Determine if the authenticity of communications sessions is protected." } ] } ] }, { "id" : "3.13.16", "class" : "SP800-171", "title" : "Protect the confidentiality of CUI at rest.", "props" : [ { "name" : "label", "value" : "3.13.16" }, { "name" : "label", "value" : "3.13.16", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.13.16" } ], "parts" : [ { "id" : "3.13.16_smt", "name" : "statement", "prose" : "Protect the confidentiality of CUI at rest." 
}, { "id" : "3.13.16_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.16", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.13.16_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.13.16[D]", "class" : "sp800-171a" } ], "prose" : "Determine if the confidentiality of CUI at rest is protected." } ] } ] } ] }, { "id" : "3.14", "class" : "family", "title" : "System and Information Integrity", "controls" : [ { "id" : "3.14.1", "class" : "SP800-171", "title" : "Identify, report, and correct system flaws in a timely manner.", "props" : [ { "name" : "label", "value" : "3.14.1" }, { "name" : "label", "value" : "3.14.1", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.14.1" } ], "parts" : [ { "id" : "3.14.1_smt", "name" : "statement", "prose" : "Identify, report, and correct system flaws in a timely manner." }, { "id" : "3.14.1_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.1", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.14.1_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.1[a]", "class" : "sp800-171a" } ], "prose" : "the time within which to identify system flaws is specified." }, { "id" : "3.14.1_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.1[b]", "class" : "sp800-171a" } ], "prose" : "system flaws are identified within the specified time frame." }, { "id" : "3.14.1_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.1[c]", "class" : "sp800-171a" } ], "prose" : "the time within which to report system flaws is specified." }, { "id" : "3.14.1_obj.d", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.1[d]", "class" : "sp800-171a" } ], "prose" : "system flaws are reported within the specified time frame." 
}, { "id" : "3.14.1_obj.e", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.1[e]", "class" : "sp800-171a" } ], "prose" : "the time within which to correct system flaws is specified." }, { "id" : "3.14.1_obj.f", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.1[f]", "class" : "sp800-171a" } ], "prose" : "system flaws are corrected within the specified time frame." } ] } ] }, { "id" : "3.14.2", "class" : "SP800-171", "title" : "Provide protection from malicious code at designated locations within organizational systems.", "props" : [ { "name" : "label", "value" : "3.14.2" }, { "name" : "label", "value" : "3.14.2", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.14.2" } ], "parts" : [ { "id" : "3.14.2_smt", "name" : "statement", "prose" : "Provide protection from malicious code at designated locations within organizational systems." }, { "id" : "3.14.2_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.2", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.14.2_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.2[a]", "class" : "sp800-171a" } ], "prose" : "designated locations for malicious code protection are identified." }, { "id" : "3.14.2_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.2[b]", "class" : "sp800-171a" } ], "prose" : "protection from malicious code at designated locations is provided." } ] } ] }, { "id" : "3.14.3", "class" : "SP800-171", "title" : "Monitor system security alerts and advisories and take action in response.", "props" : [ { "name" : "label", "value" : "3.14.3" }, { "name" : "label", "value" : "3.14.3", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.14.3" } ], "parts" : [ { "id" : "3.14.3_smt", "name" : "statement", "prose" : "Monitor system security alerts and advisories and take action in response." 
}, { "id" : "3.14.3_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.3", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.14.3_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.3[a]", "class" : "sp800-171a" } ], "prose" : "response actions to system security alerts and advisories are identified." }, { "id" : "3.14.3_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.3[b]", "class" : "sp800-171a" } ], "prose" : "system security alerts and advisories are monitored." }, { "id" : "3.14.3_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.3[c]", "class" : "sp800-171a" } ], "prose" : "actions in response to system security alerts and advisories are taken." } ] } ] }, { "id" : "3.14.4", "class" : "SP800-171", "title" : "Update malicious code protection mechanisms when new releases are available.", "props" : [ { "name" : "label", "value" : "3.14.4" }, { "name" : "label", "value" : "3.14.4", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.14.4" } ], "parts" : [ { "id" : "3.14.4_smt", "name" : "statement", "prose" : "Update malicious code protection mechanisms when new releases are available." }, { "id" : "3.14.4_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.4", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.14.4_obj.D", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.4[D]", "class" : "sp800-171a" } ], "prose" : "Determine if malicious code protection mechanisms are updated when new releases are available." 
} ] } ] }, { "id" : "3.14.5", "class" : "SP800-171", "title" : "Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.", "props" : [ { "name" : "label", "value" : "3.14.5" }, { "name" : "label", "value" : "3.14.5", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.14.5" } ], "parts" : [ { "id" : "3.14.5_smt", "name" : "statement", "prose" : "Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed." }, { "id" : "3.14.5_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.5", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.14.5_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.5[a]", "class" : "sp800-171a" } ], "prose" : "the frequency for malicious code scans is defined." }, { "id" : "3.14.5_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.5[b]", "class" : "sp800-171a" } ], "prose" : "malicious code scans are performed with the defined frequency." }, { "id" : "3.14.5_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.5[c]", "class" : "sp800-171a" } ], "prose" : "real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed." 
} ] } ] }, { "id" : "3.14.6", "class" : "SP800-171", "title" : "Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.", "props" : [ { "name" : "label", "value" : "3.14.6" }, { "name" : "label", "value" : "3.14.6", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.14.6" } ], "parts" : [ { "id" : "3.14.6_smt", "name" : "statement", "prose" : "Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks." }, { "id" : "3.14.6_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.6", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.14.6_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.6[a]", "class" : "sp800-171a" } ], "prose" : "the system is monitored to detect attacks and indicators of potential attacks." }, { "id" : "3.14.6_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.6[b]", "class" : "sp800-171a" } ], "prose" : "inbound communications traffic is monitored to detect attacks and indicators of potential attacks." }, { "id" : "3.14.6_obj.c", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.6[c]", "class" : "sp800-171a" } ], "prose" : "outbound communications traffic is monitored to detect attacks and indicators of potential attacks." 
