4.1 Access Control

AC-01 POLICY AND PROCEDURES

ASSESSMENT OBJECTIVE:
Determine if:
AC-01_ODP[01] personnel or roles to whom the access control policy is to be disseminated is/are defined;
AC-01_ODP[02] personnel or roles to whom the access control procedures are to be disseminated is/are defined;
AC-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
AC-01_ODP[04] an official to manage the access control policy and procedures is defined;
AC-01_ODP[05] the frequency at which the current access control policy is reviewed and updated is defined;
AC-01_ODP[06] events that would require the current access control policy to be reviewed and updated are defined;
AC-01_ODP[07] the frequency at which the current access control procedures are reviewed and updated is defined;
AC-01_ODP[08] events that would require procedures to be reviewed and updated are defined;
AC-01a.[01] an access control policy is developed and documented;
AC-01a.[02] the access control policy is disseminated to ;
AC-01a.[03] access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
AC-01a.[04] the access control procedures are disseminated to ;
AC-01a.01(a)[01] the access control policy addresses purpose;
AC-01a.01(a)[02] the access control policy addresses scope;
AC-01a.01(a)[03] the access control policy addresses roles;
AC-01a.01(a)[04] the access control policy addresses responsibilities;
AC-01a.01(a)[05] the access control policy addresses management commitment;
AC-01a.01(a)[06] the access control policy addresses coordination among organizational entities;
AC-01a.01(a)[07] the access control policy addresses compliance;
AC-01a.01(b) the access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
AC-01b. the is designated to manage the development, documentation, and dissemination of the access control policy and procedures;
AC-01c.01[01] the current access control policy is reviewed and updated ;
AC-01c.01[02] the current access control policy is reviewed and updated following ;
AC-01c.02[01] the current access control procedures are reviewed and updated ;
AC-01c.02[02] the current access control procedures are reviewed and updated following .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-01-Examine [SELECT FROM: Access control policy and procedures; system security plan; privacy plan; other relevant documents or records].
AC-01-Interview [SELECT FROM: Organizational personnel with access control responsibilities; organizational personnel with information security and privacy responsibilities].

AC-02 ACCOUNT MANAGEMENT

ASSESSMENT OBJECTIVE:
Determine if:
AC-02_ODP[01] prerequisites and criteria for group and role membership are defined;
AC-02_ODP[02] attributes (as required) for each account are defined;
AC-02_ODP[03] personnel or roles required to approve requests to create accounts is/are defined;
AC-02_ODP[04] policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;
AC-02_ODP[05] personnel or roles to be notified is/are defined;
AC-02_ODP[06] time period within which to notify account managers when accounts are no longer required is defined;
AC-02_ODP[07] time period within which to notify account managers when users are terminated or transferred is defined;
AC-02_ODP[08] time period within which to notify account managers when system usage or the need to know changes for an individual is defined;
AC-02_ODP[09] attributes needed to authorize system access (as required) are defined;
AC-02_ODP[10] the frequency of account review is defined;
AC-02a.[01] account types allowed for use within the system are defined and documented;
AC-02a.[02] account types specifically prohibited for use within the system are defined and documented;
AC-02b. account managers are assigned;
AC-02c. for group and role membership are required;
AC-02d.01 authorized users of the system are specified;
AC-02d.02 group and role membership are specified;
AC-02d.03[01] access authorizations (i.e., privileges) are specified for each account;
AC-02d.03[02] are specified for each account;
AC-02e. approvals are required by for requests to create accounts;
AC-02f.[01] accounts are created in accordance with ;
AC-02f.[02] accounts are enabled in accordance with ;
AC-02f.[03] accounts are modified in accordance with ;
AC-02f.[04] accounts are disabled in accordance with ;
AC-02f.[05] accounts are removed in accordance with ;
AC-02g. the use of accounts is monitored;
AC-02h.01 account managers and are notified within when accounts are no longer required;
AC-02h.02 account managers and are notified within when users are terminated or transferred;
AC-02h.03 account managers and are notified within when system usage or the need to know changes for an individual;
AC-02i.01 access to the system is authorized based on a valid access authorization;
AC-02i.02 access to the system is authorized based on intended system usage;
AC-02i.03 access to the system is authorized based on ;
AC-02j. accounts are reviewed for compliance with account management requirements ;
AC-02k.[01] a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
AC-02k.[02] a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
AC-02l.[01] account management processes are aligned with personnel termination processes;
AC-02l.[02] account management processes are aligned with personnel transfer processes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02-Examine [SELECT FROM: Access control policy; personnel termination policy and procedure; personnel transfer policy and procedure; procedures for addressing account management; system design documentation; system configuration settings and associated documentation; list of active system accounts along with the name of the individual associated with each account; list of recently disabled system accounts and the name of the individual associated with each account; list of conditions for group and role membership; notifications of recent transfers, separations, or terminations of employees; access authorization records; account management compliance reviews; system monitoring records; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-02-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities].
AC-02-Test [SELECT FROM: Organizational processes for account management on the system; automated mechanisms for implementing account management].

AC-02(01) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(01)_ODP automated mechanisms used to support the management of system accounts are defined;
AC-02(01) the management of system accounts is supported using .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(01)-Examine [SELECT FROM: Access control policy; procedures for addressing account management; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-02(01)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-02(01)-Test [SELECT FROM: Automated mechanisms for implementing account management functions].

AC-02(02) ACCOUNT MANAGEMENT | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT MANAGEMENT

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(02)_ODP[01] one of the following PARAMETER VALUES is selected: {remove; disable};
AC-02(02)_ODP[02] the time period after which to automatically remove or disable temporary or emergency accounts is defined;
AC-02(02) temporary and emergency accounts are automatically after .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(02)-Examine [SELECT FROM: Access control policy; procedures for addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of temporary accounts removed and/or disabled; system-generated list of emergency accounts removed and/or disabled; system audit records; system security plan; other relevant documents or records].
AC-02(02)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-02(02)-Test [SELECT FROM: Automated mechanisms for implementing account management functions].
AC-02(03) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(03)_ODP[01] time period within which to disable accounts is defined;
AC-02(03)_ODP[02] time period for account inactivity before disabling is defined;
AC-02(03)(a) accounts are disabled within when the accounts have expired;
AC-02(03)(b) accounts are disabled within when the accounts are no longer associated with a user or individual;
AC-02(03)(c) accounts are disabled within when the accounts are in violation of organizational policy;
AC-02(03)(d) accounts are disabled within when the accounts have been inactive for .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(03)-Examine [SELECT FROM: Access control policy; procedures for addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of temporary accounts removed and/or disabled; system-generated list of emergency accounts removed and/or disabled; system audit records; system security plan; other relevant documents or records].
AC-02(03)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-02(03)-Test [SELECT FROM: Automated mechanisms for implementing account management functions].

AC-02(04) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(04)[01] account creation is automatically audited;
AC-02(04)[02] account modification is automatically audited;
AC-02(04)[03] account enabling is automatically audited;
AC-02(04)[04] account disabling is automatically audited;
AC-02(04)[05] account removal actions are automatically audited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(04)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; notifications/alerts of account creation, modification, enabling, disabling, and removal actions; system audit records; system security plan; other relevant documents or records].
AC-02(04)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-02(04)-Test [SELECT FROM: Automated mechanisms implementing account management functions].

AC-02(05) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(05)_ODP the time period of expected inactivity or description of when to log out is defined;
AC-02(05) users are required to log out when .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(05)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; security violation reports; system audit records; system security plan; other relevant documents or records].
AC-02(05)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; users that must comply with inactivity logout policy].

AC-02(06) ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(06)_ODP dynamic privilege management capabilities are defined;
AC-02(06) are implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(06)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of dynamic privilege management capabilities; system audit records; system security plan; other relevant documents or records].
AC-02(06)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-02(06)-Test [SELECT FROM: System or mechanisms implementing dynamic privilege management capabilities].

AC-02(07) ACCOUNT MANAGEMENT | PRIVILEGED USER ACCOUNTS

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(07)_ODP one of the following PARAMETER VALUES is selected: {a role-based access scheme; an attribute-based access scheme};
AC-02(07)(a) privileged user accounts are established and administered in accordance with ;
AC-02(07)(b) privileged role or attribute assignments are monitored;
AC-02(07)(c) changes to roles or attributes are monitored;
AC-02(07)(d) access is revoked when privileged role or attribute assignments are no longer appropriate.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(07)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of privileged user accounts and associated roles; records of actions taken when privileged role assignments are no longer appropriate; system audit records; audit tracking and monitoring reports; system monitoring records; system security plan; other relevant documents or records].
AC-02(07)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-02(07)-Test [SELECT FROM: Automated mechanisms implementing account management functions; automated mechanisms monitoring privileged role assignments].

AC-02(08) ACCOUNT MANAGEMENT | DYNAMIC ACCOUNT MANAGEMENT

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(08)_ODP system accounts that are dynamically created, activated, managed, and deactivated are defined;
AC-02(08)[01] are created dynamically;
AC-02(08)[02] are activated dynamically;
AC-02(08)[03] are managed dynamically;
AC-02(08)[04] are deactivated dynamically.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(08)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of system accounts; system audit records; system security plan; other relevant documents or records].
AC-02(08)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-02(08)-Test [SELECT FROM: Automated mechanisms implementing account management functions].

AC-02(09) ACCOUNT MANAGEMENT | RESTRICTIONS ON USE OF SHARED AND GROUP ACCOUNTS

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(09)_ODP conditions for establishing shared and group accounts are defined;
AC-02(09) the use of shared and group accounts is only permitted if are met.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(09)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of shared/group accounts and associated roles; system audit records; system security plan; other relevant documents or records].
AC-02(09)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-02(09)-Test [SELECT FROM: Automated mechanisms implementing management of shared/group accounts].

AC-02(10) ACCOUNT MANAGEMENT | SHARED AND GROUP ACCOUNT CREDENTIAL CHANGE
[WITHDRAWN: Incorporated into AC-2k.]

AC-02(11) ACCOUNT MANAGEMENT | USAGE CONDITIONS

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(11)_ODP[01] circumstances and/or usage conditions to be enforced for system accounts are defined;
AC-02(11)_ODP[02] system accounts subject to enforcement of circumstances and/or usage conditions are defined;
AC-02(11) for are enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(11)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of system accounts and associated assignments of usage circumstances and/or usage conditions; system audit records; system security plan; other relevant documents or records].
AC-02(11)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-02(11)-Test [SELECT FROM: Automated mechanisms implementing account management functions].

AC-02(12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING FOR ATYPICAL USAGE

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(12)_ODP[01] atypical usage for which to monitor system accounts is defined;
AC-02(12)_ODP[02] personnel or roles to report atypical usage is/are defined;
AC-02(12)(a) system accounts are monitored for ;
AC-02(12)(b) atypical usage of system accounts is reported to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(12)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system monitoring records; system audit records; audit tracking and monitoring reports; privacy impact assessment; system security plan; privacy plan; other relevant documents or records].
AC-02(12)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-02(12)-Test [SELECT FROM: Automated mechanisms implementing account management functions].

AC-02(13) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS

ASSESSMENT OBJECTIVE:
Determine if:
AC-02(13)_ODP[01] time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;
AC-02(13)_ODP[02] significant risks leading to disabling accounts are defined;
AC-02(13) accounts of individuals are disabled within of discovery of .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-02(13)-Examine [SELECT FROM: Access control policy; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system-generated list of disabled accounts; list of user activities posing significant organizational risk; system audit records; system security plan; other relevant documents or records].
AC-02(13)-Interview [SELECT FROM: Organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-02(13)-Test [SELECT FROM: Automated mechanisms implementing account management functions].
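The time-bounded disabling objectives above (AC-02(02), AC-02(03)(a), (b), (d) and AC-02(13)) all reduce to the same test an assessor can run against an account export: for every enabled account, compute the date by which it should have been disabled under the organization-defined parameters and flag it if that date has passed. The following script is an added example, not part of SP 800-53A or any NIST tooling; the ODP values, the account export format and the audit-record layout (an AC-02(04)-style record per disable action) are assumptions, and the accounts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed ODP values (placeholders standing in for the organization's own SSP values).
ODP = {
    "temp_emergency_max_age": timedelta(days=30),     # AC-02(02)_ODP[02]
    "disable_within": timedelta(hours=24),            # AC-02(03)_ODP[01]
    "inactivity_before_disable": timedelta(days=90),  # AC-02(03)_ODP[02]
    "high_risk_disable_within": timedelta(hours=1),   # AC-02(13)_ODP[01]
}


def d(*args):
    """Shorthand for a UTC timestamp in the constructed data below."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class Account:
    name: str
    kind: str                                   # "standard", "temporary", "emergency", "service"
    enabled: bool
    created: datetime
    last_activity: Optional[datetime]           # None: never used since creation
    expires: Optional[datetime] = None          # AC-02(03)(a): account expiry date
    orphaned_at: Optional[datetime] = None      # AC-02(03)(b): no individual attached since then
    risk_flagged_at: Optional[datetime] = None  # AC-02(13): significant risk discovered


@dataclass(frozen=True)
class Finding:
    account: str
    objective: str
    deadline: datetime   # the point by which the account should already have been disabled


def disable_deadlines(a, odp):
    """All (objective, deadline) pairs that apply to one enabled account."""
    out = []
    if a.kind in ("temporary", "emergency"):
        out.append(("AC-02(02)", a.created + odp["temp_emergency_max_age"]))
    if a.expires is not None:
        out.append(("AC-02(03)(a)", a.expires + odp["disable_within"]))
    if a.orphaned_at is not None:
        out.append(("AC-02(03)(b)", a.orphaned_at + odp["disable_within"]))
    last = a.last_activity or a.created   # an account never used counts as idle since creation
    out.append(("AC-02(03)(d)", last + odp["inactivity_before_disable"] + odp["disable_within"]))
    if a.risk_flagged_at is not None:
        out.append(("AC-02(13)", a.risk_flagged_at + odp["high_risk_disable_within"]))
    return out


def evaluate(accounts, now, odp=ODP):
    """Return a finding for every enabled account whose disable deadline has passed."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue   # already disabled: nothing to report
        for objective, deadline in disable_deadlines(a, odp):
            if deadline < now:
                findings.append(Finding(a.name, objective, deadline))
    return sorted(findings, key=lambda f: (f.account, f.objective))


def audit_records(findings, actor, now):
    """One AC-02(04)-style record per disable action the review would trigger (assumed layout)."""
    return [
        {"timestamp": now.isoformat(), "action": "disable", "account": f.account,
         "actor": actor, "reason": f.objective, "deadline": f.deadline.isoformat(),
         "overdue_hours": round((now - f.deadline).total_seconds() / 3600, 1)}
        for f in findings
    ]


NOW = d(2024, 6, 1)  # constructed review time
SAMPLE_ACCOUNTS = [  # constructed account export
    Account("alice", "standard", True, d(2023, 1, 1), d(2024, 5, 30)),
    Account("tmp-contractor", "temporary", True, d(2024, 4, 1), d(2024, 5, 28)),
    Account("bob", "standard", True, d(2022, 3, 1), d(2024, 1, 15)),
    Account("carol", "standard", True, d(2023, 6, 1), d(2024, 5, 31), expires=d(2024, 5, 1)),
    Account("svc-legacy", "service", True, d(2021, 1, 1), d(2024, 5, 31), orphaned_at=d(2024, 5, 1)),
    Account("dave", "standard", True, d(2023, 1, 1), d(2024, 5, 31), risk_flagged_at=d(2024, 5, 31, 20)),
    Account("erin", "standard", False, d(2020, 1, 1), d(2021, 1, 1)),
    Account("break-glass", "emergency", True, d(2024, 5, 20), None),
]


def run_review():
    """Evaluate the constructed export and return (findings, audit records)."""
    findings = evaluate(SAMPLE_ACCOUNTS, NOW)
    return findings, audit_records(findings, "account-review-job", NOW)


if __name__ == "__main__":
    for rec in run_review()[1]:
        print(rec)
```

Each finding names the objective it maps to, so the same output serves AC-02(03)-Test (are the deadlines met?) and AC-02(04)-Test (is each disable action recorded?).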
AC-03 ACCESS ENFORCEMENT

ASSESSMENT OBJECTIVE:
Determine if:
AC-03 approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of approved authorizations (user privileges); system audit records; system security plan; privacy plan; other relevant documents or records].
AC-03-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-03-Test [SELECT FROM: Automated mechanisms implementing access control policy].

AC-03(01) ACCESS ENFORCEMENT | RESTRICTED ACCESS TO PRIVILEGED FUNCTIONS
[WITHDRAWN: Incorporated into AC-06.]

AC-03(02) ACCESS ENFORCEMENT | DUAL AUTHORIZATION

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(02)_ODP privileged commands and/or other actions requiring dual authorization are defined;
AC-03(02) dual authorization is enforced for .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(02)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement and dual authorization; system design documentation; system configuration settings and associated documentation; list of privileged commands requiring dual authorization; list of actions requiring dual authorization; list of approved authorizations (user privileges); system security plan; other relevant documents or records].
AC-03(02)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-03(02)-Test [SELECT FROM: Dual authorization mechanisms implementing access control policy].

AC-03(03) ACCESS ENFORCEMENT | MANDATORY ACCESS CONTROL

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(03)_ODP[01] mandatory access control policy enforced over the set of covered subjects is defined;
AC-03(03)_ODP[02] mandatory access control policy enforced over the set of covered objects is defined;
AC-03(03)_ODP[03] subjects to be explicitly granted privileges are defined;
AC-03(03)_ODP[04] privileges to be explicitly granted to subjects are defined;
AC-03(03)[01] is enforced over the set of covered subjects specified in the policy;
AC-03(03)[02] is enforced over the set of covered objects specified in the policy;
AC-03(03)(a)[01] is uniformly enforced across the covered subjects within the system;
AC-03(03)(a)[02] is uniformly enforced across the covered objects within the system;
AC-03(03)(b)(01) and specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;
AC-03(03)(b)(02) and specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;
AC-03(03)(b)(03) and specifying that a subject that has been granted access to information is constrained from changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;
AC-03(03)(b)(04) and specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;
AC-03(03)(b)(05) and specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;
AC-03(03)(c) and specifying that may explicitly be granted such that they are not limited by any defined subset (or all) of the above constraints are enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(03)-Examine [SELECT FROM: Access control policy; mandatory access control policies; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies; system audit records; system security plan; other relevant documents or records].
AC-03(03)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-03(03)-Test [SELECT FROM: Automated mechanisms implementing mandatory access control].

AC-03(04) ACCESS ENFORCEMENT | DISCRETIONARY ACCESS CONTROL

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(04)_ODP[01] discretionary access control policy enforced over the set of covered subjects is defined;
AC-03(04)_ODP[02] discretionary access control policy enforced over the set of covered objects is defined;
AC-03(04)[01] is enforced over the set of covered subjects specified in the policy;
AC-03(04)[02] is enforced over the set of covered objects specified in the policy;
AC-03(04)(a) and are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;
AC-03(04)(b) and are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;
AC-03(04)(c) and are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;
AC-03(04)(d) and are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;
AC-03(04)(e) and are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(04)-Examine [SELECT FROM: Access control policy; discretionary access control policies; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies; system audit records; system security plan; other relevant documents or records].
AC-03(04)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-03(04)-Test [SELECT FROM: Automated mechanisms implementing discretionary access control policy].

AC-03(05) ACCESS ENFORCEMENT | SECURITY-RELEVANT INFORMATION

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(05)_ODP security-relevant information to which access is prevented except during secure, non-operable system states is defined;
AC-03(05) access to is prevented except during secure, non-operable system states.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(05)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-03(05)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-03(05)-Test [SELECT FROM: Automated mechanisms preventing access to security-relevant information within the system].

AC-03(06) ACCESS ENFORCEMENT | PROTECTION OF USER AND SYSTEM INFORMATION
[WITHDRAWN: Incorporated into MP-04, SC-28.]

AC-03(07) ACCESS ENFORCEMENT | ROLE-BASED ACCESS CONTROL

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(07)_ODP[01] roles upon which to base control of access are defined;
AC-03(07)_ODP[02] users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;
AC-03(07)[01] a role-based access control policy is enforced over defined subjects;
AC-03(07)[02] a role-based access control policy is enforced over defined objects;
AC-03(07)[03] access is controlled based on and .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(07)-Examine [SELECT FROM: Access control policy; role-based access control policies; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of roles, users, and associated privileges required to control system access; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-03(07)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-03(07)-Test [SELECT FROM: Automated mechanisms implementing role-based access control policy].

AC-03(08) ACCESS ENFORCEMENT | REVOCATION OF ACCESS AUTHORIZATIONS

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(08)_ODP rules governing the timing of revocations of access authorizations are defined;
AC-03(08)[01] revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on ;
AC-03(08)[02] revocation of access authorizations is enforced, resulting from changes to the security attributes of objects based on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(08)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; rules governing revocation of access authorizations; system audit records; system security plan; other relevant documents or records].
AC-03(08)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-03(08)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions].

AC-03(09) ACCESS ENFORCEMENT | CONTROLLED RELEASE

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(09)_ODP[01] the outside system or system component to which to release information is defined;
AC-03(09)_ODP[02] controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;
AC-03(09)_ODP[03] controls used to validate appropriateness of information to be released are defined;
AC-03(09)(a) information is released outside of the system only if the receiving provides ;
AC-03(09)(b) information is released outside of the system only if are used to validate the appropriateness of the information designated for release.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(09)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of security and privacy safeguards provided by receiving system or system components; list of security and privacy safeguards validating appropriateness of information designated for release; system audit records; results of periodic assessments (inspections/tests) of the external system; information sharing agreements; memoranda of understanding; acquisitions/contractual agreements; system security plan; privacy plan; other relevant documents or records].
AC-03(09)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements; legal counsel; system developers].
AC-03(09)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions].

AC-03(10) ACCESS ENFORCEMENT | AUDITED OVERRIDE OF ACCESS CONTROL MECHANISMS

ASSESSMENT OBJECTIVE:
Determine if:
AC-03(10)_ODP[01] conditions under which to employ an audited override of automated access control mechanisms are defined;
AC-03(10)_ODP[02] roles allowed to employ an audited override of automated access control mechanisms are defined;
AC-03(10) an audited override of automated access control mechanisms is employed under by .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(10)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; conditions for employing audited override of automated access control mechanisms; system audit records; system security plan; other relevant documents or records].
AC-03(10)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities]. AC-03(10)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions]. AC-03(11) ACCESS ENFORCEMENT | RESTRICT ACCESS TO SPECIFIC INFORMATION TYPES ASSESSMENT OBJECTIVE: Determine if: AC-03(11)_ODP information types requiring restricted access to data repositories are defined; AC-03(11) access to data repositories containing is restricted. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-03(11)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-03(11)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; organizational personnel with responsibilities for data repositories; system/network administrators; organizational personnel with information security responsibilities]. AC-03(11)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions]. AC-03(12) ACCESS ENFORCEMENT | ASSERT AND ENFORCE APPLICATION ACCESS ASSESSMENT OBJECTIVE: Determine if: AC-03(12)_ODP system applications and functions requiring access assertion are defined; AC-03(12)(a) as part of the installation process, applications are required to assert the access needed to the following system applications and functions: ; AC-03(12)(b) an enforcement mechanism to prevent unauthorized access is provided; AC-03(12)(c) access changes after initial installation of the application are approved. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(12)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-03(12)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-03(12)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions].

AC-03(13) ACCESS ENFORCEMENT | ATTRIBUTE-BASED ACCESS CONTROL
ASSESSMENT OBJECTIVE: Determine if:
AC-03(13)_ODP attributes to assume access permissions are defined;
AC-03(13)[01] the attribute-based access control policy is enforced over defined subjects;
AC-03(13)[02] the attribute-based access control policy is enforced over defined objects;
AC-03(13)[03] access is controlled based on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(13)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of attribute-based access control policies; system audit records; system security plan; other relevant documents or records].
AC-03(13)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-03(13)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions].
AC-03(14) ACCESS ENFORCEMENT | INDIVIDUAL ACCESS
ASSESSMENT OBJECTIVE: Determine if:
AC-03(14)_ODP[01] mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;
AC-03(14)_ODP[02] elements of personally identifiable information to which individuals have access are defined;
AC-03(14) are provided to enable individuals to have access to of their personally identifiable information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(14)-Examine [SELECT FROM: Access mechanisms (e.g., request forms and application interfaces); access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; documentation regarding access to an individual’s personally identifiable information; system audit records; system security plan; privacy plan; privacy impact assessment; privacy assessment findings and/or reports; other relevant documents or records].
AC-03(14)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; legal counsel].
AC-03(14)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions; mechanisms enabling individual access to personally identifiable information].
AC-03(15) ACCESS ENFORCEMENT | DISCRETIONARY AND MANDATORY ACCESS CONTROL
ASSESSMENT OBJECTIVE: Determine if:
AC-03(15)_ODP[01] a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;
AC-03(15)_ODP[02] a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;
AC-03(15)_ODP[03] a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;
AC-03(15)_ODP[04] a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;
AC-03(15)(a)[01] is enforced over the set of covered subjects specified in the policy;
AC-03(15)(a)[02] is enforced over the set of covered objects specified in the policy;
AC-03(15)(b)[01] is enforced over the set of covered subjects specified in the policy;
AC-03(15)(b)[02] is enforced over the set of covered objects specified in the policy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-03(15)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies; list of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies; system audit records; system security plan; other relevant documents or records].
AC-03(15)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-03(15)-Test [SELECT FROM: Automated mechanisms implementing mandatory and discretionary access control policy].
AC-04 INFORMATION FLOW ENFORCEMENT
ASSESSMENT OBJECTIVE: Determine if:
AC-04_ODP information flow control policies within the system and between connected systems are defined;
AC-04 approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; security architecture documentation; privacy architecture documentation; system design documentation; system configuration settings and associated documentation; system baseline configuration; list of information flow authorizations; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy architecture development responsibilities; organizational personnel with information security and privacy responsibilities; system developers].
AC-04-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].
AC-04(01) INFORMATION FLOW ENFORCEMENT | OBJECT SECURITY AND PRIVACY ATTRIBUTES
ASSESSMENT OBJECTIVE: Determine if:
AC-04(01)_ODP[01] security attributes to be associated with information, source, and destination objects are defined;
AC-04(01)_ODP[02] privacy attributes to be associated with information, source, and destination objects are defined;
AC-04(01)_ODP[03] information objects to be associated with information security attributes are defined;
AC-04(01)_ODP[04] information objects to be associated with privacy attributes are defined;
AC-04(01)_ODP[05] source objects to be associated with information security attributes are defined;
AC-04(01)_ODP[06] source objects to be associated with privacy attributes are defined;
AC-04(01)_ODP[07] destination objects to be associated with information security attributes are defined;
AC-04(01)_ODP[08] destination objects to be associated with privacy attributes are defined;
AC-04(01)_ODP[09] information flow control policies as a basis for enforcement of flow control decisions are defined;
AC-04(01)[01] associated with , , and are used to enforce as a basis for flow control decisions;
AC-04(01)[02] associated with , , and are used to enforce as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(01)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security and privacy attributes and associated source and destination objects; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with privacy responsibilities; system developers].
AC-04(01)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(02) INFORMATION FLOW ENFORCEMENT | PROCESSING DOMAINS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(02)_ODP information flow control policies to be enforced by use of protected processing domains are defined;
AC-04(02) protected processing domains are used to enforce as a basis for flow control decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(02)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system security architecture and associated documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-04(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
AC-04(02)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(03) INFORMATION FLOW ENFORCEMENT | DYNAMIC INFORMATION FLOW CONTROL
ASSESSMENT OBJECTIVE: Determine if:
AC-04(03)_ODP information flow control policies to be enforced are defined;
AC-04(03) are enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(03)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system security architecture and associated documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-04(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(03)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].
AC-04(04) INFORMATION FLOW ENFORCEMENT | FLOW CONTROL OF ENCRYPTED INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
AC-04(04)_ODP[01] information flow control mechanisms that encrypted information is prevented from bypassing are defined;
AC-04(04)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; };
AC-04(04)_ODP[03] the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);
AC-04(04) encrypted information is prevented from bypassing by .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(04)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-04(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(04)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(05) INFORMATION FLOW ENFORCEMENT | EMBEDDED DATA TYPES
ASSESSMENT OBJECTIVE: Determine if:
AC-04(05)_ODP limitations on embedding data types within other data types are defined;
AC-04(05) are enforced on embedding data types within other data types.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(05)-Examine [SELECT FROM: Access control policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of limitations to be enforced on embedding data types within other data types; system audit records; system security plan; other relevant documents or records].
AC-04(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(05)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(06) INFORMATION FLOW ENFORCEMENT | METADATA
ASSESSMENT OBJECTIVE: Determine if:
AC-04(06)_ODP metadata on which to base enforcement of information flow control is defined;
AC-04(06) information flow control enforcement is based on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(06)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; types of metadata used to enforce information flow control decisions; system audit records; system security plan; other relevant documents or records].
AC-04(06)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(06)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(07) INFORMATION FLOW ENFORCEMENT | ONE-WAY FLOW MECHANISMS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(07) one-way information flows are enforced through hardware-based flow control mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(07)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system hardware mechanisms and associated configurations; system audit records; system security plan; other relevant documents or records].
AC-04(07)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(07)-Test [SELECT FROM: Hardware mechanisms implementing information flow enforcement policy].

AC-04(08) INFORMATION FLOW ENFORCEMENT | SECURITY AND PRIVACY POLICY FILTERS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(08)_ODP[01] security policy filters to be used as a basis for enforcing information flow control are defined;
AC-04(08)_ODP[02] privacy policy filters to be used as a basis for enforcing information flow control are defined;
AC-04(08)_ODP[03] information flows for which information flow control is enforced by security filters are defined;
AC-04(08)_ODP[04] information flows for which information flow control is enforced by privacy filters are defined;
AC-04(08)_ODP[05] one or more of the following PARAMETER VALUES is/are selected: {block; strip; modify; quarantine};
AC-04(08)_ODP[06] security policy identifying actions to be taken after a filter processing failure is defined;
AC-04(08)_ODP[07] privacy policy identifying actions to be taken after a filter processing failure is defined;
AC-04(08)(a)[01] information flow control is enforced using as a basis for flow control decisions for ;
AC-04(08)(a)[02] information flow control is enforced using as a basis for flow control decisions for ;
AC-04(08)(b) data after a filter processing failure in accordance with ; data after a filter processing failure in accordance with .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(08)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security policy filters regulating flow control decisions; list of privacy policy filters regulating flow control decisions; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(08)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-04(08)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy; security and privacy policy filters].

AC-04(09) INFORMATION FLOW ENFORCEMENT | HUMAN REVIEWS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(09)_ODP[01] information flows requiring the use of human reviews are defined;
AC-04(09)_ODP[02] conditions under which the use of human reviews for information flows are to be enforced are defined;
AC-04(09) human reviews are used for under .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(09)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; records of human reviews regarding information flows; list of information flows requiring the use of human reviews; list of conditions requiring human reviews for information flows; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(09)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel with information flow enforcement responsibilities; system developers].
AC-04(09)-Test [SELECT FROM: Automated mechanisms enforcing the use of human reviews].
AC-04(10) INFORMATION FLOW ENFORCEMENT | ENABLE AND DISABLE SECURITY OR PRIVACY POLICY FILTERS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(10)_ODP[01] security policy filters that privileged administrators have the capability to enable and disable are defined;
AC-04(10)_ODP[02] privacy policy filters that privileged administrators have the capability to enable and disable are defined;
AC-04(10)_ODP[03] conditions under which privileged administrators have the capability to enable and disable security policy filters are defined;
AC-04(10)_ODP[04] conditions under which privileged administrators have the capability to enable and disable privacy policy filters are defined;
AC-04(10)[01] capability is provided for privileged administrators to enable and disable under ;
AC-04(10)[02] capability is provided for privileged administrators to enable and disable under .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(10)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security policy filters enabled/disabled by privileged administrators; list of privacy policy filters enabled/disabled by privileged administrators; list of approved data types for enabling/disabling by privileged administrators; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(10)-Interview [SELECT FROM: Organizational personnel with responsibilities for enabling/disabling security and privacy policy filters; system/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-04(10)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy; security and privacy policy filters].
AC-04(11) INFORMATION FLOW ENFORCEMENT | CONFIGURATION OF SECURITY OR PRIVACY POLICY FILTERS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(11)_ODP[01] security policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;
AC-04(11)_ODP[02] privacy policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;
AC-04(11)[01] capability is provided for privileged administrators to configure to support different security or privacy policies;
AC-04(11)[02] capability is provided for privileged administrators to configure to support different security or privacy policies.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(11)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security policy filters; list of privacy policy filters; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(11)-Interview [SELECT FROM: Organizational personnel with responsibilities for configuring security and privacy policy filters; system/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-04(11)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy; security and privacy policy filters].

AC-04(12) INFORMATION FLOW ENFORCEMENT | DATA TYPE IDENTIFIERS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(12)_ODP data type identifiers to be used to validate data essential for information flow decisions are defined;
AC-04(12) when transferring information between different security domains, are used to validate data essential for information flow decisions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(12)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of data type identifiers; system audit records; system security plan; other relevant documents or records].
AC-04(12)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(12)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(13) INFORMATION FLOW ENFORCEMENT | DECOMPOSITION INTO POLICY-RELEVANT SUBCOMPONENTS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(13)_ODP policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined;
AC-04(13) when transferring information between different security domains, information is decomposed into for submission to policy enforcement mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(13)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-04(13)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(13)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].
AC-04(14) INFORMATION FLOW ENFORCEMENT | SECURITY OR PRIVACY POLICY FILTER CONSTRAINTS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(14)_ODP[01] security policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;
AC-04(14)_ODP[02] privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;
AC-04(14)[01] when transferring information between different security domains, implemented require fully enumerated formats that restrict data structure and content;
AC-04(14)[02] when transferring information between different security domains, implemented require fully enumerated formats that restrict data structure and content.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(14)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security and privacy policy filters; list of data structure policy filters; list of data content policy filters; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(14)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-04(14)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy; security and privacy policy filters].
AC-04(15) INFORMATION FLOW ENFORCEMENT | DETECTION OF UNSANCTIONED INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
AC-04(15)_ODP[01] unsanctioned information to be detected is defined;
AC-04(15)_ODP[02] security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined;
AC-04(15)_ODP[03] privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined;
AC-04(15)[01] when transferring information between different security domains, information is examined for the presence of ;
AC-04(15)[02] when transferring information between different security domains, transfer of is prohibited in accordance with the ;
AC-04(15)[03] when transferring information between different security domains, transfer of is prohibited in accordance with the .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(15)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of unsanctioned information types and associated information; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(15)-Interview [SELECT FROM: Organizational personnel with information security responsibilities; organizational personnel with privacy responsibilities; system developers].
AC-04(15)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(16) INFORMATION FLOW ENFORCEMENT | INFORMATION TRANSFERS ON INTERCONNECTED SYSTEMS
[WITHDRAWN: Incorporated into AC-04.]
AC-04(17) INFORMATION FLOW ENFORCEMENT | DOMAIN AUTHENTICATION
ASSESSMENT OBJECTIVE: Determine if:
AC-04(17)_ODP one or more of the following PARAMETER VALUES is/are selected: {organization, system, application, service, individual};
AC-04(17) source and destination points are uniquely identified and authenticated by for information transfer.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(17)-Examine [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; procedures addressing source and destination domain identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of system labels; system security plan; privacy plan; other relevant documents or records].
AC-04(17)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-04(17)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement policy].

AC-04(18) INFORMATION FLOW ENFORCEMENT | SECURITY ATTRIBUTE BINDING
[WITHDRAWN: Incorporated into AC-16.]

AC-04(19) INFORMATION FLOW ENFORCEMENT | VALIDATION OF METADATA
ASSESSMENT OBJECTIVE: Determine if:
AC-04(19)_ODP[01] security policy filters to be implemented on metadata are defined;
AC-04(19)_ODP[02] privacy policy filters to be implemented on metadata are defined;
AC-04(19)[01] when transferring information between different security domains, are implemented on metadata;
AC-04(19)[02] when transferring information between different security domains, are implemented on metadata.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(19)-Examine [SELECT FROM: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of security policy filtering criteria applied to metadata and data payloads; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-04(19)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; organizational personnel with privacy responsibilities; system developers].
AC-04(19)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions; security and privacy policy filters].

AC-04(20) INFORMATION FLOW ENFORCEMENT | APPROVED SOLUTIONS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(20)_ODP[01] solutions in approved configurations to control the flow of information across security domains are defined;
AC-04(20)_ODP[02] information to be controlled when it flows across security domains is defined;
AC-04(20) are employed to control the flow of across security domains.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(20)-Examine [SELECT FROM: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of solutions in approved configurations; approved configuration baselines; system audit records; system security plan; other relevant documents or records].
AC-04(20)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-04(20)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].

AC-04(21) INFORMATION FLOW ENFORCEMENT | PHYSICAL OR LOGICAL SEPARATION OF INFORMATION FLOWS
ASSESSMENT OBJECTIVE: Determine if:
AC-04(21)_ODP[01] mechanisms and/or techniques used to logically separate information flows are defined;
AC-04(21)_ODP[02] mechanisms and/or techniques used to physically separate information flows are defined;
AC-04(21)_ODP[03] required separations by types of information are defined;
AC-04(21)[01] information flows are separated logically using to accomplish ;
AC-04(21)[02] information flows are separated physically using to accomplish .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(21)-Examine [SELECT FROM: Information flow enforcement policy; information flow control policies; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; list of required separation of information flows by information types; list of mechanisms and/or techniques used to logically or physically separate information flows; system audit records; system security plan; other relevant documents or records].
AC-04(21)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers].
AC-04(21)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].

AC-04(22) INFORMATION FLOW ENFORCEMENT | ACCESS ONLY
ASSESSMENT OBJECTIVE: Determine if:
AC-04(22) access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(22)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-04(22)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-04(22)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].

AC-04(23) INFORMATION FLOW ENFORCEMENT | MODIFY NON-RELEASABLE INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
AC-04(23)_ODP modification action implemented on non-releasable information is defined;
AC-04(23) when transferring information between security domains, non-releasable information is modified by implementing .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-04(23)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-04(23)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
AC-04(23)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].
AC-04(24) INFORMATION FLOW ENFORCEMENT | INTERNAL NORMALIZED FORMAT
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(24)[01] when transferring information between different security domains, incoming data is parsed into an internal, normalized format;
  AC-04(24)[02] when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(24)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(24)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(24)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].

AC-04(25) INFORMATION FLOW ENFORCEMENT | DATA SANITIZATION
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(25)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data; spillage of sensitive information};
  AC-04(25)_ODP[02] policy for sanitizing data is defined;
  AC-04(25) when transferring information between different security domains, data is sanitized to minimize in accordance with .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(25)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(25)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(25)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].

AC-04(26) INFORMATION FLOW ENFORCEMENT | AUDIT FILTERING ACTIONS
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(26)[01] when transferring information between different security domains, content-filtering actions are recorded and audited;
  AC-04(26)[02] when transferring information between different security domains, results for the information being filtered are recorded and audited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(26)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(26)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(26)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions; mechanisms implementing content filtering; mechanisms recording and auditing content filtering].

AC-04(27) INFORMATION FLOW ENFORCEMENT | REDUNDANT/INDEPENDENT FILTERING MECHANISMS
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(27) when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(27)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(27)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(27)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].

AC-04(28) INFORMATION FLOW ENFORCEMENT | LINEAR FILTER PIPELINES
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(28) when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(28)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(28)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(28)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions; mechanisms implementing linear content filters].
AC-04(29) INFORMATION FLOW ENFORCEMENT | FILTER ORCHESTRATION ENGINES
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(29)_ODP policy for content-filtering actions is defined;
  AC-04(29)(a) when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;
  AC-04(29)(b)[01] when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;
  AC-04(29)(b)[02] when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(29)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(29)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(29)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions; mechanisms implementing content filter orchestration engines].

AC-04(30) INFORMATION FLOW ENFORCEMENT | FILTER MECHANISMS USING MULTIPLE PROCESSES
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(30) when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(30)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(30)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(30)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions; mechanisms implementing content filtering].

AC-04(31) INFORMATION FLOW ENFORCEMENT | FAILED CONTENT TRANSFER PREVENTION
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(31) when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(31)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(31)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(31)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions].

AC-04(32) INFORMATION FLOW ENFORCEMENT | PROCESS REQUIREMENTS FOR INFORMATION TRANSFER
ASSESSMENT OBJECTIVE: Determine if:
  AC-04(32)(a) when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;
  AC-04(32)(b) when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;
  AC-04(32)(c) when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;
  AC-04(32)(d) when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-04(32)-Examine [SELECT FROM: Information flow enforcement policy; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-04(32)-Interview [SELECT FROM: Organizational personnel with information flow enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities].
  AC-04(32)-Test [SELECT FROM: Automated mechanisms implementing information flow enforcement functions; mechanisms implementing content filtering].

AC-05 SEPARATION OF DUTIES
ASSESSMENT OBJECTIVE: Determine if:
  AC-05_ODP duties of individuals requiring separation are defined;
  AC-05a. are identified and documented;
  AC-05b. system access authorizations to support separation of duties are defined.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-05-Examine [SELECT FROM: Access control policy; procedures addressing divisions of responsibility and separation of duties; system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; system access authorizations; system audit records; system security plan; other relevant documents or records].
  AC-05-Interview [SELECT FROM: Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties; organizational personnel with information security responsibilities; system/network administrators].
  AC-05-Test [SELECT FROM: Automated mechanisms implementing separation of duties policy].

AC-06 LEAST PRIVILEGE
ASSESSMENT OBJECTIVE: Determine if:
  AC-06 the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-06-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators].
  AC-06-Test [SELECT FROM: Automated mechanisms implementing least privilege functions].

AC-06(01) LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(01)_ODP[01] individuals and roles with authorized access to security functions and security-relevant information are defined;
  AC-06(01)_ODP[02] security functions (deployed in hardware) for authorized access are defined;
  AC-06(01)_ODP[03] security functions (deployed in software) for authorized access are defined;
  AC-06(01)_ODP[04] security functions (deployed in firmware) for authorized access are defined;
  AC-06(01)_ODP[05] security-relevant information for authorized access is defined;
  AC-06(01)(a)[01] access is authorized for to ;
  AC-06(01)(a)[02] access is authorized for to ;
  AC-06(01)(a)[03] access is authorized for to ;
  AC-06(01)(b) access is authorized for to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(01)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-06(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators].
  AC-06(01)-Test [SELECT FROM: Automated mechanisms implementing least privilege functions].

AC-06(02) LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(02)_ODP security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;
  AC-06(02) users of system accounts (or roles) with access to are required to use non-privileged accounts or roles when accessing non-security functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(02)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated security functions or security-relevant information assigned to system accounts or roles; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-06(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators].
  AC-06(02)-Test [SELECT FROM: Automated mechanisms implementing least privilege functions].

AC-06(03) LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(03)_ODP[01] privileged commands to which network access is to be authorized only for compelling operational needs are defined;
  AC-06(03)_ODP[02] compelling operational needs necessitating network access to privileged commands are defined;
  AC-06(03)[01] network access to is authorized only for ;
  AC-06(03)[02] the rationale for authorizing network access to privileged commands is documented in the security plan for the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(03)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; system configuration settings and associated documentation; system audit records; list of operational needs for authorizing network access to privileged commands; system security plan; other relevant documents or records].
  AC-06(03)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities].
  AC-06(03)-Test [SELECT FROM: Automated mechanisms implementing least privilege functions].

AC-06(04) LEAST PRIVILEGE | SEPARATE PROCESSING DOMAINS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(04) separate processing domains are provided to enable finer-grain allocation of user privileges.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(04)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-06(04)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system developers].
  AC-06(04)-Test [SELECT FROM: Automated mechanisms implementing least privilege functions].

AC-06(05) LEAST PRIVILEGE | PRIVILEGED ACCOUNTS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(05)_ODP personnel or roles to which privileged accounts on the system are to be restricted is/are defined;
  AC-06(05) privileged accounts on the system are restricted to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(05)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated privileged accounts; list of system administration personnel; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-06(05)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators].
  AC-06(05)-Test [SELECT FROM: Automated mechanisms implementing least privilege functions].

AC-06(06) LEAST PRIVILEGE | PRIVILEGED ACCESS BY NON-ORGANIZATIONAL USERS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(06) privileged access to the system by non-organizational users is prohibited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(06)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated privileged accounts; list of non-organizational users; system configuration settings and associated documentation; audit records; system security plan; other relevant documents or records].
  AC-06(06)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators].
  AC-06(06)-Test [SELECT FROM: Automated mechanisms prohibiting privileged access to the system].

AC-06(07) LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(07)_ODP[01] the frequency at which to review the privileges assigned to roles or classes of users is defined;
  AC-06(07)_ODP[02] roles or classes of users to which privileges are assigned are defined;
  AC-06(07)(a) privileges assigned to are reviewed to validate the need for such privileges;
  AC-06(07)(b) privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(07)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; list of system-generated roles or classes of users and assigned privileges; system design documentation; system configuration settings and associated documentation; validation reviews of privileges assigned to roles or classes of users; records of privilege removals or reassignments for roles or classes of users; system audit records; system security plan; other relevant documents or records].
  AC-06(07)-Interview [SELECT FROM: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators].
  AC-06(07)-Test [SELECT FROM: Automated mechanisms implementing review of user privileges].

AC-06(08) LEAST PRIVILEGE | PRIVILEGE LEVELS FOR CODE EXECUTION
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(08)_ODP software to be prevented from executing at higher privilege levels than users executing the software is defined;
  AC-06(08) is prevented from executing at higher privilege levels than users executing the software.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(08)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; list of software that should not execute at higher privilege levels than users executing software; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
  AC-06(08)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators; system developers].
  AC-06(08)-Test [SELECT FROM: Automated mechanisms implementing least privilege functions for software execution].

AC-06(09) LEAST PRIVILEGE | LOG USE OF PRIVILEGED FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(09) the execution of privileged functions is logged.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(09)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; system design documentation; system configuration settings and associated documentation; list of privileged functions to be audited; list of audited events; system audit records; system security plan; other relevant documents or records].
  AC-06(09)-Interview [SELECT FROM: Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system/network administrators; system developers].
  AC-06(09)-Test [SELECT FROM: Automated mechanisms auditing the execution of least privilege functions].

AC-06(10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
  AC-06(10) non-privileged users are prevented from executing privileged functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
  AC-06(10)-Examine [SELECT FROM: Access control policy; procedures addressing least privilege; system design documentation; system configuration settings and associated documentation; list of privileged functions and associated user account assignments; system audit records; system security plan; other relevant documents or records].
  AC-06(10)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; organizational personnel with information security responsibilities; system developers].
  AC-06(10)-Test [SELECT FROM: Automated mechanisms implementing least privilege functions for non-privileged users].

AC-07 UNSUCCESSFUL LOGON ATTEMPTS
ASSESSMENT OBJECTIVE: Determine if:
  AC-07_ODP[01] the number of consecutive invalid logon attempts by a user allowed during a time period is defined;
  AC-07_ODP[02] the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;
  AC-07_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {lock the account or node for an; lock the account or node until released by an administrator; delay next logon prompt per; notify system administrator; take other};
  AC-07_ODP[04] time period for an account or node to be locked is defined (if selected);
  AC-07_ODP[05] delay algorithm for the next logon prompt is defined (if selected);
  AC-07_ODP[06] other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);
  AC-07a. a limit of consecutive invalid logon attempts by a user during a is enforced;
  AC-07b. automatically when the maximum number of unsuccessful attempts is exceeded.
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-07-Examine [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-07-Interview [SELECT FROM: Organizational personnel with information security responsibilities; system developers; system/network administrators]. AC-07-Test [SELECT FROM: Automated mechanisms implementing access control policy for unsuccessful logon attempts]. AC-07(01) UNSUCCESSFUL LOGON ATTEMPTS | AUTOMATIC ACCOUNT LOCK [WITHDRAWN: Incorporated into AC-07.] AC-07(02) UNSUCCESSFUL LOGON ATTEMPTS | PURGE OR WIPE MOBILE DEVICE ASSESSMENT OBJECTIVE: Determine if: AC-07(02)_ODP[01] mobile devices to be purged or wiped of information are defined; AC-07(02)_ODP[02] purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined; AC-07(02)_ODP[03] the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined; AC-07(02) information is purged or wiped from based on after consecutive, unsuccessful device logon attempts. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-07(02)-Examine [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts on mobile devices; system design documentation; system configuration settings and associated documentation; list of mobile devices to be purged/wiped after organization-defined consecutive, unsuccessful device logon attempts; list of purging/wiping requirements or techniques for mobile devices; system audit records; system security plan; other relevant documents or records]. AC-07(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. 
AC-07(02)-Test [SELECT FROM: Automated mechanisms implementing access control policy for unsuccessful device logon attempts]. AC-07(03) UNSUCCESSFUL LOGON ATTEMPTS | BIOMETRIC ATTEMPT LIMITING ASSESSMENT OBJECTIVE: Determine if: AC-07(03)_ODP the number of unsuccessful biometric logon attempts is defined; AC-07(03) unsuccessful biometric logon attempts are limited to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-07(03)-Examine [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts on biometric devices; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-07(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. AC-07(03)-Test [SELECT FROM: Automated mechanisms implementing access control policy for unsuccessful logon attempts]. AC-07(04) UNSUCCESSFUL LOGON ATTEMPTS | USE OF ALTERNATE AUTHENTICATION FACTOR ASSESSMENT OBJECTIVE: Determine if: AC-07(04)_ODP[01] authentication factors allowed to be used that are different from the primary authentication factors are defined; AC-07(04)_ODP[02] the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit by a user is defined; AC-07(04)_ODP[03] time period during which a user can attempt logons through alternative factors is defined; AC-07(04)(a) that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded; AC-07(04)(b) a limit of consecutive invalid logon attempts through the use of the alternative factors by the user during a is enforced. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-07(04)-Examine [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts for primary and alternate authentication factors; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-07(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. AC-07(04)-Test [SELECT FROM: Automated mechanisms implementing access control policy for unsuccessful logon attempts]. AC-08 SYSTEM USE NOTIFICATION ASSESSMENT OBJECTIVE: Determine if: AC-08_ODP[01] system use notification message or banner to be displayed by the system to users before granting access to the system is defined; AC-08_ODP[02] conditions for system use to be displayed by the system before granting further access are defined; AC-08a. is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; AC-08a.01 the system use notification states that users are accessing a U.S. Government system; AC-08a.02 the system use notification states that system usage may be monitored, recorded, and subject to audit; AC-08a.03 the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and AC-08a.04 the system use notification states that use of the system indicates consent to monitoring and recording; AC-08b. 
the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; AC-08c.01 for publicly accessible systems, system use information is displayed before granting further access to the publicly accessible system; AC-08c.02 for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed; AC-08c.03 for publicly accessible systems, a description of the authorized uses of the system is included. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-08-Examine [SELECT FROM: Access control policy; privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit records; user acknowledgements of notification message or banner; system design documentation; system configuration settings and associated documentation; system use notification messages; system security plan; privacy plan; privacy impact assessment; privacy assessment report; other relevant documents or records]. AC-08-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; legal counsel; system developers]. AC-08-Test [SELECT FROM: Automated mechanisms implementing system use notification]. AC-09 PREVIOUS LOGON NOTIFICATION ASSESSMENT OBJECTIVE: Determine if: AC-09 the user is notified, upon successful logon to the system, of the date and time of the last logon. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-09-Examine [SELECT FROM: Access control policy; procedures addressing previous logon notification; system design documentation; system configuration settings and associated documentation; system notification messages; system security plan; other relevant documents or records]. 
AC-09-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-09-Test [SELECT FROM: Automated mechanisms implementing access control policy for previous logon notification].

AC-09(01) PREVIOUS LOGON NOTIFICATION | UNSUCCESSFUL LOGONS
ASSESSMENT OBJECTIVE: Determine if:
AC-09(01) the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-09(01)-Examine [SELECT FROM: Access control policy; procedures addressing previous logon notification; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-09(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-09(01)-Test [SELECT FROM: Automated mechanisms implementing access control policy for previous logon notification].

AC-09(02) PREVIOUS LOGON NOTIFICATION | SUCCESSFUL AND UNSUCCESSFUL LOGONS
ASSESSMENT OBJECTIVE: Determine if:
AC-09(02)_ODP[01] one of the following PARAMETER VALUES is selected: {successful logons; unsuccessful logon attempts; both};
AC-09(02)_ODP[02] the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempts, or both is defined;
AC-09(02) the user is notified, upon successful logon, of the number of during .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-09(02)-Examine [SELECT FROM: Access control policy; procedures addressing previous logon notification; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-09(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-09(02)-Test [SELECT FROM: Automated mechanisms implementing access control policy for previous logon notification].

AC-09(03) PREVIOUS LOGON NOTIFICATION | NOTIFICATION OF ACCOUNT CHANGES
ASSESSMENT OBJECTIVE: Determine if:
AC-09(03)_ODP[01] changes to security-related characteristics or parameters of the user’s account that require notification are defined;
AC-09(03)_ODP[02] the time period for which the system notifies the user of changes to security-related characteristics or parameters of the user’s account is defined;
AC-09(03) the user is notified, upon successful logon, of changes to during .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-09(03)-Examine [SELECT FROM: Access control policy; procedures addressing previous logon notification; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-09(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-09(03)-Test [SELECT FROM: Automated mechanisms implementing access control policy for previous logon notification].

AC-09(04) PREVIOUS LOGON NOTIFICATION | ADDITIONAL LOGON INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
AC-09(04)_ODP additional information about which to notify the user is defined;
AC-09(04) the user is notified, upon successful logon, of .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-09(04)-Examine [SELECT FROM: Access control policy; procedures addressing previous logon notification; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-09(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-09(04)-Test [SELECT FROM: Automated mechanisms implementing access control policy for previous logon notification].

AC-10 CONCURRENT SESSION CONTROL
ASSESSMENT OBJECTIVE: Determine if:
AC-10_ODP[01] accounts and/or account types for which to limit the number of concurrent sessions is defined;
AC-10_ODP[02] the number of concurrent sessions to be allowed for each account and/or account type is defined;
AC-10 the number of concurrent sessions for each is limited to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-10-Examine [SELECT FROM: Access control policy; procedures addressing concurrent session control; system design documentation; system configuration settings and associated documentation; security plan; system security plan; other relevant documents or records].
AC-10-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-10-Test [SELECT FROM: Automated mechanisms implementing access control policy for concurrent session control].

AC-11 DEVICE LOCK
ASSESSMENT OBJECTIVE: Determine if:
AC-11_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {initiating a device lock after of inactivity; requiring the user to initiate a device lock before leaving the system unattended};
AC-11_ODP[02] time period of inactivity after which a device lock is initiated is defined (if selected);
AC-11a. further access to the system is prevented by ;
AC-11b. device lock is retained until the user re-establishes access using established identification and authentication procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-11-Examine [SELECT FROM: Access control policy; procedures addressing session lock; procedures addressing identification and authentication; system design documentation; system configuration settings and associated documentation; security plan; system security plan; other relevant documents or records].
AC-11-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-11-Test [SELECT FROM: Automated mechanisms implementing access control policy for session lock].

AC-11(01) DEVICE LOCK | PATTERN-HIDING DISPLAYS
ASSESSMENT OBJECTIVE: Determine if:
AC-11(01) information previously visible on the display is concealed, via device lock, with a publicly viewable image.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-11(01)-Examine [SELECT FROM: Access control policy; procedures addressing session lock; display screen with session lock activated; system design documentation; system configuration settings and associated documentation; system security plan; other relevant documents or records].
AC-11(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-11(01)-Test [SELECT FROM: System session lock mechanisms].

AC-12 SESSION TERMINATION
ASSESSMENT OBJECTIVE: Determine if:
AC-12_ODP conditions or trigger events requiring session disconnect are defined;
AC-12 a user session is automatically terminated after .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-12-Examine [SELECT FROM: Access control policy; procedures addressing session termination; system design documentation; system configuration settings and associated documentation; list of conditions or trigger events requiring session disconnect; system audit records; system security plan; other relevant documents or records].
AC-12-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-12-Test [SELECT FROM: Automated mechanisms implementing user session termination].

AC-12(01) SESSION TERMINATION | USER-INITIATED LOGOUTS
ASSESSMENT OBJECTIVE: Determine if:
AC-12(01)_ODP information resources for which a logout capability for user-initiated communications sessions is required are defined;
AC-12(01) a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-12(01)-Examine [SELECT FROM: Access control policy; procedures addressing session termination; user logout messages; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-12(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-12(01)-Test [SELECT FROM: System session termination mechanisms; logout capabilities for user-initiated communications sessions].

AC-12(02) SESSION TERMINATION | TERMINATION MESSAGE
ASSESSMENT OBJECTIVE: Determine if:
AC-12(02) an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-12(02)-Examine [SELECT FROM: Access control policy; procedures addressing session termination; user logout messages; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-12(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-12(02)-Test [SELECT FROM: System session termination mechanisms; display of logout messages].

AC-12(03) SESSION TERMINATION | TIMEOUT WARNING MESSAGE
ASSESSMENT OBJECTIVE: Determine if:
AC-12(03)_ODP time until the end of session for display to users is defined;
AC-12(03) an explicit message to users is displayed indicating that the session will end in .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-12(03)-Examine [SELECT FROM: Access control policy; procedures addressing session termination; time until end of session messages; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
AC-12(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-12(03)-Test [SELECT FROM: System session termination mechanisms; display of end of session time].

AC-13 SUPERVISION AND REVIEW — ACCESS CONTROL
[WITHDRAWN: Incorporated into AC-02, AU-06.]

AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
ASSESSMENT OBJECTIVE: Determine if:
AC-14_ODP user actions that can be performed on the system without identification or authentication are defined;
AC-14a. that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;
AC-14b.[01] user actions not requiring identification or authentication are documented in the security plan for the system;
AC-14b.[02] a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-14-Examine [SELECT FROM: Access control policy; procedures addressing permitted actions without identification or authentication; system configuration settings and associated documentation; security plan; list of user actions that can be performed without identification or authentication; system audit records; system security plan; other relevant documents or records].
AC-14-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].

AC-14(01) PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION | NECESSARY USES
[WITHDRAWN: Incorporated into AC-14.]

AC-15 AUTOMATED MARKING
[WITHDRAWN: Incorporated into MP-03.]

AC-16 SECURITY AND PRIVACY ATTRIBUTES
ASSESSMENT OBJECTIVE: Determine if:
AC-16_ODP[01] types of security attributes to be associated with information security attribute values for information in storage, in process, and/or in transmission are defined;
AC-16_ODP[02] types of privacy attributes to be associated with privacy attribute values for information in storage, in process, and/or in transmission are defined;
AC-16_ODP[03] security attribute values for types of security attributes are defined;
AC-16_ODP[04] privacy attribute values for types of privacy attributes are defined;
AC-16_ODP[05] systems for which permitted security attributes are to be established are defined;
AC-16_ODP[06] systems for which permitted privacy attributes are to be established are defined;
AC-16_ODP[07] security attributes defined as part of AC-16a that are permitted for systems are defined;
AC-16_ODP[08] privacy attributes defined as part of AC-16a that are permitted for systems are defined;
AC-16_ODP[09] attribute values or ranges for established attributes are defined;
AC-16_ODP[10] the frequency at which to review security attributes for applicability is defined;
AC-16_ODP[11] the frequency at which to review privacy attributes for applicability is defined;
AC-16a.[01] the means to associate with for information in storage, in process, and/or in transmission are provided;
AC-16a.[02] the means to associate with for information in storage, in process, and/or in transmission are provided;
AC-16b.[01] attribute associations are made;
AC-16b.[02] attribute associations are retained with the information;
AC-16c.[01] the following permitted security attributes are established from the attributes defined in AC-16a. for : ;
AC-16c.[02] the following permitted privacy attributes are established from the attributes defined in AC-16a. for : ;
AC-16d. the following permitted attribute values or ranges for each of the established attributes are determined: ;
AC-16e. changes to attributes are audited;
AC-16f.[01] are reviewed for applicability ;
AC-16f.[02] are reviewed for applicability .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16-Examine [SELECT FROM: Access control policy; procedures addressing the association of security and privacy attributes to information in storage, in process, and in transmission; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-16-Test [SELECT FROM: Organizational capability supporting and maintaining the association of security and privacy attributes to information in storage, in process, and in transmission].
AC-16(01) SECURITY AND PRIVACY ATTRIBUTES | DYNAMIC ATTRIBUTE ASSOCIATION
ASSESSMENT OBJECTIVE: Determine if:
AC-16(01)_ODP[01] subjects with which security attributes are to be dynamically associated as information is created and combined are defined;
AC-16(01)_ODP[02] objects with which security attributes are to be dynamically associated as information is created and combined are defined;
AC-16(01)_ODP[03] subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined;
AC-16(01)_ODP[04] objects with which privacy attributes are to be dynamically associated as information is created and combined are defined;
AC-16(01)_ODP[05] security policies requiring dynamic association of security attributes with subjects and objects are defined;
AC-16(01)_ODP[06] privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;
AC-16(01)[01] security attributes are dynamically associated with in accordance with the following security policies as information is created and combined: ;
AC-16(01)[02] security attributes are dynamically associated with in accordance with the following security policies as information is created and combined: ;
AC-16(01)[03] privacy attributes are dynamically associated with in accordance with the following privacy policies as information is created and combined: ;
AC-16(01)[04] privacy attributes are dynamically associated with in accordance with the following privacy policies as information is created and combined: .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(01)-Examine [SELECT FROM: Access control policy; procedures addressing dynamic association of security and privacy attributes to information; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(01)-Test [SELECT FROM: Automated mechanisms implementing dynamic association of security and privacy attributes to information].

AC-16(02) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE VALUE CHANGES BY AUTHORIZED INDIVIDUALS
ASSESSMENT OBJECTIVE: Determine if:
AC-16(02)[01] authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;
AC-16(02)[02] authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(02)-Examine [SELECT FROM: Access control policy; procedures addressing the change of security and privacy attribute values; system design documentation; system configuration settings and associated documentation; list of individuals authorized to change security and privacy attributes; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for changing values of security and privacy attributes; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(02)-Test [SELECT FROM: Automated mechanisms permitting changes to values of security and privacy attributes].
AC-16(03) SECURITY AND PRIVACY ATTRIBUTES | MAINTENANCE OF ATTRIBUTE ASSOCIATIONS BY SYSTEM
ASSESSMENT OBJECTIVE: Determine if:
AC-16(03)_ODP[01] security attributes that require association and integrity maintenance are defined;
AC-16(03)_ODP[02] privacy attributes that require association and integrity maintenance are defined;
AC-16(03)_ODP[03] subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;
AC-16(03)_ODP[04] objects requiring the association and integrity of security attributes to such objects to be maintained are defined;
AC-16(03)_ODP[05] subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;
AC-16(03)_ODP[06] objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;
AC-16(03)[01] the association and integrity of to is maintained;
AC-16(03)[02] the association and integrity of to is maintained;
AC-16(03)[03] the association and integrity of to is maintained;
AC-16(03)[04] the association and integrity of to is maintained.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(03)-Examine [SELECT FROM: Access control policy; procedures addressing the association of security and privacy attributes to information; procedures addressing labeling or marking; system design documentation; system configuration settings and associated documentation; system security plan; privacy plan; other relevant documents or records].
AC-16(03)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system developers].
AC-16(03)-Test [SELECT FROM: Automated mechanisms maintaining association and integrity of security and privacy attributes to information].
AC-16(04) SECURITY AND PRIVACY ATTRIBUTES | ASSOCIATION OF ATTRIBUTES BY AUTHORIZED INDIVIDUALS
ASSESSMENT OBJECTIVE: Determine if:
AC-16(04)_ODP[01] security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)_ODP[02] security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)_ODP[03] privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)_ODP[04] privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)_ODP[05] subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)_ODP[06] objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)_ODP[07] subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)_ODP[08] objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;
AC-16(04)[01] authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;
AC-16(04)[02] authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;
AC-16(04)[03] authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;
AC-16(04)[04] authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(04)-Examine [SELECT FROM: Access control policy; procedures addressing the association of security and privacy attributes to information; system design documentation; system configuration settings and associated documentation; list of users authorized to associate security and privacy attributes to information; system prompts for privileged users to select security and privacy attributes to be associated with information objects; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16(04)-Interview [SELECT FROM: Organizational personnel with responsibilities for associating security and privacy attributes to information; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(04)-Test [SELECT FROM: Automated mechanisms supporting user associations of security and privacy attributes to information].

AC-16(05) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE DISPLAYS ON OBJECTS TO BE OUTPUT
ASSESSMENT OBJECTIVE: Determine if:
AC-16(05)_ODP[01] special dissemination, handling, or distribution instructions to be used for each object that the system transmits to output devices are defined;
AC-16(05)_ODP[02] human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined;
AC-16(05)[01] security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify using ;
AC-16(05)[02] privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(05)-Examine [SELECT FROM: Access control policy; procedures addressing display of security and privacy attributes in human-readable form; special dissemination, handling, or distribution instructions; types of human-readable, standard naming conventions; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16(05)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system developers].
AC-16(05)-Test [SELECT FROM: System output devices displaying security and privacy attributes in human-readable form on each object].

AC-16(06) SECURITY AND PRIVACY ATTRIBUTES | MAINTENANCE OF ATTRIBUTE ASSOCIATION
ASSESSMENT OBJECTIVE: Determine if:
AC-16(06)_ODP[01] security attributes to be associated with subjects are defined;
AC-16(06)_ODP[02] security attributes to be associated with objects are defined;
AC-16(06)_ODP[03] privacy attributes to be associated with subjects are defined;
AC-16(06)_ODP[04] privacy attributes to be associated with objects are defined;
AC-16(06)_ODP[05] subjects to be associated with information security attributes are defined;
AC-16(06)_ODP[06] objects to be associated with information security attributes are defined;
AC-16(06)_ODP[07] subjects to be associated with privacy attributes are defined;
AC-16(06)_ODP[08] objects to be associated with privacy attributes are defined;
AC-16(06)_ODP[09] security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects are defined;
AC-16(06)_ODP[10] privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects are defined;
AC-16(06)[01] personnel are required to associate and maintain the association of with in accordance with ;
AC-16(06)[02] personnel are required to associate and maintain the association of with in accordance with ;
AC-16(06)[03] personnel are required to associate and maintain the association of with in accordance with ;
AC-16(06)[04] personnel are required to associate and maintain the association of with in accordance with .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(06)-Examine [SELECT FROM: Access control policy; procedures addressing association of security and privacy attributes with subjects and objects; system security plan; privacy plan; other relevant documents or records].
AC-16(06)-Interview [SELECT FROM: Organizational personnel with responsibilities for associating and maintaining association of security and privacy attributes with subjects and objects; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(06)-Test [SELECT FROM: Automated mechanisms supporting associations of security and privacy attributes to subjects and objects].

AC-16(07) SECURITY AND PRIVACY ATTRIBUTES | CONSISTENT ATTRIBUTE INTERPRETATION
ASSESSMENT OBJECTIVE: Determine if:
AC-16(07)[01] a consistent interpretation of security attributes transmitted between distributed system components is provided;
AC-16(07)[02] a consistent interpretation of privacy attributes transmitted between distributed system components is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(07)-Examine [SELECT FROM: Access control policies and procedures; procedures addressing consistent interpretation of security and privacy attributes transmitted between distributed system components; procedures addressing access enforcement; procedures addressing information flow enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy access control policy; other relevant documents or records].
AC-16(07)-Interview [SELECT FROM: Organizational personnel with responsibilities for providing consistent interpretation of security and privacy attributes used in access enforcement and information flow enforcement actions; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(07)-Test [SELECT FROM: Automated mechanisms implementing access enforcement and information flow enforcement functions].

AC-16(08) SECURITY AND PRIVACY ATTRIBUTES | ASSOCIATION TECHNIQUES AND TECHNOLOGIES
ASSESSMENT OBJECTIVE: Determine if:
AC-16(08)_ODP[01] techniques and technologies to be implemented in associating security attributes to information are defined;
AC-16(08)_ODP[02] techniques and technologies to be implemented in associating privacy attributes to information are defined;
AC-16(08)[01] are implemented in associating security attributes to information;
AC-16(08)[02] are implemented in associating privacy attributes to information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(08)-Examine [SELECT FROM: Access control policy; procedures addressing association of security and privacy attributes to information; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16(08)-Interview [SELECT FROM: Organizational personnel with responsibilities for associating security and privacy attributes to information; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(08)-Test [SELECT FROM: Automated mechanisms implementing techniques or technologies associating security and privacy attributes to information].
AC-16(09) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE REASSIGNMENT — REGRADING MECHANISMS
ASSESSMENT OBJECTIVE: Determine if:
AC-16(09)_ODP[01] techniques or procedures used to validate regrading mechanisms for security attributes are defined;
AC-16(09)_ODP[02] techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;
AC-16(09)[01] security attributes associated with information are changed only via regrading mechanisms validated using ;
AC-16(09)[02] privacy attributes associated with information are changed only via regrading mechanisms validated using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(09)-Examine [SELECT FROM: Access control policy; procedures addressing reassignment of security attributes to information; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16(09)-Interview [SELECT FROM: Organizational personnel with responsibilities for reassigning association of security and privacy attributes to information; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(09)-Test [SELECT FROM: Automated mechanisms implementing techniques or procedures for reassigning association of security and privacy attributes to information].

AC-16(10) SECURITY AND PRIVACY ATTRIBUTES | ATTRIBUTE CONFIGURATION BY AUTHORIZED INDIVIDUALS
ASSESSMENT OBJECTIVE: Determine if:
AC-16(10)[01] authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;
AC-16(10)[02] authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-16(10)-Examine [SELECT FROM: Access control policy; procedures addressing configuration of security and privacy attributes by authorized individuals; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
AC-16(10)-Interview [SELECT FROM: Organizational personnel with responsibilities for defining or changing security and privacy attributes associated with information; organizational personnel with information security and privacy responsibilities; system developers].
AC-16(10)-Test [SELECT FROM: Automated mechanisms implementing capability for defining or changing security and privacy attributes].

AC-17 REMOTE ACCESS
ASSESSMENT OBJECTIVE: Determine if:
AC-17a.[01] usage restrictions are established and documented for each type of remote access allowed;
AC-17a.[02] configuration/connection requirements are established and documented for each type of remote access allowed;
AC-17a.[03] implementation guidance is established and documented for each type of remote access allowed;
AC-17b. each type of remote access to the system is authorized prior to allowing such connections.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
AC-17-Examine [SELECT FROM: Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; system configuration settings and associated documentation; remote access authorizations; system audit records; system security plan; other relevant documents or records].
AC-17-Interview [SELECT FROM: Organizational personnel with responsibilities for managing remote access connections; system/network administrators; organizational personnel with information security responsibilities].
AC-17-Test [SELECT FROM: Remote access management capability for the system].
AC-17(01) REMOTE ACCESS | MONITORING AND CONTROL ASSESSMENT OBJECTIVE: Determine if: AC-17(01)[01] automated mechanisms are employed to monitor remote access methods; AC-17(01)[02] automated mechanisms are employed to control remote access methods. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-17(01)-Examine [SELECT FROM: Access control policy; procedures addressing remote access to the system; system design documentation; system configuration settings and associated documentation; system audit records; system monitoring records; system security plan; other relevant documents or records]. AC-17(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers]. AC-17(01)-Test [SELECT FROM: Automated mechanisms monitoring and controlling remote access methods]. AC-17(02) REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY AND INTEGRITY USING ENCRYPTION ASSESSMENT OBJECTIVE: Determine if: AC-17(02) cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-17(02)-Examine [SELECT FROM: Access control policy; procedures addressing remote access to the system; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit records; system security plan; other relevant documents or records]. AC-17(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers]. AC-17(02)-Test [SELECT FROM: Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions]. AC-17(03) REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS ASSESSMENT OBJECTIVE: Determine if: AC-17(03) remote accesses are routed through authorized and managed network access control points. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-17(03)-Examine [SELECT FROM: Access control policy; procedures addressing remote access to the system; system design documentation; list of all managed network access control points; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-17(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. AC-17(03)-Test [SELECT FROM: Automated mechanisms routing all remote accesses through managed network access control points]. AC-17(04) REMOTE ACCESS | PRIVILEGED COMMANDS AND ACCESS ASSESSMENT OBJECTIVE: Determine if: AC-17(04)_ODP[01] needs requiring execution of privileged commands via remote access are defined; AC-17(04)_ODP[02] needs requiring access to security-relevant information via remote access are defined; AC-17(04)(a)[01] the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence; AC-17(04)(a)[02] access to security-relevant information via remote access is authorized only in a format that provides assessable evidence; AC-17(04)(a)[03] the execution of privileged commands via remote access is authorized only for the following needs: ; AC-17(04)(a)[04] access to security-relevant information via remote access is authorized only for the following needs: ; AC-17(04)(b) the rationale for remote access is documented in the security plan for the system. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-17(04)-Examine [SELECT FROM: Access control policy; procedures addressing remote access to the system; system configuration settings and associated documentation; security plan; system audit records; system security plan; other relevant documents or records]. AC-17(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. 
AC-17(04)-Test [SELECT FROM: Automated mechanisms implementing remote access management]. AC-17(05) REMOTE ACCESS | MONITORING FOR UNAUTHORIZED CONNECTIONS [WITHDRAWN: Incorporated into SI-04.] AC-17(06) REMOTE ACCESS | PROTECTION OF MECHANISM INFORMATION ASSESSMENT OBJECTIVE: Determine if: AC-17(06) information about remote access mechanisms is protected from unauthorized use and disclosure. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-17(06)-Examine [SELECT FROM: Access control policy; procedures addressing remote access to the system; system security plan; other relevant documents or records]. AC-17(06)-Interview [SELECT FROM: Organizational personnel with responsibilities for implementing or monitoring remote access to the system; system users with knowledge of information about remote access mechanisms; organizational personnel with information security responsibilities]. AC-17(07) REMOTE ACCESS | ADDITIONAL PROTECTION FOR SECURITY FUNCTION ACCESS [WITHDRAWN: Incorporated into AC-03(10).] AC-17(08) REMOTE ACCESS | DISABLE NONSECURE NETWORK PROTOCOLS [WITHDRAWN: Incorporated into CM-07.] AC-17(09) REMOTE ACCESS | DISCONNECT OR DISABLE ACCESS ASSESSMENT OBJECTIVE: Determine if: AC-17(09)_ODP the time period within which to disconnect or disable remote access to the system is defined; AC-17(09) the capability to disconnect or disable remote access to the system within is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-17(09)-Examine [SELECT FROM: Access control policy; procedures addressing disconnecting or disabling remote access to the system; system design documentation; system configuration settings and associated documentation; security plan; system audit records; system security plan; other relevant documents or records]. AC-17(09)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
AC-17(09)-Test [SELECT FROM: Automated mechanisms implementing capability to disconnect or disable remote access to system]. AC-17(10) REMOTE ACCESS | AUTHENTICATE REMOTE COMMANDS ASSESSMENT OBJECTIVE: Determine if: AC-17(10)_ODP[01] mechanisms implemented to authenticate remote commands are defined; AC-17(10)_ODP[02] remote commands to be authenticated by mechanisms are defined; AC-17(10) are implemented to authenticate . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-17(10)-Examine [SELECT FROM: Access control policy; procedures addressing authentication of remote commands; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-17(10)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers]. AC-17(10)-Test [SELECT FROM: Automated mechanisms implementing authentication of remote commands]. AC-18 WIRELESS ACCESS ASSESSMENT OBJECTIVE: Determine if: AC-18a.[01] configuration requirements are established for each type of wireless access; AC-18a.[02] connection requirements are established for each type of wireless access; AC-18a.[03] implementation guidance is established for each type of wireless access; AC-18b. each type of wireless access to the system is authorized prior to allowing such connections. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-18-Examine [SELECT FROM: Access control policy; procedures addressing wireless access implementation and usage (including restrictions); configuration management plan; system design documentation; system configuration settings and associated documentation; wireless access authorizations; system audit records; system security plan; other relevant documents or records]. 
AC-18-Interview [SELECT FROM: Organizational personnel with responsibilities for managing wireless access connections; organizational personnel with information security responsibilities]. AC-18-Test [SELECT FROM: Wireless access management capability for the system]. AC-18(01) WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION ASSESSMENT OBJECTIVE: Determine if: AC-18(01)_ODP one or more of the following PARAMETER VALUES is/are selected: {users; devices}; AC-18(01)[01] wireless access to the system is protected using authentication of ; AC-18(01)[02] wireless access to the system is protected using encryption. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-18(01)-Examine [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-18(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers]. AC-18(01)-Test [SELECT FROM: Automated mechanisms implementing wireless access protections to the system]. AC-18(02) WIRELESS ACCESS | MONITORING UNAUTHORIZED CONNECTIONS [WITHDRAWN: Incorporated into SI-04.] AC-18(03) WIRELESS ACCESS | DISABLE WIRELESS NETWORKING ASSESSMENT OBJECTIVE: Determine if: AC-18(03) when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-18(03)-Examine [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. 
AC-18(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. AC-18(03)-Test [SELECT FROM: Automated mechanisms managing the disabling of wireless networking capabilities internally embedded within system components]. AC-18(04) WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS ASSESSMENT OBJECTIVE: Determine if: AC-18(04)[01] users allowed to independently configure wireless networking capabilities are identified; AC-18(04)[02] users allowed to independently configure wireless networking capabilities are explicitly authorized. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-18(04)-Examine [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-18(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. AC-18(04)-Test [SELECT FROM: Automated mechanisms authorizing independent user configuration of wireless networking capabilities]. AC-18(05) WIRELESS ACCESS | ANTENNAS AND TRANSMISSION POWER LEVELS ASSESSMENT OBJECTIVE: Determine if: AC-18(05)[01] radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries; AC-18(05)[02] transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-18(05)-Examine [SELECT FROM: Access control policy; procedures addressing wireless implementation and usage (including restrictions); system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-18(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. AC-18(05)-Test [SELECT FROM: Calibration of transmission power levels for wireless access; radio antenna signals for wireless access; wireless access reception outside of organization-controlled boundaries]. AC-19 ACCESS CONTROL FOR MOBILE DEVICES ASSESSMENT OBJECTIVE: Determine if: AC-19a.[01] configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area; AC-19a.[02] connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area; AC-19a.[03] implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area; AC-19b. the connection of mobile devices to organizational systems is authorized. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-19-Examine [SELECT FROM: Access control policy; procedures addressing access control for mobile device usage (including restrictions); configuration management plan; system design documentation; system configuration settings and associated documentation; authorizations for mobile device connections to organizational systems; system audit records; system security plan; other relevant documents or records]. AC-19-Interview [SELECT FROM: Organizational personnel using mobile devices to access organizational systems; system/network administrators; organizational personnel with information security responsibilities]. 
AC-19-Test [SELECT FROM: Access control capability for mobile device connections to organizational systems; configurations of mobile devices]. AC-19(01) ACCESS CONTROL FOR MOBILE DEVICES | USE OF WRITABLE AND PORTABLE STORAGE DEVICES [WITHDRAWN: Incorporated into MP-07.] AC-19(02) ACCESS CONTROL FOR MOBILE DEVICES | USE OF PERSONALLY OWNED PORTABLE STORAGE DEVICES [WITHDRAWN: Incorporated into MP-07.] AC-19(03) ACCESS CONTROL FOR MOBILE DEVICES | USE OF PORTABLE STORAGE DEVICES WITH NO IDENTIFIABLE OWNER [WITHDRAWN: Incorporated into MP-07.] AC-19(04) ACCESS CONTROL FOR MOBILE DEVICES | RESTRICTIONS FOR CLASSIFIED INFORMATION ASSESSMENT OBJECTIVE: Determine if: AC-19(04)_ODP[01] security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined; AC-19(04)_ODP[02] security policies restricting the connection of classified mobile devices to classified systems are defined; AC-19(04)(a) the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official; AC-19(04)(b)(01) prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information; AC-19(04)(b)(02) approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information; AC-19(04)(b)(03) prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in 
facilities containing systems processing, storing, or transmitting classified information; AC-19(04)(b)(04)[01] random review and inspection of unclassified mobile devices and the information stored on those devices by are enforced; AC-19(04)(b)(04)[02] following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices; AC-19(04)(c) the connection of classified mobile devices to classified systems is restricted in accordance with . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-19(04)-Examine [SELECT FROM: Access control policy; incident handling policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; evidentiary documentation for random inspections and reviews of mobile devices; system audit records; system security plan; other relevant documents or records]. AC-19(04)-Interview [SELECT FROM: Organizational personnel responsible for random reviews/inspections of mobile devices; organizational personnel using mobile devices in facilities containing systems processing, storing, or transmitting classified information; organizational personnel with incident response responsibilities; system/network administrators; organizational personnel with information security responsibilities]. AC-19(04)-Test [SELECT FROM: Automated mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices]. AC-19(05) ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE OR CONTAINER-BASED ENCRYPTION ASSESSMENT OBJECTIVE: Determine if: AC-19(05)_ODP[01] one of the following PARAMETER VALUES is selected: {full-device encryption; container-based encryption}; AC-19(05)_ODP[02] mobile devices on which to employ encryption are defined; AC-19(05) is employed to protect the confidentiality and integrity of information on . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-19(05)-Examine [SELECT FROM: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; system audit records; system security plan; other relevant documents or records]. AC-19(05)-Interview [SELECT FROM: Organizational personnel with access control responsibilities for mobile devices; system/network administrators; organizational personnel with information security responsibilities]. AC-19(05)-Test [SELECT FROM: Encryption mechanisms protecting confidentiality and integrity of information on mobile devices]. AC-20 USE OF EXTERNAL SYSTEMS ASSESSMENT OBJECTIVE: Determine if: AC-20_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {establish; identify}; AC-20_ODP[02] terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected); AC-20_ODP[03] controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected); AC-20_ODP[04] types of external systems prohibited from use are defined; AC-20a.1 is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable); AC-20a.2 is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable); AC-20b. the use of is prohibited (if applicable). 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-20-Examine [SELECT FROM: Access control policy; procedures addressing the use of external systems; external systems terms and conditions; list of types of applications accessible from external systems; maximum security categorization for information processed, stored, or transmitted on external systems; system configuration settings and associated documentation; system security plan; other relevant documents or records]. AC-20-Interview [SELECT FROM: Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system/network administrators; organizational personnel with information security responsibilities]. AC-20-Test [SELECT FROM: Automated mechanisms implementing terms and conditions on use of external systems]. AC-20(01) USE OF EXTERNAL SYSTEMS | LIMITS ON AUTHORIZED USE ASSESSMENT OBJECTIVE: Determine if: AC-20(01)(a) authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable); AC-20(01)(b) authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable). POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-20(01)-Examine [SELECT FROM: Access control policy; procedures addressing the use of external systems; system connection or processing agreements; account management documents; system security plan; other relevant documents or records]. 
AC-20(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities]. AC-20(01)-Test [SELECT FROM: Automated mechanisms implementing limits on use of external systems]. AC-20(02) USE OF EXTERNAL SYSTEMS | PORTABLE STORAGE DEVICES — RESTRICTED USE ASSESSMENT OBJECTIVE: Determine if: AC-20(02)_ODP restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined; AC-20(02) the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-20(02)-Examine [SELECT FROM: Access control policy; procedures addressing the use of external systems; system configuration settings and associated documentation; system connection or processing agreements; account management documents; system security plan; other relevant documents or records]. AC-20(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems; system/network administrators; organizational personnel with information security responsibilities]. AC-20(02)-Test [SELECT FROM: Automated mechanisms implementing restrictions on use of portable storage devices]. AC-20(03) USE OF EXTERNAL SYSTEMS | NON-ORGANIZATIONALLY OWNED SYSTEMS — RESTRICTED USE ASSESSMENT OBJECTIVE: Determine if: AC-20(03)_ODP restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined; AC-20(03) the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-20(03)-Examine [SELECT FROM: Access control policy; procedures addressing the use of external systems; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; account management documents; system audit records; other relevant documents or records]. AC-20(03)-Interview [SELECT FROM: Organizational personnel with responsibilities for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices; system/network administrators; organizational personnel with information security responsibilities]. AC-20(03)-Test [SELECT FROM: Automated mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices]. AC-20(04) USE OF EXTERNAL SYSTEMS | NETWORK ACCESSIBLE STORAGE DEVICES — PROHIBITED USE ASSESSMENT OBJECTIVE: Determine if: AC-20(04)_ODP network-accessible storage devices prohibited from use in external systems are defined; AC-20(04) the use of is prohibited in external systems. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-20(04)-Examine [SELECT FROM: Access control policy; procedures addressing use of network-accessible storage devices in external systems; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; list of network-accessible storage devices prohibited from use in external systems; system audit records; system security plan; other relevant documents or records]. AC-20(04)-Interview [SELECT FROM: Organizational personnel with responsibilities for prohibiting the use of network-accessible storage devices in external systems; system/network administrators; organizational personnel with information security responsibilities]. AC-20(04)-Test [SELECT FROM: Automated mechanisms prohibiting the use of network-accessible storage devices in external systems].
AC-20(05) USE OF EXTERNAL SYSTEMS | PORTABLE STORAGE DEVICES — PROHIBITED USE ASSESSMENT OBJECTIVE: Determine if: AC-20(05) the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-20(05)-Examine [SELECT FROM: Access control policy; procedures addressing use of portable storage devices in external systems; system design documentation; system configuration settings and associated documentation; system connection or processing agreements; system audit records; system security plan; other relevant documents or records]. AC-20(05)-Interview [SELECT FROM: Organizational personnel with responsibilities for prohibiting the use of portable storage devices in external systems; system/network administrators; organizational personnel with information security responsibilities]. AC-21 INFORMATION SHARING ASSESSMENT OBJECTIVE: Determine if: AC-21_ODP[01] information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined; AC-21_ODP[02] automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined; AC-21a. authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ; AC-21b. are employed to assist users in making information-sharing and collaboration decisions. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-21-Examine [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); system design documentation; system configuration settings and associated documentation; list of users authorized to make information-sharing/collaboration decisions; list of information-sharing circumstances requiring user discretion; non-disclosure agreements; acquisitions/contractual agreements; system security plan; privacy plan; privacy impact assessment; security and privacy risk assessments; other relevant documents or records]. AC-21-Interview [SELECT FROM: Organizational personnel responsible for information-sharing/collaboration decisions; organizational personnel with responsibility for acquisitions/contractual agreements; system/network administrators; organizational personnel with information security and privacy responsibilities]. AC-21-Test [SELECT FROM: Automated mechanisms or manual process implementing access authorizations supporting information-sharing/user collaboration decisions]. AC-21(01) INFORMATION SHARING | AUTOMATED DECISION SUPPORT ASSESSMENT OBJECTIVE: Determine if: AC-21(01)_ODP automated mechanisms employed to enforce information-sharing decisions by authorized users are defined; AC-21(01) are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-21(01)-Examine [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); system design documentation; system configuration settings and associated documentation; system-generated list of users authorized to make information-sharing/collaboration decisions; system-generated list of sharing partners and access authorizations; system-generated list of access restrictions regarding information to be shared; system security plan; other relevant documents or records]. AC-21(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers]. AC-21(01)-Test [SELECT FROM: Automated mechanisms implementing access authorizations supporting information-sharing/user collaboration decisions]. AC-21(02) INFORMATION SHARING | INFORMATION SEARCH AND RETRIEVAL ASSESSMENT OBJECTIVE: Determine if: AC-21(02)_ODP information-sharing restrictions to be enforced by information search and retrieval services are defined; AC-21(02) information search and retrieval services that enforce are implemented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-21(02)-Examine [SELECT FROM: Access control policy; procedures addressing user-based collaboration and information sharing (including restrictions); system design documentation; system configuration settings and associated documentation; system-generated list of access restrictions regarding information to be shared; information search and retrieval records; system audit records; system security plan; other relevant documents or records]. AC-21(02)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities for system search and retrieval services; system/network administrators; organizational personnel with information security responsibilities; system developers]. 
AC-21(02)-Test [SELECT FROM: System search and retrieval services enforcing information-sharing restrictions]. AC-22 PUBLICLY ACCESSIBLE CONTENT ASSESSMENT OBJECTIVE: Determine if: AC-22_ODP the frequency at which to review the content on the publicly accessible system for non-public information is defined; AC-22a. designated individuals are authorized to make information publicly accessible; AC-22b. authorized individuals are trained to ensure that publicly accessible information does not contain non-public information; AC-22c. the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included; AC-22d.[01] the content on the publicly accessible system is reviewed for non-public information ; AC-22d.[02] non-public information is removed from the publicly accessible system, if discovered. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-22-Examine [SELECT FROM: Access control policy; procedures addressing publicly accessible content; list of users authorized to post publicly accessible content on organizational systems; training materials and/or records; records of publicly accessible information reviews; records of response to non-public information on public websites; system audit logs; security awareness training records; system security plan; other relevant documents or records]. AC-22-Interview [SELECT FROM: Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems; organizational personnel with information security responsibilities]. AC-22-Test [SELECT FROM: Automated mechanisms implementing management of publicly accessible content]. 
AC-23 DATA MINING PROTECTION ASSESSMENT OBJECTIVE: Determine if: AC-23_ODP[01] data mining prevention and detection techniques are defined; AC-23_ODP[02] data storage objects to be protected against unauthorized data mining are defined; AC-23 are employed for to detect and protect against unauthorized data mining. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-23-Examine [SELECT FROM: Access control policy; procedures for preventing and detecting data mining; policies and procedures addressing authorized data mining techniques; procedures addressing protection of data storage objects against data mining; system design documentation; system configuration settings and associated documentation; system audit logs; system audit records; procedures addressing differential privacy techniques; notifications of atypical database queries or accesses; documentation or reports of insider threat program; system security plan; privacy plan; other relevant documents or records]. AC-23-Interview [SELECT FROM: Organizational personnel with responsibilities for implementing data mining detection and prevention techniques for data storage objects; legal counsel; organizational personnel with information security and privacy responsibilities; system developers]. AC-23-Test [SELECT FROM: Automated mechanisms implementing data mining prevention and detection]. AC-24 ACCESS CONTROL DECISIONS ASSESSMENT OBJECTIVE: Determine if: AC-24_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {establish procedures; implement mechanisms}; AC-24_ODP[02] access control decisions applied to each access request prior to access enforcement are defined; AC-24 are taken to ensure that are applied to each access request prior to access enforcement. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-24-Examine [SELECT FROM: Access control policy; procedures addressing access control decisions; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-24-Interview [SELECT FROM: Organizational personnel with responsibilities for establishing procedures regarding access control decisions to the system; organizational personnel with information security responsibilities]. AC-24-Test [SELECT FROM: Automated mechanisms applying established access control decisions and procedures]. AC-24(01) ACCESS CONTROL DECISIONS | TRANSMIT ACCESS AUTHORIZATION INFORMATION ASSESSMENT OBJECTIVE: Determine if: AC-24(01)_ODP[01] access authorization information transmitted to systems that enforce access control decisions is defined; AC-24(01)_ODP[02] controls to be used when authorization information is transmitted to systems that enforce access control decisions are defined; AC-24(01)_ODP[03] systems that enforce access control decisions are defined; AC-24(01) is transmitted using to that enforce access control decisions. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-24(01)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. AC-24(01)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers]. AC-24(01)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions]. 
AC-24(02) ACCESS CONTROL DECISIONS | NO USER OR PROCESS IDENTITY ASSESSMENT OBJECTIVE: Determine if: AC-24(02)_ODP[01] security attributes that do not include the identity of the user or process acting on behalf of the user are defined; AC-24(02)_ODP[02] privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined; AC-24(02)[01] access control decisions are enforced based on that do not include the identity of the user or process acting on behalf of the user; AC-24(02)[02] access control decisions are enforced based on that do not include the identity of the user or process acting on behalf of the user. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-24(02)-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. AC-24(02)-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; system developers]. AC-24(02)-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions]. AC-25 REFERENCE MONITOR ASSESSMENT OBJECTIVE: Determine if: AC-25_ODP access control policies for which a reference monitor is implemented are defined; AC-25 a reference monitor is implemented for that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AC-25-Examine [SELECT FROM: Access control policy; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. 
AC-25-Interview [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security responsibilities; system developers]. AC-25-Test [SELECT FROM: Automated mechanisms implementing access enforcement functions]. 4.2 Awareness and Training AT-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: AT-01_ODP[01] personnel or roles to whom the awareness and training policy is to be disseminated is/are defined; AT-01_ODP[02] personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined; AT-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; AT-01_ODP[04] an official to manage the awareness and training policy and procedures is defined; AT-01_ODP[05] the frequency at which the current awareness and training policy is reviewed and updated is defined; AT-01_ODP[06] events that would require the current awareness and training policy to be reviewed and updated are defined; AT-01_ODP[07] the frequency at which the current awareness and training procedures are reviewed and updated is defined; AT-01_ODP[08] events that would require procedures to be reviewed and updated are defined; AT-01a.[01] an awareness and training policy is developed and documented; AT-01a.[02] the awareness and training policy is disseminated to ; AT-01a.[03] awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented; AT-01a.[04] the awareness and training procedures are disseminated to . 
AT-01a.01(a)[01] the awareness and training policy addresses purpose; AT-01a.01(a)[02] the awareness and training policy addresses scope; AT-01a.01(a)[03] the awareness and training policy addresses roles; AT-01a.01(a)[04] the awareness and training policy addresses responsibilities; AT-01a.01(a)[05] the awareness and training policy addresses management commitment; AT-01a.01(a)[06] the awareness and training policy addresses coordination among organizational entities; AT-01a.01(a)[07] the awareness and training policy addresses compliance; AT-01a.01(b) the awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; AT-01b. the is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures; AT-01c.01[01] the current awareness and training policy is reviewed and updated ; AT-01c.01[02] the current awareness and training policy is reviewed and updated following ; AT-01c.02[01] the current awareness and training procedures are reviewed and updated ; AT-01c.02[02] the current awareness and training procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-01-Examine [SELECT FROM: System security plan; privacy plan; awareness and training policy and procedures; other relevant documents or records]. AT-01-Interview [SELECT FROM: Organizational personnel with awareness and training responsibilities; organizational personnel with information security and privacy responsibilities]. 
AT-02 LITERACY TRAINING AND AWARENESS ASSESSMENT OBJECTIVE: Determine if: AT-02_ODP[01] the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined; AT-02_ODP[02] the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined; AT-02_ODP[03] events that require security literacy training for system users are defined; AT-02_ODP[04] events that require privacy literacy training for system users are defined; AT-02_ODP[05] techniques to be employed to increase the security and privacy awareness of system users are defined; AT-02_ODP[06] the frequency at which to update literacy training and awareness content is defined; AT-02_ODP[07] events that would require literacy training and awareness content to be updated are defined; AT-02a.01[01] security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users; AT-02a.01[02] privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users; AT-02a.01[03] security literacy training is provided to system users (including managers, senior executives, and contractors) thereafter; AT-02a.01[04] privacy literacy training is provided to system users (including managers, senior executives, and contractors) thereafter; AT-02a.02[01] security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ; AT-02a.02[02] privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ; AT-02b are employed to increase the security and privacy awareness of system users; AT-02c.[01] 
literacy training and awareness content is updated ; AT-02c.[02] literacy training and awareness content is updated following ; AT-02d. lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-02-Examine [SELECT FROM: System security plan; privacy plan; literacy training and awareness policy; procedures addressing literacy training and awareness implementation; appropriate codes of federal regulations; security and privacy literacy training curriculum; security and privacy literacy training materials; training records; other relevant documents or records]. AT-02-Interview [SELECT FROM: Organizational personnel with responsibilities for literacy training and awareness; organizational personnel with information security and privacy responsibilities; organizational personnel comprising the general system user community]. AT-02-Test [SELECT FROM: Automated mechanisms managing information security and privacy literacy training]. AT-02(01) LITERACY TRAINING AND AWARENESS | PRACTICAL EXERCISES ASSESSMENT OBJECTIVE: Determine if: AT-02(01) practical exercises in literacy training that simulate events and incidents are provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-02(01)-Examine [SELECT FROM: System security plan; privacy plan; security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; other relevant documents or records]. AT-02(01)-Interview [SELECT FROM: Organizational personnel who participate in security awareness training; organizational personnel with responsibilities for security awareness training; organizational personnel with information security responsibilities]. AT-02(01)-Test [SELECT FROM: Automated mechanisms implementing cyber-attack simulations in practical exercises]. 
AT-02(02) LITERACY TRAINING AND AWARENESS | INSIDER THREAT ASSESSMENT OBJECTIVE: Determine if: AT-02(02)[01] literacy training on recognizing potential indicators of insider threat is provided; AT-02(02)[02] literacy training on reporting potential indicators of insider threat is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-02(02)-Examine [SELECT FROM: System security plan; privacy plan; literacy training and awareness policy; procedures addressing literacy training and awareness implementation; literacy training and awareness curriculum; literacy training and awareness materials; other relevant documents or records]. AT-02(02)-Interview [SELECT FROM: Organizational personnel who participate in literacy training and awareness; organizational personnel with responsibilities for literacy training and awareness; organizational personnel with information security and privacy responsibilities]. AT-02(03) LITERACY TRAINING AND AWARENESS | SOCIAL ENGINEERING AND MINING ASSESSMENT OBJECTIVE: Determine if: AT-02(03)[01] literacy training on recognizing potential and actual instances of social engineering is provided; AT-02(03)[02] literacy training on reporting potential and actual instances of social engineering is provided; AT-02(03)[03] literacy training on recognizing potential and actual instances of social mining is provided; AT-02(03)[04] literacy training on reporting potential and actual instances of social mining is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-02(03)-Examine [SELECT FROM: System security plan; privacy plan; literacy training and awareness policy; procedures addressing literacy training and awareness implementation; literacy training and awareness curriculum; literacy training and awareness materials; other relevant documents or records]. 
AT-02(03)-Interview [SELECT FROM: Organizational personnel who participate in literacy training and awareness; organizational personnel with responsibilities for literacy training and awareness; organizational personnel with information security and privacy responsibilities]. AT-02(04) LITERACY TRAINING AND AWARENESS | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR ASSESSMENT OBJECTIVE: Determine if: AT-02(04)_ODP indicators of malicious code are defined; AT-02(04) literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-02(04)-Examine [SELECT FROM: System security plan; privacy plan; literacy training and awareness policy; procedures addressing literacy training and awareness implementation; literacy training and awareness curriculum; literacy training and awareness materials; other relevant documents or records]. AT-02(04)-Interview [SELECT FROM: Organizational personnel who participate in literacy training and awareness; organizational personnel with responsibilities for basic literacy training and awareness; organizational personnel with information security and privacy responsibilities]. AT-02(05) LITERACY TRAINING AND AWARENESS | ADVANCED PERSISTENT THREAT ASSESSMENT OBJECTIVE: Determine if: AT-02(05) literacy training on the advanced persistent threat is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-02(05)-Examine [SELECT FROM: System security plan; privacy plan; literacy training and awareness policy; procedures addressing literacy training and awareness implementation; literacy training and awareness curriculum; literacy training and awareness materials; other relevant documents or records]. 
AT-02(05)-Interview [SELECT FROM: Organizational personnel who participate in literacy training and awareness; organizational personnel with responsibilities for basic literacy training and awareness; organizational personnel with information security and privacy responsibilities]. AT-02(06) LITERACY TRAINING AND AWARENESS | CYBER THREAT ENVIRONMENT ASSESSMENT OBJECTIVE: Determine if: AT-02(06)(a) literacy training on the cyber threat environment is provided; AT-02(06)(b) system operations reflect current cyber threat information. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-02(06)-Examine [SELECT FROM: System security plan; privacy plan; literacy training and awareness policy; procedures addressing literacy training and awareness training implementation; literacy training and awareness curriculum; literacy training and awareness materials; other relevant documents or records]. AT-02(06)-Interview [SELECT FROM: Organizational personnel who participate in literacy training and awareness; organizational personnel with responsibilities for basic literacy training and awareness; organizational personnel with information security and privacy responsibilities]. 
AT-03 ROLE-BASED TRAINING ASSESSMENT OBJECTIVE: Determine if: AT-03_ODP[01] roles and responsibilities for role-based security training are defined; AT-03_ODP[02] roles and responsibilities for role-based privacy training are defined; AT-03_ODP[03] the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined; AT-03_ODP[04] the frequency at which to update role-based training content is defined; AT-03_ODP[05] events that require role-based training content to be updated are defined; AT-03a.01[01] role-based security training is provided to before authorizing access to the system, information, or performing assigned duties; AT-03a.01[02] role-based privacy training is provided to before authorizing access to the system, information, or performing assigned duties; AT-03a.01[03] role-based security training is provided to thereafter; AT-03a.01[04] role-based privacy training is provided to thereafter; AT-03a.02[01] role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes; AT-03a.02[02] role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes; AT-03b.[01] role-based training content is updated ; AT-03b.[02] role-based training content is updated following ; AT-03c. lessons learned from internal or external security incidents or breaches are incorporated into role-based training. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-03-Examine [SELECT FROM: System security plan; privacy plan; security and privacy awareness and training policy; procedures addressing security and privacy training implementation; codes of federal regulations; security and privacy training curriculum; security and privacy training materials; training records; other relevant documents or records]. 
AT-03-Interview [SELECT FROM: Organizational personnel with responsibilities for role-based security and privacy training; organizational personnel with assigned system security and privacy roles and responsibilities]. AT-03-Test [SELECT FROM: Automated mechanisms managing role-based security and privacy training]. AT-03(01) ROLE-BASED TRAINING | ENVIRONMENTAL CONTROLS ASSESSMENT OBJECTIVE: Determine if: AT-03(01)_ODP[01] personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls are defined; AT-03(01)_ODP[02] the frequency at which to provide refresher training in the employment and operation of environmental controls is defined; AT-03(01) are provided with initial and refresher training in the employment and operation of environmental controls. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-03(01)-Examine [SELECT FROM: Security and privacy awareness and training policy; procedures addressing security and privacy training implementation; security and privacy training curriculum; security and privacy training materials; system security plan; privacy plan; training records; other relevant documents or records]. AT-03(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for role-based security and privacy training; organizational personnel with responsibilities for employing and operating environmental controls]. AT-03(02) ROLE-BASED TRAINING | PHYSICAL SECURITY CONTROLS ASSESSMENT OBJECTIVE: Determine if: AT-03(02)_ODP[01] personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls is/are defined; AT-03(02)_ODP[02] the frequency at which to provide refresher training in the employment and operation of physical security controls is defined; AT-03(02) is/are provided with initial and refresher training in the employment and operation of physical security controls. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-03(02)-Examine [SELECT FROM: Security and privacy awareness and training policy; procedures addressing security and privacy training implementation; security and privacy training curriculum; security and privacy training materials; system security plan; privacy plan; training records; other relevant documents or records]. AT-03(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for role-based security and privacy training; organizational personnel with responsibilities for employing and operating physical security controls]. AT-03(03) ROLE-BASED TRAINING | PRACTICAL EXERCISES ASSESSMENT OBJECTIVE: Determine if: AT-03(03)[01] practical exercises in security training that reinforce training objectives are provided; AT-03(03)[02] practical exercises in privacy training that reinforce training objectives are provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-03(03)-Examine [SELECT FROM: Security and privacy awareness and training policy; procedures addressing security and privacy awareness training implementation; security and privacy awareness training curriculum; security and privacy awareness training materials; security and privacy awareness training reports and results; system security plan; privacy plan; other relevant documents or records]. AT-03(03)-Interview [SELECT FROM: Organizational personnel with responsibilities for role-based security and privacy training; organizational personnel who participate in security and privacy awareness training]. AT-03(04) ROLE-BASED TRAINING | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR [WITHDRAWN: Moved to AT-02(04).] 
AT-03(05) ROLE-BASED TRAINING | PROCESSING PERSONALLY IDENTIFIABLE INFORMATION ASSESSMENT OBJECTIVE: Determine if: AT-03(05)_ODP[01] personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is/are defined; AT-03(05)_ODP[02] the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined; AT-03(05) are provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-03(05)-Examine [SELECT FROM: Security and privacy awareness and training policy; procedures addressing security and privacy awareness training implementation; security and privacy awareness training curriculum; security and privacy awareness training materials; system security plan; privacy plan; organizational privacy notices; organizational policies; system of records notices; Privacy Act statements; computer matching agreements and notices; privacy impact assessments; information sharing agreements; other relevant documents or records]. AT-03(05)-Interview [SELECT FROM: Organizational personnel with responsibilities for role-based security and privacy training; organizational personnel who participate in security and privacy awareness training]. 
AT-04 TRAINING RECORDS ASSESSMENT OBJECTIVE: Determine if: AT-04_ODP time period for retaining individual training records is defined; AT-04a.[01] information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented; AT-04a.[02] information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored; AT-04b. individual training records are retained for . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-04-Examine [SELECT FROM: Security and privacy awareness and training policy; procedures addressing security and privacy training records; security and privacy awareness and training records; system security plan; privacy plan; other relevant documents or records]. AT-04-Interview [SELECT FROM: Organizational personnel with information security and privacy training record retention responsibilities]. AT-04-Test [SELECT FROM: Automated mechanisms supporting management of security and privacy training records]. AT-05 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS [WITHDRAWN: Incorporated into PM-15.] AT-06 TRAINING FEEDBACK ASSESSMENT OBJECTIVE: Determine if: AT-06_ODP[01] frequency at which to provide feedback on organizational training results is defined; AT-06_ODP[02] personnel to whom feedback on organizational training results will be provided is/are assigned; AT-06 feedback on organizational training results is provided to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AT-06-Examine [SELECT FROM: Security awareness and training policy; procedures addressing security training records; security awareness and training records; security plan; other relevant documents or records]. AT-06-Interview [SELECT FROM: Organizational personnel with information security training record retention responsibilities]. 
AT-06-Test [SELECT FROM: Automated mechanisms supporting management of security training records]. 4.3 Audit and Accountability AU-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: AU-01_ODP[01] personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined; AU-01_ODP[02] personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined; AU-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; AU-01_ODP[04] an official to manage the audit and accountability policy and procedures is defined; AU-01_ODP[05] the frequency at which the current audit and accountability policy is reviewed and updated is defined; AU-01_ODP[06] events that would require the current audit and accountability policy to be reviewed and updated are defined; AU-01_ODP[07] the frequency at which the current audit and accountability procedures are reviewed and updated is defined; AU-01_ODP[08] events that would require audit and accountability procedures to be reviewed and updated are defined; AU-01a.[01] an audit and accountability policy is developed and documented; AU-01a.[02] the audit and accountability policy is disseminated to ; AU-01a.[03] audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented; AU-01a.[04] the audit and accountability procedures are disseminated to ; AU-01a.01(a)[01] the of the audit and accountability policy addresses purpose; AU-01a.01(a)[02] the of the audit and accountability policy addresses scope; AU-01a.01(a)[03] the of the audit and accountability policy addresses roles; AU-01a.01(a)[04] the of the audit and accountability policy addresses responsibilities; AU-01a.01(a)[05] the of the audit and accountability policy addresses management commitment; AU-01a.01(a)[06] 
the of the audit and accountability policy addresses coordination among organizational entities; AU-01a.01(a)[07] the of the audit and accountability policy addresses compliance; AU-01a.01(b) the of the audit and accountability policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; AU-01b. the is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; AU-01c.01[01] the current audit and accountability policy is reviewed and updated ; AU-01c.01[02] the current audit and accountability policy is reviewed and updated following ; AU-01c.02[01] the current audit and accountability procedures are reviewed and updated ; AU-01c.02[02] the current audit and accountability procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-01-Examine [SELECT FROM: Audit and accountability policy and procedures; system security plan; privacy plan; other relevant documents or records]. AU-01-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities]. AU-02 EVENT LOGGING ASSESSMENT OBJECTIVE: Determine if: AU-02_ODP[01] the event types that the system is capable of logging in support of the audit function are defined; AU-02_ODP[02] the event types (subset of AU-02_ODP[01]) for logging within the system are defined; AU-02_ODP[03] the frequency or situation requiring logging for each specified event type is defined; AU-02_ODP[04] the frequency at which the event types selected for logging are reviewed and updated is defined; AU-02a. that the system is capable of logging are identified in support of the audit logging function; AU-02b. 
the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; AU-02c.[01] are specified for logging within the system; AU-02c.[02] the specified event types are logged within the system ; AU-02d. a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; AU-02e. the event types selected for logging are reviewed and updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-02-Examine [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; system security plan; privacy plan; system design documentation; system configuration settings and associated documentation; system audit records; system auditable events; other relevant documents or records]. AU-02-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-02-Test [SELECT FROM: Automated mechanisms implementing system auditing]. AU-02(01) EVENT LOGGING | COMPILATION OF AUDIT RECORDS FROM MULTIPLE SOURCES [WITHDRAWN: Incorporated into AU-12.] AU-02(02) EVENT LOGGING | SELECTION OF AUDIT EVENTS BY COMPONENT [WITHDRAWN: Incorporated into AU-12.] AU-02(03) EVENT LOGGING | REVIEWS AND UPDATES [WITHDRAWN: Incorporated into AU-02.] AU-02(04) EVENT LOGGING | PRIVILEGED FUNCTIONS [WITHDRAWN: Incorporated into AC-06(09).] AU-03 CONTENT OF AUDIT RECORDS ASSESSMENT OBJECTIVE: Determine if: AU-03a. audit records contain information that establishes what type of event occurred; AU-03b. audit records contain information that establishes when the event occurred; AU-03c. audit records contain information that establishes where the event occurred; AU-03d. audit records contain information that establishes the source of the event; AU-03e. 
audit records contain information that establishes the outcome of the event; AU-03f. audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-03-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing content of audit records; system design documentation; system configuration settings and associated documentation; list of organization-defined auditable events; system audit records; system incident reports; other relevant documents or records]. AU-03-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-03-Test [SELECT FROM: Automated mechanisms implementing system auditing of auditable events]. AU-03(01) CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION ASSESSMENT OBJECTIVE: Determine if: AU-03(01)_ODP additional information to be included in audit records is defined; AU-03(01) generated audit records contain the following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-03(01)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing content of audit records; system security plan; privacy plan; system design documentation; system configuration settings and associated documentation; list of organization-defined auditable events; system audit records; other relevant documents or records]. AU-03(01)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-03(01)-Test [SELECT FROM: System audit capability]. AU-03(02) CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT [WITHDRAWN: Incorporated into PL-09.] 
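The AU-03 test method points at the system's audit capability, and in practice an assessor checks a sample of emitted records against the six content elements (AU-03a through AU-03f) plus any AU-03(01) additional information the organization defined. The following checker is an added example, not NIST text or any product's code: it maps each AU-03 element onto an assumed JSON field name (`event_type`, `timestamp`, `host`, `source`, `outcome`, `subject`; a real deployment would substitute its own schema), treats an empty value as missing, and additionally rejects a timestamp that is present but not parseable, since an unparseable "when" cannot support after-the-fact investigation. The sample records are constructed.

```python
"""Check audit records for the AU-03 content elements (added example).

Field names below are an assumption: map your own log schema onto the
six AU-03 elements before using this against real records.
"""
import json
from datetime import datetime

# AU-03 element -> assumed JSON field that satisfies it.
AU03_ELEMENTS = {
    "AU-03a what type of event occurred": "event_type",
    "AU-03b when the event occurred": "timestamp",
    "AU-03c where the event occurred": "host",
    "AU-03d source of the event": "source",
    "AU-03e outcome of the event": "outcome",
    "AU-03f identity of subject/object": "subject",
}


def _is_iso8601(value) -> bool:
    """True if value parses as an ISO 8601 timestamp (a trailing Z is accepted)."""
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def missing_elements(record: dict, extra_fields=()) -> list:
    """Return the AU-03 elements (and AU-03(01) extra fields) a record lacks.

    A present-but-empty value counts as missing; a present-but-unparseable
    timestamp is reported separately so the gap is actionable.
    """
    missing = []
    for element, field in AU03_ELEMENTS.items():
        if record.get(field) in (None, ""):
            missing.append(element)
    for field in extra_fields:  # AU-03(01): organization-defined additional information
        if record.get(field) in (None, ""):
            missing.append(f"AU-03(01) {field}")
    ts = record.get("timestamp")
    if ts not in (None, "") and not _is_iso8601(ts):
        missing.append("AU-03b timestamp not parseable")
    return missing


def audit_log_gaps(lines, extra_fields=()) -> dict:
    """Scan JSON-lines audit records; return {line_number: [gaps]} for records that fail.

    Lines that are not valid JSON are reported too, because an assessor
    cannot verify content in a record that cannot be parsed.
    """
    gaps = {}
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            gaps[n] = ["record not parseable"]
            continue
        found = missing_elements(record, extra_fields)
        if found:
            gaps[n] = found
    return gaps


# Constructed sample records (not real logs): one complete, one with an
# empty subject, one with a bad timestamp, one that is not JSON.
SAMPLE = [
    '{"timestamp":"2024-03-01T12:00:00Z","event_type":"login","host":"app01",'
    '"source":"10.0.0.5","outcome":"success","subject":"alice"}',
    '{"timestamp":"2024-03-01T12:00:05Z","event_type":"file_read","host":"app01",'
    '"source":"10.0.0.5","outcome":"success","subject":""}',
    '{"timestamp":"yesterday","event_type":"sudo","host":"app01",'
    '"source":"10.0.0.5","outcome":"failure","subject":"bob"}',
    "not json at all",
]

if __name__ == "__main__":
    for n, found in audit_log_gaps(SAMPLE, extra_fields=("session_id",)).items():
        print(f"line {n}: {found}")
```

Passing `extra_fields` lets the same scan cover AU-03(01): the organization's additional audit information is checked with the same present-and-non-empty rule as the base elements.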
AU-03(03) CONTENT OF AUDIT RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS ASSESSMENT OBJECTIVE: Determine if: AU-03(03)_ODP elements identified in the privacy risk assessment are defined; AU-03(03) personally identifiable information contained in audit records is limited to identified in the privacy risk assessment. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-03(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; privacy risk assessment; privacy risk assessment results; procedures addressing content of audit records; system design documentation; system configuration settings and associated documentation; list of organization-defined auditable events; system audit records; third party contracts; other relevant documents or records]. AU-03(03)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-03(03)-Test [SELECT FROM: system audit capability]. AU-04 AUDIT LOG STORAGE CAPACITY ASSESSMENT OBJECTIVE: Determine if: AU-04_ODP audit log retention requirements are defined; AU-04 audit log storage capacity is allocated to accommodate . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-04-Examine [SELECT FROM: Audit and accountability policy; procedures addressing audit storage capacity; system security plan; privacy plan; system design documentation; system configuration settings and associated documentation; audit record storage requirements; audit record storage capability for system components; system audit records; other relevant documents or records]. AU-04-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. 
AU-04-Test [SELECT FROM: Audit record storage capacity and related configuration settings]. AU-04(01) AUDIT LOG STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE ASSESSMENT OBJECTIVE: Determine if: AU-04(01)_ODP the frequency of audit logs transferred to a different system, system component, or media other than the system or system component conducting the logging is defined; AU-04(01) audit logs are transferred to a different system, system component, or media other than the system or system component conducting the logging. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-04(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit storage capacity; procedures addressing transfer of system audit records to secondary or alternate systems; system design documentation; system configuration settings and associated documentation; logs of audit record transfers to secondary or alternate systems; system audit records transferred to secondary or alternate systems; other relevant documents or records]. AU-04(01)-Interview [SELECT FROM: Organizational personnel with audit storage capacity planning responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-04(01)-Test [SELECT FROM: Automated mechanisms supporting transfer of audit records onto a different system]. AU-05 RESPONSE TO AUDIT LOGGING PROCESS FAILURES ASSESSMENT OBJECTIVE: Determine if: AU-05_ODP[01] personnel or roles receiving audit logging process failure alerts are defined; AU-05_ODP[02] time period for personnel or roles receiving audit logging process failure alerts is defined; AU-05_ODP[03] additional actions to be taken in the event of an audit logging process failure are defined; AU-05a. are alerted in the event of an audit logging process failure within ; AU-05b. are taken in the event of an audit logging process failure. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-05-Examine [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; system design documentation; system security plan; privacy plan; system configuration settings and associated documentation; list of personnel to be notified in case of an audit processing failure; system audit records; other relevant documents or records]. AU-05-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-05-Test [SELECT FROM: Automated mechanisms implementing system response to audit processing failures]. AU-05(01) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | STORAGE CAPACITY WARNING ASSESSMENT OBJECTIVE: Determine if: AU-05(01)_ODP[01] personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is/are defined; AU-05(01)_ODP[02] time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined; AU-05(01)_ODP[03] percentage of repository maximum audit log storage capacity is defined; AU-05(01) a warning is provided to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-05(01)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; system design documentation; system security plan; privacy plan; system configuration settings and associated documentation; system audit records; other relevant documents or records]. 
AU-05(01)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-05(01)-Test [SELECT FROM: Automated mechanisms implementing audit storage limit warnings]. AU-05(02) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | REAL-TIME ALERTS ASSESSMENT OBJECTIVE: Determine if: AU-05(02)_ODP[01] real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined; AU-05(02)_ODP[02] personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined; AU-05(02)_ODP[03] audit logging failure events requiring real-time alerts are defined; AU-05(02) an alert is provided within to when occurs. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-05(02)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; system design documentation; system security plan; privacy plan; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-05(02)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-05(03) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | CONFIGURABLE TRAFFIC VOLUME THRESHOLDS ASSESSMENT OBJECTIVE: Determine if: AU-05(03)_ODP one or more of the following PARAMETER VALUES is/are selected: {reject; delay}; AU-05(03)[01] configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced; AU-05(03)[02] network traffic is if network traffic volume reaches thresholds. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-05(03)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; system design documentation; system security plan; privacy plan; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-05(03)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-05(04) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | SHUTDOWN ON FAILURE ASSESSMENT OBJECTIVE: Determine if: AU-05(04)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available}; AU-05(04)_ODP[02] audit logging failures that trigger a change in operational mode are defined; AU-05(04) is invoked in the event of , unless an alternate audit logging capability exists. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-05(04)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; system design documentation; system security plan; privacy plan; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-05(04)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-05(04)-Test [SELECT FROM: System capability invoking system shutdown or degraded operational mode in the event of an audit processing failure]. 
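The AU-05 family above is assessed by testing the mechanism, not by reading policy, so an assessor needs to see the failure path exercised. The following is an added illustration written for this page; it is not code from NIST SP 800-53A or from any product. It models a logging front end that (1) raises a storage capacity warning once allocated audit storage reaches an organization-defined percentage (AU-05(01)), (2) raises an alert on an audit write failure and records when it was raised so the organization-defined notification period can be checked (AU-05), and (3) fails over to an alternate audit logging capability when one exists, or re-raises so the caller can invoke the AU-05(04) shutdown or degraded mode when it does not. The threshold, the deadline, the sink names and the sample records are constructed assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-ins for the organization-defined parameters (assumptions):
CAPACITY_WARNING_PERCENT = 80   # AU-05(01)_ODP[03]
ALERT_WITHIN_SECONDS = 60       # AU-05_ODP[02] / AU-05(01)_ODP[02]


class AuditSink:
    """A log repository with a fixed byte budget; can also simulate a write failure."""

    def __init__(self, name: str, capacity_bytes: int, fail: bool = False):
        self.name = name
        self.capacity = capacity_bytes
        self.used = 0
        self.fail = fail
        self.records: List[str] = []

    def write(self, record: str) -> None:
        data = record.encode()
        # A full repository is an audit logging process failure, same as a disk error.
        if self.fail or self.used + len(data) > self.capacity:
            raise IOError(f"{self.name}: audit write failed")
        self.records.append(record)
        self.used += len(data)

    def percent_used(self) -> float:
        return 100.0 * self.used / self.capacity


@dataclass
class Alert:
    kind: str          # "capacity_warning" or "logging_failure"
    detail: str
    raised_at: float   # monotonic seconds, so the notification deadline can be checked


@dataclass
class AuditLogger:
    primary: AuditSink
    alternate: Optional[AuditSink]          # AU-05(05) alternate capability, if any
    alerts: List[Alert] = field(default_factory=list)
    _warned: bool = False                   # warn once, not on every write past the line

    def log(self, record: str) -> str:
        """Write one record and return the name of the sink that accepted it."""
        now = time.monotonic()
        try:
            self.primary.write(record)
            if not self._warned and self.primary.percent_used() >= CAPACITY_WARNING_PERCENT:
                self._warned = True
                self.alerts.append(Alert(
                    "capacity_warning",
                    f"{self.primary.name} at {self.primary.percent_used():.0f}% of capacity", now))
            return self.primary.name
        except IOError as exc:
            self.alerts.append(Alert("logging_failure", str(exc), now))
            if self.alternate is None:
                raise   # no alternate capability: caller must apply the AU-05(04) response
            self.alternate.write(record)
            return self.alternate.name


def alerts_within_deadline(logger: AuditLogger, deadline_s: float) -> bool:
    """True if every alert was raised no later than deadline_s seconds before now."""
    now = time.monotonic()
    return all(now - a.raised_at <= deadline_s for a in logger.alerts)


def demo() -> AuditLogger:
    """Constructed scenario: 33-byte records into a 330-byte primary; warn at 80%,
    then a simulated primary failure that fails over to the alternate sink."""
    primary = AuditSink("primary", capacity_bytes=330)
    logger = AuditLogger(primary, AuditSink("alternate", capacity_bytes=1000))
    for i in range(9):                       # 8th write reaches exactly 80% -> warning
        logger.log(f"evt={i} user=alice outcome=success\n")
    primary.fail = True
    logger.log("evt=9 user=bob outcome=failure\n")   # lands in the alternate sink
    return logger


if __name__ == "__main__":
    lg = demo()
    for a in lg.alerts:
        print(a.kind, "-", a.detail)
    print("within deadline:", alerts_within_deadline(lg, ALERT_WITHIN_SECONDS))
```

When assessing AU-05-Test against a real system, the two points worth verifying from the evidence are the ones this model makes explicit: that the warning fires once at the configured percentage rather than only when the store is already full, and that a write failure produces both an alert and a record that still reaches some repository.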
AU-05(05) RESPONSE TO AUDIT LOGGING PROCESS FAILURES | ALTERNATE AUDIT LOGGING CAPABILITY ASSESSMENT OBJECTIVE: Determine if: AU-05(05)_ODP an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined; AU-05(05) an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-05(05)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing response to audit processing failures; system design documentation; system security plan; privacy plan; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-05(05)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-05(05)-Test [SELECT FROM: Alternate audit logging capability]. AU-06 AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING ASSESSMENT OBJECTIVE: Determine if: AU-06_ODP[01] frequency at which system audit records are reviewed and analyzed is defined; AU-06_ODP[02] inappropriate or unusual activity is defined; AU-06_ODP[03] personnel or roles to receive findings from reviews and analyses of system records is/are defined; AU-06a system audit records are reviewed and analyzed for indications of and the potential impact of the inappropriate or unusual activity; AU-06b findings are reported to ; AU-06c the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit review, analysis, and reporting; reports of audit findings; records of actions taken in response to reviews/analyses of audit records; other relevant documents or records]. AU-06-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(01) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUTOMATED PROCESS INTEGRATION ASSESSMENT OBJECTIVE: Determine if: AU-06(01)_ODP automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined; AU-06(01) audit record review, analysis, and reporting processes are integrated using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit review, analysis, and reporting; procedures addressing investigation and response to suspicious activities; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-06(01)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(01)-Test [SELECT FROM: Automated mechanisms integrating audit review, analysis, and reporting processes]. AU-06(02) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUTOMATED SECURITY ALERTS [WITHDRAWN: Incorporated into SI-04.] AU-06(03) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT RECORD REPOSITORIES ASSESSMENT OBJECTIVE: Determine if: AU-06(03) audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit review, analysis, and reporting; system design documentation; system configuration settings and associated documentation; system audit records across different repositories; other relevant documents or records]. AU-06(03)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(03)-Test [SELECT FROM: Automated mechanisms supporting analysis and correlation of audit records]. AU-06(04) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CENTRAL REVIEW AND ANALYSIS ASSESSMENT OBJECTIVE: Determine if: AU-06(04)[01] the capability to centrally review and analyze audit records from multiple components within the system is provided; AU-06(04)[02] the capability to centrally review and analyze audit records from multiple components within the system is implemented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(04)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; system design documentation; system configuration settings and associated documentation; system security plan; privacy plan; system audit records; other relevant documents or records]. AU-06(04)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities; system developers]. AU-06(04)-Test [SELECT FROM: System capability to centralize review and analysis of audit records]. 
AU-06(05) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | INTEGRATED ANALYSIS OF AUDIT RECORDS ASSESSMENT OBJECTIVE: Determine if: AU-06(05)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {vulnerability scanning information; performance data; system monitoring information; }; AU-06(05)_ODP[02] data/information collected from other sources to be analyzed is defined (if selected); AU-06(05) analysis of audit records is integrated with analysis of to further enhance the ability to identify inappropriate or unusual activity. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(05)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit review, analysis, and reporting; system design documentation; system configuration settings and associated documentation; integrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation; other relevant documents or records]. AU-06(05)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(05)-Test [SELECT FROM: Automated mechanisms implementing capability to integrate analysis of audit records with analysis of data/information sources]. AU-06(06) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING ASSESSMENT OBJECTIVE: Determine if: AU-06(06) information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(06)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; procedures addressing physical access monitoring; system design documentation; system configuration settings and associated documentation; documentation providing evidence of correlated information obtained from audit records and physical access monitoring records; system security plan; privacy plan; other relevant documents or records]. AU-06(06)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with physical access monitoring responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(06)-Test [SELECT FROM: Automated mechanisms implementing capability to correlate information from audit records with information from monitoring physical access]. AU-06(07) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | PERMITTED ACTIONS ASSESSMENT OBJECTIVE: Determine if: AU-06(07)_ODP one or more of the following PARAMETER VALUES is/are selected: {system process; role; user}; AU-06(07) the permitted actions for each associated with the review, analysis, and reporting of audit record information is specified. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(07)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing process, role and/or user permitted actions from audit review, analysis, and reporting; system security plan; privacy plan; other relevant documents or records]. AU-06(07)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(07)-Test [SELECT FROM: Automated mechanisms supporting permitted actions for review, analysis, and reporting of audit information]. 
AU-06(08) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | FULL TEXT ANALYSIS OF PRIVILEGED COMMANDS ASSESSMENT OBJECTIVE: Determine if: AU-06(08) a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(08)-Examine [SELECT FROM: Audit and accountability policy; procedures addressing audit review, analysis, and reporting; system design documentation; system configuration settings and associated documentation; text analysis tools and techniques; text analysis documentation of audited privileged commands; system security plan; privacy plan; other relevant documents or records]. AU-06(08)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(08)-Test [SELECT FROM: Automated mechanisms implementing capability to perform a full text analysis of audited privileged commands]. AU-06(09) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH INFORMATION FROM NONTECHNICAL SOURCES ASSESSMENT OBJECTIVE: Determine if: AU-06(09) information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-06(09)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit review, analysis, and reporting; system design documentation; system configuration settings and associated documentation; documentation providing evidence of correlated information obtained from audit records and organization-defined non-technical sources; list of information types from non-technical sources for correlation with audit information; other relevant documents or records]. 
AU-06(09)-Interview [SELECT FROM: Organizational personnel with audit review, analysis, and reporting responsibilities; organizational personnel with information security and privacy responsibilities]. AU-06(09)-Test [SELECT FROM: Automated mechanisms implementing capability to correlate information from non-technical sources]. AU-06(10) AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUDIT LEVEL ADJUSTMENT [WITHDRAWN: Incorporated into AU-06.] AU-07 AUDIT RECORD REDUCTION AND REPORT GENERATION ASSESSMENT OBJECTIVE: Determine if: AU-07a.[01] an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; AU-07a.[02] an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; AU-07b.[01] an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records; AU-07b.[02] an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-07-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit reduction and report generation; system design documentation; system configuration settings and associated documentation; audit reduction, review, analysis, and reporting tools; system audit records; other relevant documents or records]. AU-07-Interview [SELECT FROM: Organizational personnel with audit reduction and report generation responsibilities; organizational personnel with information security and privacy responsibilities]. AU-07-Test [SELECT FROM: Audit reduction and report generation capability]. 
AU-07(01) AUDIT RECORD REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING ASSESSMENT OBJECTIVE: Determine if: AU-07(01)_ODP fields within audit records that can be processed, sorted, or searched are defined; AU-07(01)[01] the capability to process, sort, and search audit records for events of interest based on is provided; AU-07(01)[02] the capability to process, sort, and search audit records for events of interest based on is implemented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-07(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit reduction and report generation; system design documentation; system configuration settings and associated documentation; audit reduction, review, analysis, and reporting tools; audit record criteria (fields) establishing events of interest; system audit records; other relevant documents or records]. AU-07(01)-Interview [SELECT FROM: Organizational personnel with audit reduction and report generation responsibilities; organizational personnel with information security and privacy responsibilities; system developers]. AU-07(01)-Test [SELECT FROM: Audit reduction and report generation capability]. AU-07(02) AUDIT RECORD REDUCTION AND REPORT GENERATION | AUTOMATIC SORT AND SEARCH [WITHDRAWN: Incorporated into AU-07(01).] AU-08 TIME STAMPS ASSESSMENT OBJECTIVE: Determine if: AU-08_ODP granularity of time measurement for audit record timestamps is defined; AU-08a. internal system clocks are used to generate timestamps for audit records; AU-08b. timestamps are recorded for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-08-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing timestamp generation; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-08-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-08-Test [SELECT FROM: Automated mechanisms implementing timestamp generation]. AU-08(01) TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE [WITHDRAWN: Moved to SC-45(01).] AU-08(02) TIME STAMPS | SECONDARY AUTHORITATIVE TIME SOURCE [WITHDRAWN: Moved to SC-45(02).] AU-09 PROTECTION OF AUDIT INFORMATION ASSESSMENT OBJECTIVE: Determine if: AU-09_ODP personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined; AU-09a. audit information and audit logging tools are protected from unauthorized access, modification, and deletion; AU-09b. are alerted upon detection of unauthorized access, modification, or deletion of audit information. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; access control policy and procedures; procedures addressing protection of audit information; system design documentation; system configuration settings and associated documentation; system audit records; audit tools; other relevant documents or records]. AU-09-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-09-Test [SELECT FROM: Mechanisms implementing audit information protection]. 
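AU-07b and AU-08b are easy to fail in ways that do not show up in a policy review: a reduction tool that rewrites records as it filters them, or timestamps recorded in naive local time so that records from two components cannot be ordered. The following is an added example for this page, not code from NIST SP 800-53A or any vendor tool. It parses a constructed JSON-lines audit log, rejects records whose timestamp carries neither the UTC designator nor an offset (AU-08b), restricts search to an assumed set of organization-defined fields (AU-07(01)_ODP), and builds a report as a separate view so that the original records keep their content and event-time order (AU-07b). The field list and the sample records are constructed assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

# Constructed sample audit records (JSON lines). The fourth line has a naive local
# timestamp and therefore does not satisfy AU-08b.
SAMPLE_LOG = """\
{"ts":"2024-03-01T10:00:00Z","type":"login","user":"alice","src":"10.0.0.5","outcome":"success"}
{"ts":"2024-03-01T10:00:07+00:00","type":"login","user":"bob","src":"10.0.0.9","outcome":"failure"}
{"ts":"2024-03-01T05:00:09-05:00","type":"sudo","user":"bob","src":"10.0.0.9","outcome":"success"}
{"ts":"2024-03-01 10:00:12","type":"login","user":"bob","src":"10.0.0.9","outcome":"failure"}
"""

# Assumed AU-07(01)_ODP: the only fields the reduction tool may search or sort on.
SEARCHABLE_FIELDS = ("ts", "type", "user", "src", "outcome")


def parse_timestamp(ts: str) -> datetime:
    """AU-08b check: accept UTC ('Z') or an explicit offset; reject naive local time.
    The result is normalised to UTC so records from different zones order correctly."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"          # fromisoformat() accepts 'Z' only on newer Pythons
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp lacks UTC designator or offset: {ts!r}")
    return dt.astimezone(timezone.utc)


def load_records(text: str) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Parse JSON lines in their original order; return (accepted, rejected_lines)."""
    records: List[Dict[str, Any]] = []
    rejected: List[str] = []
    for line in text.splitlines():
        rec = json.loads(line)
        try:
            parse_timestamp(rec["ts"])
        except ValueError:
            rejected.append(line)        # kept for the assessor, not silently dropped
            continue
        records.append(rec)
    return records, rejected


def search(records: List[Dict[str, Any]], **criteria: Any) -> List[Dict[str, Any]]:
    """AU-07(01): filter on defined fields only. Returns a new list; input is untouched."""
    for key in criteria:
        if key not in SEARCHABLE_FIELDS:
            raise KeyError(f"{key!r} is not an organization-defined searchable field")
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def report(records: List[Dict[str, Any]]) -> List[str]:
    """AU-07b: the report is a derived view in UTC event-time order; the source
    records are neither modified nor reordered in place."""
    ordered = sorted(records, key=lambda r: parse_timestamp(r["ts"]))
    return [
        f"{parse_timestamp(r['ts']).isoformat()} {r['type']:<6} {r['user']:<6} {r['outcome']}"
        for r in ordered
    ]


if __name__ == "__main__":
    recs, bad = load_records(SAMPLE_LOG)
    print(f"{len(recs)} records accepted, {len(bad)} rejected for AU-08b")
    for line in report(search(recs, user="bob")):
        print(line)
```

The sudo record is stamped 05:00:09 at an offset of -05:00; the report places it after the 10:00:07 UTC login because ordering is done on the UTC instant, which is the property AU-08b exists to preserve.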
AU-09(01) PROTECTION OF AUDIT INFORMATION | HARDWARE WRITE-ONCE MEDIA ASSESSMENT OBJECTIVE: Determine if: AU-09(01) audit trails are written to hardware-enforced, write-once media. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; access control policy and procedures; procedures addressing protection of audit information; system design documentation; system hardware settings; system configuration settings and associated documentation; system storage media; system audit records; other relevant documents or records]. AU-09(01)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-09(01)-Test [SELECT FROM: System media storing audit trails]. AU-09(02) PROTECTION OF AUDIT INFORMATION | STORE ON SEPARATE PHYSICAL SYSTEMS OR COMPONENTS ASSESSMENT OBJECTIVE: Determine if: AU-09(02)_ODP the frequency of storing audit records in a repository is defined; AU-09(02) audit records are stored in a repository that is part of a physically different system or system component than the system or component being audited. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09(02)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing protection of audit information; system design documentation; system configuration settings and associated documentation; system or media storing backups of system audit records; system audit records; other relevant documents or records]. AU-09(02)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. 
AU-09(02)-Test [SELECT FROM: Automated mechanisms implementing the backing up of audit records]. AU-09(03) PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION ASSESSMENT OBJECTIVE: Determine if: AU-09(03) cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; access control policy and procedures; procedures addressing protection of audit information; system design documentation; system hardware settings; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-09(03)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-09(03)-Test [SELECT FROM: Cryptographic mechanisms protecting integrity of audit information and tools]. AU-09(04) PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS ASSESSMENT OBJECTIVE: Determine if: AU-09(04)_ODP a subset of privileged users or roles authorized to access management of audit logging functionality is defined; AU-09(04) access to management of audit logging functionality to only is authorized. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09(04)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; access control policy and procedures; procedures addressing protection of audit information; system design documentation; system configuration settings and associated documentation; system-generated list of privileged users with access to management of audit functionality; access authorizations; access control list; system audit records; other relevant documents or records]. 
AU-09(04)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-09(04)-Test [SELECT FROM: Automated mechanisms managing access to audit functionality]. AU-09(05) PROTECTION OF AUDIT INFORMATION | DUAL AUTHORIZATION ASSESSMENT OBJECTIVE: Determine if: AU-09(05)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {movement; deletion}; AU-09(05)_ODP[02] audit information for which dual authorization is to be enforced is defined; AU-09(05) dual authorization is enforced for the of . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09(05)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; access control policy and procedures; procedures addressing protection of audit information; system design documentation; system configuration settings and associated documentation; access authorizations; system audit records; other relevant documents or records]. AU-09(05)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-09(05)-Test [SELECT FROM: Automated mechanisms implementing enforcement of dual authorization]. AU-09(06) PROTECTION OF AUDIT INFORMATION | READ-ONLY ACCESS ASSESSMENT OBJECTIVE: Determine if: AU-09(06)_ODP a subset of privileged users or roles with authorized read-only access to audit information is defined; AU-09(06) read-only access to audit information is authorized to . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09(06)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; access control policy and procedures; procedures addressing protection of audit information; system design documentation; system configuration settings and associated documentation; system-generated list of privileged users with read-only access to audit information; access authorizations; access control list; system audit records; other relevant documents or records]. AU-09(06)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-09(06)-Test [SELECT FROM: Automated mechanisms managing access to audit information]. AU-09(07) PROTECTION OF AUDIT INFORMATION | STORE ON COMPONENT WITH DIFFERENT OPERATING SYSTEM ASSESSMENT OBJECTIVE: Determine if: AU-09(07) audit information is stored on a component running a different operating system than the system or component being audited. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-09(07)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; access control policy and procedures; procedures addressing protection of audit information; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-09(07)-Interview [SELECT FROM: Organizational personnel with audit and accountability responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-09(07)-Test [SELECT FROM: Mechanisms implementing operating system verification capability; mechanisms verifying audit information storage location]. 
AU-10 NON-REPUDIATION ASSESSMENT OBJECTIVE: Determine if: AU-10_ODP actions to be covered by non-repudiation are defined; AU-10 irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-10-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing non-repudiation; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-10-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-10-Test [SELECT FROM: Automated mechanisms implementing non-repudiation capability]. AU-10(01) NON-REPUDIATION | ASSOCIATION OF IDENTITIES ASSESSMENT OBJECTIVE: Determine if: AU-10(01)_ODP the strength of binding between the identity of the information producer and the information is defined; AU-10(01)(a) the identity of the information producer is bound with the information to ; AU-10(01)(b) the means for authorized individuals to determine the identity of the producer of the information is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-10(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing non-repudiation; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-10(01)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-10(01)-Test [SELECT FROM: Automated mechanisms implementing non-repudiation capability]. 
AU-10(02) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION PRODUCER IDENTITY ASSESSMENT OBJECTIVE: Determine if: AU-10(02)_ODP[01] the frequency at which to validate the binding of the information producer identity to the information is defined; AU-10(02)_ODP[02] the actions to be performed in the event of a validation error are defined; AU-10(02)(a) the binding of the information producer identity to the information is validated; AU-10(02)(b) in the event of a validation error are performed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-10(02)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing non-repudiation; system design documentation; system configuration settings and associated documentation; validation records; system audit records; other relevant documents or records]. AU-10(02)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-10(02)-Test [SELECT FROM: Automated mechanisms implementing non-repudiation capability]. AU-10(03) NON-REPUDIATION | CHAIN OF CUSTODY ASSESSMENT OBJECTIVE: Determine if: AU-10(03) reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-10(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing non-repudiation; system design documentation; system configuration settings and associated documentation; records of information reviews and releases; system audit records; other relevant documents or records]. AU-10(03)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-10(03)-Test [SELECT FROM: Automated mechanisms implementing non-repudiation capability]. 
AU-10(04) NON-REPUDIATION | VALIDATE BINDING OF INFORMATION REVIEWER IDENTITY ASSESSMENT OBJECTIVE: Determine if: AU-10(04)_ODP[01] security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined; AU-10(04)_ODP[02] actions to be performed in the event of a validation error are defined; AU-10(04)(a) the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between is validated; AU-10(04)(b) are performed in the event of a validation error. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-10(04)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing non-repudiation; system design documentation; system configuration settings and associated documentation; validation records; system audit records; other relevant documents or records]. AU-10(04)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-10(04)-Test [SELECT FROM: Automated mechanisms implementing non-repudiation capability]. AU-10(05) NON-REPUDIATION | DIGITAL SIGNATURES [WITHDRAWN: Incorporated into SI-07.] AU-11 AUDIT RECORD RETENTION ASSESSMENT OBJECTIVE: Determine if: AU-11_ODP a time period to retain audit records that is consistent with the records retention policy is defined; AU-11 audit records are retained for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-11-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; audit record retention policy and procedures; security plan; organization-defined retention period for audit records; audit record archives; audit logs; audit records; other relevant documents or records]. 
AU-11-Interview [SELECT FROM: Organizational personnel with audit record retention responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-11(01) AUDIT RECORD RETENTION | LONG-TERM RETRIEVAL CAPABILITY ASSESSMENT OBJECTIVE: Determine if: AU-11(01)_ODP measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined; AU-11(01) are employed to ensure that long-term audit records generated by the system can be retrieved. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-11(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; audit record retention policy and procedures; system design documentation; system configuration settings and associated documentation; audit record archives; audit logs; audit records; other relevant documents or records]. AU-11(01)-Interview [SELECT FROM: Organizational personnel with audit record retention responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. AU-11(01)-Test [SELECT FROM: Automated mechanisms implementing audit record retention capability]. AU-12 AUDIT RECORD GENERATION ASSESSMENT OBJECTIVE: Determine if: AU-12_ODP[01] system components that provide an audit record generation capability for the event types (defined in AU-02_ODP[02]) are defined; AU-12_ODP[02] personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined; AU-12a. audit record generation capability for the event types the system is capable of auditing, as defined in AU-2a, are provided on ; AU-12b. is/are allowed to select the event types that are to be logged by specific components of the system; AU-12c. audit records for the event types defined in AU-2c that include the audit record content defined in AU-3 are generated. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-12-Examine [SELECT FROM: Audit and accountability policy; procedures addressing audit record generation; system security plan; privacy plan; system design documentation; system configuration settings and associated documentation; list of auditable events; system audit records; other relevant documents or records]. AU-12-Interview [SELECT FROM: Organizational personnel with audit record generation responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-12-Test [SELECT FROM: Automated mechanisms implementing audit record generation capability]. AU-12(01) AUDIT RECORD GENERATION | SYSTEM-WIDE AND TIME-CORRELATED AUDIT TRAIL ASSESSMENT OBJECTIVE: Determine if: AU-12(01)_ODP[01] system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined; AU-12(01)_ODP[02] level of tolerance for the relationship between timestamps of individual records in the audit trail is defined; AU-12(01) audit records from are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-12(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit record generation; system design documentation; system configuration settings and associated documentation; system-wide audit trail (logical or physical); system audit records; other relevant documents or records]. AU-12(01)-Interview [SELECT FROM: Organizational personnel with audit record generation responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-12(01)-Test [SELECT FROM: Automated mechanisms implementing audit record generation capability]. 
AU-12(02) AUDIT RECORD GENERATION | STANDARDIZED FORMATS ASSESSMENT OBJECTIVE: Determine if: AU-12(02) a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-12(02)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit record generation; system design documentation; system configuration settings and associated documentation; system-wide audit trail (logical or physical); system audit records; other relevant documents or records]. AU-12(02)-Interview [SELECT FROM: Organizational personnel with audit record generation responsibilities; organizational personnel with security responsibilities; system/network administrators; system developers]. AU-12(02)-Test [SELECT FROM: Automated mechanisms implementing audit record generation capability]. AU-12(03) AUDIT RECORD GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS ASSESSMENT OBJECTIVE: Determine if: AU-12(03)_ODP[01] individuals or roles authorized to change logging on system components are defined; AU-12(03)_ODP[02] system components on which logging is to be performed are defined; AU-12(03)_ODP[03] selectable event criteria with which to change the logging to be performed are defined; AU-12(03)_ODP[04] time thresholds within which logging actions are to change are defined; AU-12(03)[01] the capability for to change the logging to be performed on based on within is provided; AU-12(03)[02] the capability for to change the logging to be performed on based on within is implemented. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-12(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit record generation; system design documentation; system configuration settings and associated documentation; system-generated list of individuals or roles authorized to change auditing to be performed; system audit records; other relevant documents or records]. AU-12(03)-Interview [SELECT FROM: Organizational personnel with audit record generation responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-12(03)-Test [SELECT FROM: Automated mechanisms implementing audit record generation capability]. AU-12(04) AUDIT RECORD GENERATION | QUERY PARAMETER AUDITS OF PERSONALLY IDENTIFIABLE INFORMATION ASSESSMENT OBJECTIVE: Determine if: AU-12(04)[01] the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided; AU-12(04)[02] the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-12(04)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing audit record generation; query event records; system design documentation; system configuration settings and associated documentation; map of system data actions; system audit records; other relevant documents or records]. AU-12(04)-Interview [SELECT FROM: Organizational personnel with audit record generation responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-12(04)-Test [SELECT FROM: Automated mechanisms implementing audit record generation capability]. 
AU-13 MONITORING FOR INFORMATION DISCLOSURE ASSESSMENT OBJECTIVE: Determine if: AU-13_ODP[01] open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined; AU-13_ODP[02] frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined; AU-13_ODP[03] personnel or roles to be notified if an information disclosure is discovered is/are defined; AU-13_ODP[04] additional actions to be taken if an information disclosure is discovered are defined; AU-13a. are monitored for evidence of unauthorized disclosure of organizational information; AU-13b.01 are notified if an information disclosure is discovered; AU-13b.02 are taken if an information disclosure is discovered. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-13-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing information disclosure monitoring; system design documentation; system configuration settings and associated documentation; monitoring records; system audit records; other relevant documents or records]. AU-13-Interview [SELECT FROM: Organizational personnel with responsibilities for monitoring open-source information and/or information sites; organizational personnel with security and privacy responsibilities]. AU-13-Test [SELECT FROM: Mechanisms implementing monitoring for information disclosure]. AU-13(01) MONITORING FOR INFORMATION DISCLOSURE | USE OF AUTOMATED TOOLS ASSESSMENT OBJECTIVE: Determine if: AU-13(01)_ODP automated mechanisms for monitoring open-source information and information sites are defined; AU-13(01) open-source information and information sites are monitored using . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-13(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing information disclosure monitoring; system design documentation; system configuration settings and associated documentation; automated monitoring tools; system audit records; other relevant documents or records]. AU-13(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for monitoring information disclosures; organizational personnel with information security and privacy responsibilities]. AU-13(01)-Test [SELECT FROM: Automated mechanisms implementing monitoring for information disclosure]. AU-13(02) MONITORING FOR INFORMATION DISCLOSURE | REVIEW OF MONITORED SITES ASSESSMENT OBJECTIVE: Determine if: AU-13(02)_ODP the frequency at which to review the open-source information sites being monitored is defined; AU-13(02) the list of open-source information sites being monitored is reviewed . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-13(02)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing information disclosure monitoring; system design documentation; system configuration settings and associated documentation; reviews for open-source information sites being monitored; system audit records; other relevant documents or records]. AU-13(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for monitoring open-source information sites; organizational personnel with information security and privacy responsibilities]. AU-13(02)-Test [SELECT FROM: Automated mechanisms implementing monitoring for information disclosure]. 
AU-13(03) MONITORING FOR INFORMATION DISCLOSURE | UNAUTHORIZED REPLICATION OF INFORMATION ASSESSMENT OBJECTIVE: Determine if: AU-13(03) discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-13(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing information disclosure monitoring; procedures addressing information replication; system design documentation; system configuration settings and associated documentation; system audit records; training resources for staff to recognize the unauthorized use of organizational information; other relevant documents or records]. AU-13(03)-Interview [SELECT FROM: Organizational personnel with responsibilities for monitoring unauthorized replication of information; organizational personnel with information security and privacy responsibilities]. AU-13(03)-Test [SELECT FROM: Discovery tools for identifying unauthorized information replication]. 
AU-14 SESSION AUDIT ASSESSMENT OBJECTIVE: Determine if: AU-14_ODP[01] users or roles who can audit the content of a user session are defined; AU-14_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {record; view; hear; log}; AU-14_ODP[03] circumstances under which the content of a user session can be audited are defined; AU-14a.[01] are provided with the capability to the content of a user session under ; AU-14a.[02] the capability for to the content of a user session under is implemented; AU-14b.[01] session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; AU-14b.[02] session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; AU-14b.[03] session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-14-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing user session auditing; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-14-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers; legal counsel; personnel with civil liberties responsibilities]. AU-14-Test [SELECT FROM: Mechanisms implementing user session auditing capability]. AU-14(01) SESSION AUDIT | SYSTEM START-UP ASSESSMENT OBJECTIVE: Determine if: AU-14(01) session audits are initiated automatically at system start-up. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-14(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing user session auditing; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-14(01)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. AU-14(01)-Test [SELECT FROM: Automated mechanisms implementing user session auditing capability]. AU-14(02) SESSION AUDIT | CAPTURE AND RECORD CONTENT [WITHDRAWN: Incorporated into AU-14.] AU-14(03) SESSION AUDIT | REMOTE VIEWING AND LISTENING ASSESSMENT OBJECTIVE: Determine if: AU-14(03)[01] the capability for authorized users to remotely view and hear content related to an established user session in real time is provided; AU-14(03)[02] the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-14(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing user session auditing; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-14(03)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; system/network administrators; system developers; legal counsel; personnel with civil liberties responsibilities]. AU-14(03)-Test [SELECT FROM: Automated mechanisms implementing user session auditing capability]. AU-15 ALTERNATE AUDIT LOGGING CAPABILITY [WITHDRAWN: Moved to AU-05(05).] 
AU-16 CROSS-ORGANIZATIONAL AUDIT LOGGING ASSESSMENT OBJECTIVE: Determine if: AU-16_ODP[01] methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined; AU-16_ODP[02] audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined; AU-16 for coordinating among external organizations when audit information is transmitted across organizational boundaries are employed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-16-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing methods for coordinating audit information among external organizations; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-16-Interview [SELECT FROM: Organizational personnel with responsibilities for coordinating audit information among external organizations; organizational personnel with information security and privacy responsibilities]. AU-16-Test [SELECT FROM: Automated mechanisms implementing cross-organizational auditing]. AU-16(01) CROSS-ORGANIZATIONAL AUDIT LOGGING | IDENTITY PRESERVATION ASSESSMENT OBJECTIVE: Determine if: AU-16(01) the identity of individuals in cross-organizational audit trails is preserved. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-16(01)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing cross-organizational audit trails; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. AU-16(01)-Interview [SELECT FROM: Organizational personnel with cross-organizational audit responsibilities; organizational personnel with information security and privacy responsibilities]. 
AU-16(01)-Test [SELECT FROM: Automated mechanisms implementing cross-organizational auditing (if applicable)]. AU-16(02) CROSS-ORGANIZATIONAL AUDIT LOGGING | SHARING OF AUDIT INFORMATION ASSESSMENT OBJECTIVE: Determine if: AU-16(02)_ODP[01] organizations with which cross-organizational audit information is to be shared are defined; AU-16(02)_ODP[02] cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined; AU-16(02) cross-organizational audit information is provided to based on . POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-16(02)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing cross-organizational sharing of audit information; information sharing agreements; other relevant documents or records]. AU-16(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for sharing cross-organizational audit information; organizational personnel with information security and privacy responsibilities]. AU-16(03) CROSS-ORGANIZATIONAL AUDIT LOGGING | DISASSOCIABILITY ASSESSMENT OBJECTIVE: Determine if: AU-16(03)_ODP measures to disassociate individuals from audit information transmitted across organizational boundaries are defined; AU-16(03) are implemented to disassociate individuals from audit information transmitted across organizational boundaries. POTENTIAL ASSESSMENT METHODS AND OBJECTS: AU-16(03)-Examine [SELECT FROM: Audit and accountability policy; system security plan; privacy plan; procedures addressing cross-organizational sharing of audit information; policy and/or procedures regarding the deidentification of PII; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. 
AU-16(03)-Interview [SELECT FROM: Organizational personnel with responsibilities for sharing cross-organizational audit information; organizational personnel with information security and privacy responsibilities]. AU-16(03)-Test [SELECT FROM: Automated mechanisms implementing disassociability]. 

4.4 Assessment, Authorization, and Monitoring 

CA-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: CA-01_ODP[01] personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined; CA-01_ODP[02] personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined; CA-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; CA-01_ODP[04] an official to manage the assessment, authorization, and monitoring policy and procedures is defined; CA-01_ODP[05] the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined; CA-01_ODP[06] events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined; CA-01_ODP[07] the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined; CA-01_ODP[08] events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined; CA-01a.[01] an assessment, authorization, and monitoring policy is developed and documented; CA-01a.[02] the assessment, authorization, and monitoring policy is disseminated to ; CA-01a.[03] assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented; CA-01a.[04] the assessment, authorization, and monitoring procedures are disseminated 
to ; CA-01a.01(a)[01] the assessment, authorization, and monitoring policy addresses purpose; CA-01a.01(a)[02] the assessment, authorization, and monitoring policy addresses scope; CA-01a.01(a)[03] the assessment, authorization, and monitoring policy addresses roles; CA-01a.01(a)[04] the assessment, authorization, and monitoring policy addresses responsibilities; CA-01a.01(a)[05] the assessment, authorization, and monitoring policy addresses management commitment; CA-01a.01(a)[06] the assessment, authorization, and monitoring policy addresses coordination among organizational entities; CA-01a.01(a)[07] the assessment, authorization, and monitoring policy addresses compliance; CA-01a.01(b) the assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; CA-01b. the is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; CA-01c.01[01] the current assessment, authorization, and monitoring policy is reviewed and updated ; CA-01c.01[02] the current assessment, authorization, and monitoring policy is reviewed and updated following ; CA-01c.02[01] the current assessment, authorization, and monitoring procedures are reviewed and updated ; CA-01c.02[02] the current assessment, authorization, and monitoring procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CA-01-Examine [SELECT FROM: Assessment, authorization, and monitoring policy and procedures; system security plan; privacy plan; other relevant documents or records]. 
CA-01-Interview [SELECT FROM: Organizational personnel with assessment, authorization, and monitoring policy responsibilities; organizational personnel with information security and privacy responsibilities]. CA-02 CONTROL ASSESSMENTS ASSESSMENT OBJECTIVE: Determine if: CA-02_ODP[01] the frequency at which to assess controls in the system and its environment of operation is defined; CA-02_ODP[02] individuals or roles to whom control assessment results are to be provided are defined; CA-02a. an appropriate assessor or assessment team is selected for the type of assessment to be conducted; CA-02b.01 a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment; CA-02b.02 a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness; CA-02b.03[01] a control assessment plan is developed that describes the scope of the assessment, including the assessment environment; a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities; CA-02b.03[02] a control assessment plan is developed that describes the scope of the assessment, including the assessment team; CA-02c. 
the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; CA-02d.[01] controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; CA-02d.[02] controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements; CA-02e. a control assessment report is produced that documents the results of the assessment; CA-02f. the results of the control assessment are provided to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CA-02-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing assessment planning; procedures addressing control assessments; control assessment plan; system security plan; privacy plan; other relevant documents or records]. CA-02-Interview [SELECT FROM: Organizational personnel with