} ] } ] }, { "id" : "3.14.7", "class" : "SP800-171", "title" : "Identify unauthorized use of organizational systems", "props" : [ { "name" : "label", "value" : "3.14.7" }, { "name" : "label", "value" : "3.14.7", "class" : "sp800-171a" }, { "name" : "sort-id", "value" : "3.14.7" } ], "parts" : [ { "id" : "3.14.7_smt", "name" : "statement", "prose" : "Identify unauthorized use of organizational systems" }, { "id" : "3.14.7_obj", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.7", "class" : "sp800-171a" } ], "parts" : [ { "id" : "3.14.7_obj.a", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.7[a]", "class" : "sp800-171a" } ], "prose" : "authorized use of the system is defined." }, { "id" : "3.14.7_obj.b", "name" : "assessment-objective", "props" : [ { "name" : "label", "value" : "3.14.7[b]", "class" : "sp800-171a" } ], "prose" : "unauthorized use of the system is identified." } ] } ] } ] } ], "back-matter" : { "resources" : [ { "uuid" : "40309802-71cd-43b9-b807-5fbd634c0217", "title" : "NIST 800-171 OSCAL Catalog GitHub Project", "rlinks" : [ { "href" : "https://github.com/s0l4r1um/NIST-800-171-OSCAL-Catalog" } ] }, { "uuid" : "91f992fb-f668-4c91-a50f-0f05b95ccee3", "title" : "32 CFR 2002", "citation" : { "text" : "Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)." }, "rlinks" : [ { "href" : "https://www.federalregister.gov/documents/2016/09/14/2016-21665/controlled-unclassified-information" } ] }, { "uuid" : "0f963c17-ab5a-432a-a867-91eac550309b", "title" : "41 CFR 201", "citation" : { "text" : "\"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271." 
}, "rlinks" : [ { "href" : "https://www.federalregister.gov/d/2020-18939" } ] }, { "uuid" : "a5ef5e56-5c1a-4911-b419-37dddc1b3581", "title" : "5 CFR 731", "citation" : { "text" : "Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/content/pkg/CFR-2012-title5-vol2/pdf/CFR-2012-title5-vol2-sec731-106.pdf" } ] }, { "uuid" : "d3b71d4d-27c1-40f7-ad7f-1c1fe6d8bde8", "title" : "ATOM54", "citation" : { "text" : "Atomic Energy Act (P.L. 83-703), August 1954." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/content/pkg/STATUTE-68/pdf/STATUTE-68-Pg919.pdf" } ] }, { "uuid" : "94c64e1a-456c-457f-86da-83ac0dfc85ac", "title" : "CMPPA", "citation" : { "text" : "Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/content/pkg/STATUTE-102/pdf/STATUTE-102-Pg2507.pdf" } ] }, { "uuid" : "031cc4b7-9adf-4835-98f1-f1ca493519cf", "title" : "CNSSD 505", "citation" : { "text" : "Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017." }, "rlinks" : [ { "href" : "https://www.cnss.gov/CNSS/issuances/Directives.cfm" } ] }, { "uuid" : "4e4fbc93-333d-45e6-a875-de36b878b6b9", "title" : "CNSSI 1253", "citation" : { "text" : "Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014." }, "rlinks" : [ { "href" : "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" } ] }, { "uuid" : "6f63a36d-24bb-44f3-885a-5a50b5e1ada0", "title" : "CNSSI 4009", "citation" : { "text" : "Committee on National Security Systems Instruction No. 4009, *Committee on National Security Systems (CNSS) Glossary* , April 2015." 
}, "rlinks" : [ { "href" : "https://www.cnss.gov/CNSS/issuances/Instructions.cfm" } ] }, { "uuid" : "8a687894-cdab-423d-b95b-8d9475e4b51e", "title" : "CNSSP 22", "citation" : { "text" : "Committee on National Security Systems Policy No. 22, *Cybersecurity Risk Management Policy* , August 2016." }, "rlinks" : [ { "href" : "https://www.cnss.gov/CNSS/issuances/Policies.cfm" } ] }, { "uuid" : "b9951d04-6385-478c-b1a3-ab68c19d9041", "title" : "DHS NIPP", "citation" : { "text" : "Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)* , 2009." }, "rlinks" : [ { "href" : "https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf" } ] }, { "uuid" : "4f42ee6e-86cc-403b-a51f-76c2b4f81b54", "title" : "DHS TIC", "citation" : { "text" : "Department of Homeland Security, *Trusted Internet Connections (TIC)*." }, "rlinks" : [ { "href" : "https://www.dhs.gov/trusted-internet-connections" } ] }, { "uuid" : "aa66e14f-e7cb-4a37-99d2-07578dfd4608", "title" : "DOD STIG", "citation" : { "text" : "Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*." }, "rlinks" : [ { "href" : "https://public.cyber.mil/stigs" } ] }, { "uuid" : "d6f8ff7f-4b71-47ba-b61b-a5ee3ffd3af0", "title" : "DODI 8510.01", "citation" : { "text" : "Department of Defense Instruction 8510.01, *Risk Management Framework (RMF) for DoD Information Technology (IT)* , March 2014." }, "rlinks" : [ { "href" : "https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf?ver=2019-02-26-101520-300" } ] }, { "uuid" : "1c861e8c-cb40-463e-9cf2-693554107693", "title" : "DODTERMS", "citation" : { "text" : "Department of Defense, *Dictionary of Military and Associated Terms*." }, "rlinks" : [ { "href" : "https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf" } ] }, { "uuid" : "00db708b-4704-4fcb-b854-b66d1d756a58", "title" : "DSB 2017", "citation" : { "text" : "Department of Defense, Defense Science Board, *Task Force on Cyber Deterrence* , February 2017." 
}, "rlinks" : [ { "href" : "https://dsb.cto.mil/reports/2010s/DSB-CyberDeterrenceReport_02-28-17_Final.pdf" } ] }, { "uuid" : "7b0b9634-741a-4335-b6fa-161228c3a76e", "title" : "EGOV", "citation" : { "text" : "E-Government Act [includes FISMA] (P.L. 107-347), December 2002." }, "rlinks" : [ { "href" : "https://www.congress.gov/107/plaws/publ347/PLAW-107publ347.pdf" } ] }, { "uuid" : "55b0c93a-5e48-457a-baa6-5ce81c239c49", "title" : "EO 13526", "citation" : { "text" : "Executive Order 13526, *Classified National Security Information* , December 2009." }, "rlinks" : [ { "href" : "https://www.archives.gov/isoo/policy-documents/cnsi-eo.html" } ] }, { "uuid" : "34a5571f-e252-4309-a8a1-2fdb2faefbcd", "title" : "EO 13556", "citation" : { "text" : "Executive Order 13556, *Controlled Unclassified Information* , November 2010." }, "rlinks" : [ { "href" : "https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information" } ] }, { "uuid" : "0af071a6-cf8e-48ee-8c82-fe91efa20f94", "title" : "EO 13587", "citation" : { "text" : "Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011." }, "rlinks" : [ { "href" : "https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net" } ] }, { "uuid" : "3406fdc0-d61c-44a9-a5ca-84180544c83a", "title" : "EO 13636", "citation" : { "text" : "Executive Order 13636, *Improving Critical Infrastructure Cybersecurity* , February 2013." 
}, "rlinks" : [ { "href" : "https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity" } ] }, { "uuid" : "09afa3a7-e564-4c5f-865f-2679049563b0", "title" : "EO 13800", "citation" : { "text" : "Executive Order 13800, *Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure* , May 2017." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/presidential-actions/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure" } ] }, { "uuid" : "21caa535-1154-4369-ba7b-32c309fee0f7", "title" : "EO 13873", "citation" : { "text" : "Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain" } ] }, { "uuid" : "511da9ca-604d-43f7-be41-b862085420a9", "title" : "EVIDACT", "citation" : { "text" : "Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019." }, "rlinks" : [ { "href" : "https://www.congress.gov/115/plaws/publ435/PLAW-115publ435.pdf" } ] }, { "uuid" : "4ff10ed3-d8fe-4246-99e3-443045e27482", "title" : "FASC18", "citation" : { "text" : "Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018." }, "rlinks" : [ { "href" : "https://www.congress.gov/bill/115th-congress/senate-bill/3085" } ] }, { "uuid" : "a1555677-2b9d-4868-a97b-a1363aff32f5", "title" : "FED PKI", "citation" : { "text" : "General Services Administration, *Federal Public Key Infrastructure*." 
}, "rlinks" : [ { "href" : "https://www.idmanagement.gov/topics/fpki" } ] }, { "uuid" : "678e3d6c-150b-4393-aec5-6e3481eb1e00", "title" : "FIPS 140-3", "citation" : { "text" : "National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.140-3" } ] }, { "uuid" : "eea3c092-42ed-4382-a6f4-1adadef01b9d", "title" : "FIPS 180-4", "citation" : { "text" : "National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.180-4" } ] }, { "uuid" : "7c37a38d-21d7-40d8-bc3d-b5e27eac17e1", "title" : "FIPS 186-4", "citation" : { "text" : "National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.186-4" } ] }, { "uuid" : "736d6310-e403-4b57-a79d-9967970c66d7", "title" : "FIPS 197", "citation" : { "text" : "National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.197" } ] }, { "uuid" : "628d22a1-6a11-4784-bc59-5cd9497b5445", "title" : "FIPS 199", "citation" : { "text" : "National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.199" } ] }, { "uuid" : "599fb53d-5041-444e-a7fe-640d6d30ad05", "title" : "FIPS 200", "citation" : { "text" : "National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.200" } ] }, { "uuid" : "7ba1d91c-3934-4d5a-8532-b32f864ad34c", "title" : "FIPS 201-2", "citation" : { "text" : "National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.201-2" } ] }, { "uuid" : "a295ca19-8c75-4b4c-8800-98024732e181", "title" : "FIPS 202", "citation" : { "text" : "National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.FIPS.202" } ] }, { "uuid" : "d68867c0-2f21-4193-bef8-300f3270db56", "title" : "FISMA IMP", "citation" : { "text" : "Federal Information Security Modernization Act (FISMA) Implementation Project." }, "rlinks" : [ { "href" : "https://nist.gov/RMF" } ] }, { "uuid" : "0c67b2a9-bede-43d2-b86d-5f35b8be36e9", "title" : "FISMA", "citation" : { "text" : "Federal Information Security Modernization Act (P.L. 113-283), December 2014." }, "rlinks" : [ { "href" : "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf" } ] }, { "uuid" : "d9b1262c-9ee6-4c3e-846f-3a15f9d7eaa6", "title" : "FOIA96", "citation" : { "text" : "Freedom of Information Act (FOIA), 5 U.S.C. 
§ 552, As Amended By Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/content/pkg/PLAW-104publ231/pdf/PLAW-104publ231.pdf" } ] }, { "uuid" : "f16e438e-7114-4144-bfe2-2dfcad8cb2d0", "title" : "HSPD 12", "citation" : { "text" : "Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004." }, "rlinks" : [ { "href" : "https://www.dhs.gov/homeland-security-presidential-directive-12" } ] }, { "uuid" : "488d6934-00b2-4252-bf23-1b3c2d71eb13", "title" : "HSPD 7", "citation" : { "text" : "Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection* , December 2003." }, "rlinks" : [ { "href" : "https://www.dhs.gov/homeland-security-presidential-directive-7" } ] }, { "uuid" : "7623635e-1a92-4250-a829-4a5c8a4da2bc", "title" : "IETF 4949", "citation" : { "text" : "Internet Engineering Task Force (IETF), Request for Comments: 4949, *Internet Security Glossary, Version 2* , August 2007." }, "rlinks" : [ { "href" : "https://tools.ietf.org/html/rfc4949" } ] }, { "uuid" : "e4d37285-1e79-4029-8b6a-42df39cace30", "title" : "IETF 5905", "citation" : { "text" : "Internet Engineering Task Force (IETF), Request for Comments: 5905, *Network Time Protocol Version 4: Protocol and Algorithms Specification* , June 2010." }, "rlinks" : [ { "href" : "https://tools.ietf.org/pdf/rfc5905.pdf" } ] }, { "uuid" : "15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c", "title" : "IR 7539", "citation" : { "text" : "Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7539" } ] }, { "uuid" : "2be7b163-e50a-435c-8906-f1162f2a457a", "title" : "IR 7559", "citation" : { "text" : "Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7559" } ] }, { "uuid" : "e24b06cc-9129-4998-a76a-65c3d7a576ba", "title" : "IR 7622", "citation" : { "text" : "Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7622" } ] }, { "uuid" : "4b38e961-1125-4a5b-aa35-1d6c02846dad", "title" : "IR 7676", "citation" : { "text" : "Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7676" } ] }, { "uuid" : "aa5d04e0-6090-4e17-84d4-b9963d55fc2c", "title" : "IR 7788", "citation" : { "text" : "Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7788" } ] }, { "uuid" : "91701292-8bcd-4d2e-a5bd-59ab61e34b3c", "title" : "IR 7817", "citation" : { "text" : "Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7817" } ] }, { "uuid" : "4f5f51ac-2b8d-4b90-a3c7-46f56e967617", "title" : "IR 7849", "citation" : { "text" : "Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7849" } ] }, { "uuid" : "604774da-9e1d-48eb-9c62-4e959dc80737", "title" : "IR 7870", "citation" : { "text" : "Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7870" } ] }, { "uuid" : "7f473f21-fdbf-4a6c-81a1-0ab95919609d", "title" : "IR 7874", "citation" : { "text" : "Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7874" } ] }, { "uuid" : "849b2358-683f-4d97-b111-1cc3d522ded5", "title" : "IR 7956", "citation" : { "text" : "Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7956" } ] }, { "uuid" : "3915a084-b87b-4f02-83d4-c369e746292f", "title" : "IR 7966", "citation" : { "text" : "Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.7966" } ] }, { "uuid" : "bbac9fc2-df5b-4f2d-bf99-90d0ade45349", "title" : "IR 8011-1", "citation" : { "text" : "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8011-1" } ] }, { "uuid" : "70402863-5078-43af-9a6c-e11b0f3ec370", "title" : "IR 8011-2", "citation" : { "text" : "Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8011-2" } ] }, { "uuid" : "996241f8-f692-42d5-91f1-ce8b752e39e6", "title" : "IR 8011-3", "citation" : { "text" : "Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8011-3" } ] }, { "uuid" : "d2ebec9b-f868-4ee1-a2bd-0b2282aed248", "title" : "IR 8011-4", "citation" : { "text" : "Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8011-4" } ] }, { "uuid" : "4c501da5-9d79-4cb6-ba80-97260e1ce327", "title" : "IR 8023", "citation" : { "text" : "Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8023" } ] }, { "uuid" : "81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5", "title" : "IR 8040", "citation" : { "text" : "Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8040" } ] }, { "uuid" : "98d415ca-7281-4064-9931-0c366637e324", "title" : "IR 8062", "citation" : { "text" : "Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8062" } ] }, { "uuid" : "a2590922-82f3-4277-83c0-ca5bee06dba4", "title" : "IR 8112", "citation" : { "text" : "Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8112" } ] }, { "uuid" : "d4296805-2dca-4c63-a95f-eeccaa826aec", "title" : "IR 8179", "citation" : { "text" : "Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8179" } ] }, { "uuid" : "38ff38f0-1366-4f50-a4c9-26a39aacee16", "title" : "IR 8272", "citation" : { "text" : "Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.IR.8272" } ] }, { "uuid" : "0c559766-0df1-468f-a499-3577bb6dfa46", "title" : "ISO 15026-1", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15026-1:2019, *Systems and software engineering — Systems and software assurance — Part 1: Concepts and vocabulary* , March 2019." }, "rlinks" : [ { "href" : "https://www.iso.org/standard/73567.html" } ] }, { "uuid" : "7d8ec7b7-dba0-4a17-981c-c959dbcc6c68", "title" : "ISO 15288", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15288:2015, *Systems and software engineering —Systems life cycle processes* , May 2015." }, "rlinks" : [ { "href" : "https://www.iso.org/standard/63711.html" } ] }, { "uuid" : "6afc1b04-c9d6-4023-adbc-f8fbe33a3c73", "title" : "ISO 15408-1", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017." 
}, "rlinks" : [ { "href" : "https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf" } ] }, { "uuid" : "87087451-2af5-43d4-88c1-d66ad850f614", "title" : "ISO 15408-2", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017." }, "rlinks" : [ { "href" : "https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf" } ] }, { "uuid" : "4452efc0-e79e-47b8-aa30-b54f3ef61c2f", "title" : "ISO 15408-3", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017." }, "rlinks" : [ { "href" : "https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf" } ] }, { "uuid" : "15a95e24-65b6-4686-bc18-90855a10457d", "title" : "ISO 20243", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018." }, "rlinks" : [ { "href" : "https://www.iso.org/standard/74399.html" } ] }, { "uuid" : "c22d2905-4087-4397-b574-c534b9e808c8", "title" : "ISO 25237", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 25237:2017, *Health informatics —Pseudonymization* , January 2017." 
}, "rlinks" : [ { "href" : "https://www.iso.org/standard/63553.html" } ] }, { "uuid" : "863caf2a-978a-4260-9e8d-4a8929bce40c", "title" : "ISO 27036", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014." }, "rlinks" : [ { "href" : "https://www.iso.org/standard/59648.html" } ] }, { "uuid" : "094ad8c9-960f-4091-acff-8c99a390f08d", "title" : "ISO 29100", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 29100:2011, *Information technology—Security techniques—Privacy framework* , December 2011." }, "rlinks" : [ { "href" : "https://www.iso.org/standard/45123.html" } ] }, { "uuid" : "8df72805-2e5c-4731-a73e-81db0f0318d0", "title" : "ISO 29147", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018." }, "rlinks" : [ { "href" : "https://www.iso.org/standard/72311.html" } ] }, { "uuid" : "06ce9216-bd54-4054-a422-94f358b50a5d", "title" : "ISO 29148", "citation" : { "text" : "International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018." }, "rlinks" : [ { "href" : "https://www.iso.org/standard/72089.html" } ] }, { "uuid" : "d1cdab13-4218-400d-91a9-c3818dfa5ec8", "title" : "LAMPSON73", "citation" : { "text" : "B. W. Lampson, *A Note on the Confinement Problem* , Communications of the ACM 16, 10, pp. 613-615, October 1973." 
} }, { "uuid" : "c28ae9a8-1121-42a9-a85e-00cfcc9b9a94", "title" : "NARA CUI", "citation" : { "text" : "National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry." }, "rlinks" : [ { "href" : "https://www.archives.gov/cui" } ] }, { "uuid" : "d744d9a3-73eb-4085-b9ff-79e82e9e2d6e", "title" : "NCPR", "citation" : { "text" : "National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at" }, "rlinks" : [ { "href" : "https://nvd.nist.gov/ncp/repository" } ] }, { "uuid" : "aea5026f-e5c5-4256-8293-ffcdc487bcd5", "title" : "NEUM04", "citation" : { "text" : "*Principled Assuredly Trustworthy Composable Architectures* , P. Neumann, CDRL A001 Final Report, SRI International, December 2004." }, "rlinks" : [ { "href" : "http://www.csl.sri.com/users/neumann/chats4.pdf" } ] }, { "uuid" : "795aff72-3e6c-4b6b-a80a-b14d84b7f544", "title" : "NIAP CCEVS", "citation" : { "text" : "National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*." }, "rlinks" : [ { "href" : "https://www.niap-ccevs.org" } ] }, { "uuid" : "84dc1b0c-acb7-4269-84c4-00dbabacd78c", "title" : "NIST CAVP", "citation" : { "text" : "National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at" }, "rlinks" : [ { "href" : "https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program" } ] }, { "uuid" : "1acdc775-aafb-4d11-9341-dc6a822e9d38", "title" : "NIST CMVP", "citation" : { "text" : "National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at" }, "rlinks" : [ { "href" : "https://csrc.nist.gov/projects/cryptographic-module-validation-program" } ] }, { "uuid" : "a806de34-70a2-4239-8030-4ab286acc7b8", "title" : "NIST CSF", "citation" : { "text" : "National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. 
(National Institute of Standards and Technology, Gaithersburg, MD)." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.CSWP.04162018" } ] }, { "uuid" : "956dcbb3-8109-4b6a-9058-ff0b909ec812", "title" : "NIST PF", "citation" : { "text" : "National Institute of Standards and Technology (2020) Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0. (National Institute of Standards and Technology, Gaithersburg, MD)." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.CSWP.01162020" } ] }, { "uuid" : "528135e3-c65b-461a-93d3-46513610f792", "title" : "NITP12", "citation" : { "text" : "Presidential Memorandum for the Heads of Executive Departments and Agencies, *National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs* , November 2012." }, "rlinks" : [ { "href" : "https://obamawhitehouse.archives.gov/the-press-office/2012/11/21/presidential-memorandum-national-insider-threat-policy-and-minimum-stand" } ] }, { "uuid" : "3d575737-98cb-459d-b41c-d7e82b73ad78", "title" : "NSA CSFC", "citation" : { "text" : "National Security Agency, *Commercial Solutions for Classified Program (CSfC)*." }, "rlinks" : [ { "href" : "https://www.nsa.gov/resources/everyone/csfc" } ] }, { "uuid" : "df9f87e9-71e7-4c74-9ac3-3cabd4e92f21", "title" : "NSA MEDIA", "citation" : { "text" : "National Security Agency, *Media Destruction Guidance*." 
}, "rlinks" : [ { "href" : "https://www.nsa.gov/resources/everyone/media-destruction" } ] }, { "uuid" : "782a8c6d-39a4-45df-a6db-ad0b9226fa38", "title" : "NVD 800-53", "citation" : { "text" : "National Institute of Standards and Technology (2020) *National Vulnerability Database: NIST Special Publication 800-53 [database of controls].* Available at" }, "rlinks" : [ { "href" : "https://nvd.nist.gov/800-53" } ] }, { "uuid" : "89f2a08d-fc49-46d0-856e-bf974c9b1573", "title" : "ODNI CTF", "citation" : { "text" : "Office of the Director of National Intelligence (ODNI) Cyber Threat Framework." }, "rlinks" : [ { "href" : "https://www.dni.gov/index.php/cyber-threat-framework" } ] }, { "uuid" : "06d74ea9-2178-449c-a9c5-b2980f804ac8", "title" : "ODNI NITP", "citation" : { "text" : "Office of the Director of National Intelligence, *National Insider Threat Policy*." }, "rlinks" : [ { "href" : "https://www.dni.gov/files/NCSC/documents/nittf/National_Insider_Threat_Policy.pdf" } ] }, { "uuid" : "3671ff20-c17c-44d6-8a88-7de203fa74aa", "title" : "OMB A-108", "citation" : { "text" : "Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act* , December 2016." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf" } ] }, { "uuid" : "27847491-5ce1-4f6a-a1e4-9e483782f0ef", "title" : "OMB A-130", "citation" : { "text" : "Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf" } ] }, { "uuid" : "d229ae60-51dd-4d7b-a8bf-1f7195cc7561", "title" : "OMB M-03-22", "citation" : { "text" : "Office of Management and Budget Memorandum M-03-22, *OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002* , September 2003. 
[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf](https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf)" }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf" } ] }, { "uuid" : "047b041a-b4b0-4537-ab2d-2b36283eeda0", "title" : "OMB M-08-05", "citation" : { "text" : "Office of Management and Budget Memorandum M-08-05, *Implementation of Trusted Internet Connections (TIC)* , November 2007." }, "rlinks" : [ { "href" : "https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-05.pdf" } ] }, { "uuid" : "206a3284-6a7e-423c-8ea9-25b22542541d", "title" : "OMB M-17-06", "citation" : { "text" : "Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services* , November 2016." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-06.pdf" } ] }, { "uuid" : "5f4705ac-8d17-438c-b23a-ac7f12362ae4", "title" : "OMB M-17-12", "citation" : { "text" : "Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017." }, "rlinks" : [ { "href" : "https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf" } ] }, { "uuid" : "81c44706-0227-4258-a920-620a4d259990", "title" : "OMB M-17-25", "citation" : { "text" : "Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure* , May 2017." 
}, "rlinks" : [ { "href" : "https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf" } ] }, { "uuid" : "c5e11048-1d38-4af3-b00b-0d88dc26860c", "title" : "OMB M-19-03", "citation" : { "text" : "Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf" } ] }, { "uuid" : "227063d4-431e-435f-9e8f-009b6dbc20f4", "title" : "OMB M-19-15", "citation" : { "text" : "Office of Management and Budget Memorandum M-19-15, *Improving Implementation of the Information Quality Act* , April 2019." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/wp-content/uploads/2019/04/M-19-15.pdf" } ] }, { "uuid" : "d886c141-c832-4ad7-ac6d-4b94f4b550d3", "title" : "OMB M-19-23", "citation" : { "text" : "Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance* , July 2019." }, "rlinks" : [ { "href" : "https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf" } ] }, { "uuid" : "79453f84-26a4-4995-8257-d32d37aefea3", "title" : "POPEK74", "citation" : { "text" : "G. Popek, *The Principle of Kernel Design* , in 1974 NCC, AFIPS Cong. Proc., Vol. 43, pp. 977-978." } }, { "uuid" : "18e71fec-c6fd-475a-925a-5d8495cf8455", "title" : "PRIVACT", "citation" : { "text" : "Privacy Act (P.L. 93-579), December 1974." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf" } ] }, { "uuid" : "c9495d6e-ef64-4090-8509-e58c3b9009ff", "title" : "SALTZER75", "citation" : { "text" : "J. Saltzer and M. Schroeder, *The Protection of Information in Computer Systems* , in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308." 
} }, { "uuid" : "4c0ec2ee-a0d6-428a-9043-4504bc3ade6f", "title" : "SP 800-100", "citation" : { "text" : "Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-100" } ] }, { "uuid" : "10cf2fad-a216-41f9-bb1a-531b7e3119e3", "title" : "SP 800-101", "citation" : { "text" : "Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-101r1" } ] }, { "uuid" : "22f2d4f0-4365-4e88-a30d-275c1f5473ea", "title" : "SP 800-111", "citation" : { "text" : "Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-111" } ] }, { "uuid" : "6bc4d137-aece-42a8-8081-9ecb1ebe9fb4", "title" : "SP 800-113", "citation" : { "text" : "Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-113" } ] }, { "uuid" : "42e37e51-7cc0-4ffa-81c9-0ac942da7e99", "title" : "SP 800-114", "citation" : { "text" : "Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-114r1" } ] }, { "uuid" : "122177fa-c4ed-485d-8345-3082c0fb9a06", "title" : "SP 800-115", "citation" : { "text" : "Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-115" } ] }, { "uuid" : "2100332a-16a5-4598-bacf-7261baea9711", "title" : "SP 800-116", "citation" : { "text" : "Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-116r1" } ] }, { "uuid" : "d17ebd7a-ffab-499d-bfff-e705bbb01fa6", "title" : "SP 800-121", "citation" : { "text" : "Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-121r2" } ] }, { "uuid" : "0f66be67-85e7-4ca6-bd19-39453e9f4394", "title" : "SP 800-124", "citation" : { "text" : "Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-124r1" } ] }, { "uuid" : "88660532-2dcf-442e-845c-03340ce48999", "title" : "SP 800-125B", "citation" : { "text" : "Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-125B" } ] }, { "uuid" : "8016d2ed-d30f-4416-9c45-0f42c7aa3232", "title" : "SP 800-126", "citation" : { "text" : "Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-126r3" } ] }, { "uuid" : "20db4e66-e257-450c-b2e4-2bb9a62a2c88", "title" : "SP 800-128", "citation" : { "text" : "Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-128" } ] }, { "uuid" : "c7ac44e8-10db-4b64-b2b9-9e32ec1efed0", "title" : "SP 800-12", "citation" : { "text" : "Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-12r1" } ] }, { "uuid" : "3653e316-8923-430e-8943-b3b2b2562fc6", "title" : "SP 800-130", "citation" : { "text" : "Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-130" } ] }, { "uuid" : "62ea77ca-e450-4323-b210-e0d75390e785", "title" : "SP 800-137A", "citation" : { "text" : "Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-137A" } ] }, { "uuid" : "067223d8-1ec7-45c5-b21b-c848da6de8fb", "title" : "SP 800-137", "citation" : { "text" : "Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-137" } ] }, { "uuid" : "e47ee630-9cbc-4133-880e-e013f83ccd51", "title" : "SP 800-147", "citation" : { "text" : "Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-147" } ] }, { "uuid" : "9ef4b43c-42a4-4316-87dc-ffaf528bc05c", "title" : "SP 800-150", "citation" : { "text" : "Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-150" } ] }, { "uuid" : "2494df28-9049-4196-b233-540e7440993f", "title" : "SP 800-152", "citation" : { "text" : "Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-152" } ] }, { "uuid" : "708b94e1-3d5e-4b22-ab43-1c69f3a97e37", "title" : "SP 800-154", "citation" : { "text" : "Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154." }, "rlinks" : [ { "href" : "https://csrc.nist.gov/publications/detail/sp/800-154/draft" } ] }, { "uuid" : "d9e036ba-6eec-46a6-9340-b0bf1fea23b4", "title" : "SP 800-156", "citation" : { "text" : "Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-156" } ] }, { "uuid" : "e3cc0520-a366-4fc9-abc2-5272db7e3564", "title" : "SP 800-160-1", "citation" : { "text" : "Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-160v1" } ] }, { "uuid" : "61ccf0f4-d3e7-42db-9796-ce6cb1c85989", "title" : "SP 800-160-2", "citation" : { "text" : "Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-160v2" } ] }, { "uuid" : "e8e84963-14fc-4c3a-be05-b412a5d37cd2", "title" : "SP 800-161", "citation" : { "text" : "Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-161" } ] }, { "uuid" : "2956e175-f674-43f4-b1b9-e074ad9fc39c", "title" : "SP 800-162", "citation" : { "text" : "Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-162" } ] }, { "uuid" : "e8552d48-cf41-40aa-8b06-f45f7fb4706c", "title" : "SP 800-166", "citation" : { "text" : "Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-166" } ] }, { "uuid" : "38f39739-1ebd-43b1-8b8c-00f591d89ebd", "title" : "SP 800-167", "citation" : { "text" : "Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-167" } ] }, { "uuid" : "7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849", "title" : "SP 800-171", "citation" : { "text" : "Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-171r2" } ] }, { "uuid" : "f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e", "title" : "SP 800-172", "citation" : { "text" : "Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-172-draft" } ] }, { "uuid" : "1c71b420-2bd9-4e52-9fc8-390f58b85b59", "title" : "SP 800-177", "citation" : { "text" : "Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-177r1" } ] }, { "uuid" : "388a3aa2-5d85-4bad-b8a3-77db80d63c4f", "title" : "SP 800-178", "citation" : { "text" : "Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-178" } ] }, { "uuid" : "276bd50a-7e58-48e5-a405-8c8cb91d7a5f", "title" : "SP 800-181", "citation" : { "text" : "Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-181r1" } ] }, { "uuid" : "31ae65ab-3f26-46b7-9d64-f25a4dac5778", "title" : "SP 800-184", "citation" : { "text" : "Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-184" } ] }, { "uuid" : "c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2", "title" : "SP 800-188", "citation" : { "text" : "Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188." }, "rlinks" : [ { "href" : "https://csrc.nist.gov/publications/detail/sp/800-188/draft" } ] }, { "uuid" : "f5edfe51-d1f2-422e-9b27-5d0e90b49c72", "title" : "SP 800-189", "citation" : { "text" : "Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-189" } ] }, { "uuid" : "30eb758a-2707-4bca-90ad-949a74d4eb16", "title" : "SP 800-18", "citation" : { "text" : "Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-18r1" } ] }, { "uuid" : "53df282b-8b3f-483a-bad1-6a8b8ac00114", "title" : "SP 800-192", "citation" : { "text" : "Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-192" } ] }, { "uuid" : "f641309f-a3ad-48be-8c67-2b318648b2f5", "title" : "SP 800-28", "citation" : { "text" : "Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-28ver2" } ] }, { "uuid" : "08b07465-dbdc-48d6-8a0b-37279602ac16", "title" : "SP 800-30", "citation" : { "text" : "Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-30r1" } ] }, { "uuid" : "8cb338a4-e493-4177-818f-3af18983ddc5", "title" : "SP 800-32", "citation" : { "text" : "Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-32" } ] }, { "uuid" : "bc39f179-c735-4da2-b7a7-b2b622119755", "title" : "SP 800-34", "citation" : { "text" : "Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-34r1" } ] }, { "uuid" : "77faf0bc-c394-44ad-9154-bbac3b79c8ad", "title" : "SP 800-35", "citation" : { "text" : "Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-35" } ] }, { "uuid" : "482e4c99-9dc4-41ad-bba8-0f3f0032c1f8", "title" : "SP 800-37", "citation" : { "text" : "Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-37r2" } ] }, { "uuid" : "cec037f3-8aba-4c97-84b4-4082f9e515d2", "title" : "SP 800-39", "citation" : { "text" : "Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-39" } ] }, { "uuid" : "155f941a-cba9-4afd-9ca6-5d040d697ba9", "title" : "SP 800-40", "citation" : { "text" : "Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-40r3" } ] }, { "uuid" : "a7f0e897-29a3-45c4-bd88-40dfef0e034a", "title" : "SP 800-41", "citation" : { "text" : "Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-41r1" } ] }, { "uuid" : "314e33cb-3681-4b50-a2a2-3fae9604accd", "title" : "SP 800-45", "citation" : { "text" : "Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-45ver2" } ] }, { "uuid" : "83b9d63b-66b1-467c-9f3b-3a0b108771e9", "title" : "SP 800-46", "citation" : { "text" : "Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-46r2" } ] }, { "uuid" : "c3a76872-e160-4267-99e8-6952de967d04", "title" : "SP 800-47", "citation" : { "text" : "Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-47" } ] }, { "uuid" : "511f6832-23ca-49a3-8c0f-ce493373cab8", "title" : "SP 800-50", "citation" : { "text" : "Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-50" } ] }, { "uuid" : "7537638e-2837-407d-844b-40fb3fafdd99", "title" : "SP 800-52", "citation" : { "text" : "McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-52r2" } ] }, { "uuid" : "4e0d3c99-0f4e-496f-8951-d4f57c122fc2", "title" : "SP 800-53 RES", "citation" : { "text" : "NIST Special Publication 800-53, Revision 5 Resource Center." }, "rlinks" : [ { "href" : "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final" } ] }, { "uuid" : "a21aef46-7330-48a0-b2e1-c5bb8b2dd11d", "title" : "SP 800-53A", "citation" : { "text" : "Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-53Ar4" } ] }, { "uuid" : "46d9e201-840e-440e-987c-2c773333c752", "title" : "SP 800-53B", "citation" : { "text" : "Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-53B" } ] }, { "uuid" : "7798067b-4ed0-4adc-a505-79dad4741693", "title" : "SP 800-55", "citation" : { "text" : "Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-55r1" } ] }, { "uuid" : "20957dbb-6a1e-40a2-b38a-66f67d33ac2e", "title" : "SP 800-56A", "citation" : { "text" : "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-56Ar3" } ] }, { "uuid" : "0d083d8a-5cc6-46f1-8d79-3081d42bcb75", "title" : "SP 800-56B", "citation" : { "text" : "Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-56Br2" } ] }, { "uuid" : "eef62b16-c796-4554-955c-505824135b8a", "title" : "SP 800-56C", "citation" : { "text" : "Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-56Cr2" } ] }, { "uuid" : "110e26af-4765-49e1-8740-6750f83fcda1", "title" : "SP 800-57-1", "citation" : { "text" : "Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-57pt1r5" } ] }, { "uuid" : "e7942589-e267-4a5a-a3d9-f39a7aae81f0", "title" : "SP 800-57-2", "citation" : { "text" : "Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-57pt2r1" } ] }, { "uuid" : "8306620b-1920-4d73-8b21-12008528595f", "title" : "SP 800-57-3", "citation" : { "text" : "Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-57pt3r1" } ] }, { "uuid" : "e72fde0b-6fc2-497e-a9db-d8fce5a11b8a", "title" : "SP 800-60-1", "citation" : { "text" : "Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-60v1r1" } ] }, { "uuid" : "9be5d661-421f-41ad-854e-86f98b811891", "title" : "SP 800-60-2", "citation" : { "text" : "Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-60v2r1" } ] }, { "uuid" : "49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb", "title" : "SP 800-61", "citation" : { "text" : "Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-61r2" } ] }, { "uuid" : "737513fa-6758-403f-831d-5ddab5e23cb3", "title" : "SP 800-63-3", "citation" : { "text" : "Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-63-3" } ] }, { "uuid" : "9099ed2c-922a-493d-bcb4-d896192243ff", "title" : "SP 800-63A", "citation" : { "text" : "Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-63a" } ] }, { "uuid" : "e59c5a7c-8b1f-49ca-8de0-6ee0882180ce", "title" : "SP 800-63B", "citation" : { "text" : "Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-63b" } ] }, { "uuid" : "4895b4cd-34c5-4667-bf8a-27d443c12047", "title" : "SP 800-70", "citation" : { "text" : "Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-70r4" } ] }, { "uuid" : "858705be-3c1f-48aa-a328-0ce398d95ef0", "title" : "SP 800-73-4", "citation" : { "text" : "Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-73-4" } ] }, { "uuid" : "7af2e6ec-9f7e-4232-ad3f-09888eb0793a", "title" : "SP 800-76-2", "citation" : { "text" : "Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-76-2" } ] }, { "uuid" : "d4d7c760-2907-403b-8b2a-767ca5370ecd", "title" : "SP 800-77", "citation" : { "text" : "Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-77r1" } ] }, { "uuid" : "828856bd-d7c4-427b-8b51-815517ec382d", "title" : "SP 800-78-4", "citation" : { "text" : "Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-78-4" } ] }, { "uuid" : "10963761-58fc-4b20-b3d6-b44a54daba03", "title" : "SP 800-79-2", "citation" : { "text" : "Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-79-2" } ] }, { "uuid" : "fe209006-bfd4-4033-a79a-9fee1adaf372", "title" : "SP 800-81-2", "citation" : { "text" : "Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-81-2" } ] }, { "uuid" : "6264c85d-19f5-408a-aa44-d737daaf311e", "title" : "SP 800-82", "citation" : { "text" : "Stouffer KA, Lightman S, Pillitteri VY, Abrams M, Hahn A (2015) Guide to Industrial Control Systems (ICS) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-82, Rev. 2." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-82r2" } ] }, { "uuid" : "3dd249b0-f57d-44ba-a03e-c3eab1b835ff", "title" : "SP 800-83", "citation" : { "text" : "Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-83r1" } ] }, { "uuid" : "53be2fcf-cfd1-4bcb-896b-9a3b65c22098", "title" : "SP 800-84", "citation" : { "text" : "Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-84" } ] }, { "uuid" : "cfdb1858-c473-46b3-89f9-a700308d0be2", "title" : "SP 800-86", "citation" : { "text" : "Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-86" } ] }, { "uuid" : "a5b1d18d-e670-4586-9e6d-4a88b7ba3df6", "title" : "SP 800-88", "citation" : { "text" : "Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-88r1" } ] }, { "uuid" : "5eee45d8-3313-4fdc-8d54-1742092bbdd6", "title" : "SP 800-92", "citation" : { "text" : "Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-92" } ] }, { "uuid" : "25e3e57b-dc2f-4934-af9b-050b020c6f0e", "title" : "SP 800-94", "citation" : { "text" : "Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-94" } ] }, { "uuid" : "a6b9907a-2a14-4bb4-a142-d4c73026a8b4", "title" : "SP 800-95", "citation" : { "text" : "Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95." 
}, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-95" } ] }, { "uuid" : "03fb73bc-1b12-4182-bd96-e5719254ea61", "title" : "SP 800-97", "citation" : { "text" : "Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97." }, "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-97" } ] }, { "uuid" : "13f0c39d-eaf7-417a-baef-69a041878bb5", "title" : "USA PATRIOT", "citation" : { "text" : "USA Patriot Act (P.L. 107-56), October 2001." }, "rlinks" : [ { "href" : "https://www.congress.gov/107/plaws/publ56/PLAW-107publ56.pdf" } ] }, { "uuid" : "dd1a42a3-20c0-43ba-bbdb-6ea3624f1d38", "title" : "USC 11101", "citation" : { "text" : "\"Definitions,\" Title 40 U.S. Code, Sec. 11101. 2018 ed." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/app/details/USCODE-2018-title40/USCODE-2018-title40-subtitleIII-chap111-sec11101" } ] }, { "uuid" : "e922fc50-b1f9-469f-92ef-ed7d9803611c", "title" : "USC 2901", "citation" : { "text" : "United States Code, 2008 Edition, Title 44 - *Public Printing and Documents*, Chapters 29, 31, and 33, January 2012." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/content/pkg/USCODE-2011-title44/pdf/USCODE-2011-title44-chap29-sec2901.pdf" } ] }, { "uuid" : "82460f0b-1060-420e-9181-554e2dc921df", "title" : "USC 3502", "citation" : { "text" : "\"Definitions,\" Title 44 U.S. Code, Sec. 3502. 2011 ed." }, "rlinks" : [ { "href" : "https://www.govinfo.gov/app/details/USCODE-2011-title44/USCODE-2011-title44-chap35-subchapI-sec3502" } ] }, { "uuid" : "ef3550b5-60a0-4489-8d4e-08223a929c7a", "title" : "USC 552", "citation" : { "text" : "United States Code, 2006 Edition, Supplement 4, Title 5 - *Government Organization and Employees*, January 2011." 
}, "rlinks" : [ { "href" : "https://www.govinfo.gov/content/pkg/USCODE-2010-title5/pdf/USCODE-2010-title5-partI-chap5-subchapII-sec552a.pdf" } ] }, { "uuid" : "40b78258-c892-480e-9af8-77ac36648301", "title" : "USCERT IR", "citation" : { "text" : "Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines*, April 2017." }, "rlinks" : [ { "href" : "https://us-cert.cisa.gov/incident-notification-guidelines" } ] }, { "uuid" : "98498928-3ca3-44b3-8b1e-f48685373087", "title" : "USGCB", "citation" : { "text" : "National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at" }, "rlinks" : [ { "href" : "https://csrc.nist.gov/projects/united-states-government-configuration-baseline" } ] }, { "uuid" : "c3397cc9-83c6-4459-adb2-836739dc1b94", "title" : "NIST Special Publication 800-53, Revision 5: *Security and Privacy Controls for Information Systems and Organizations* (PDF)", "rlinks" : [ { "href" : "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf", "media-type" : "application/pdf" } ] }, { "uuid" : "f7cf488d-bc64-4a91-a994-810e153ee481", "title" : "NIST Special Publication 800-53, Revision 5: *Security and Privacy Controls for Information Systems and Organizations* (DOI link)", "rlinks" : [ { "href" : "https://doi.org/10.6028/NIST.SP.800-53r5", "media-type" : "application/pdf" } ] } ] } } }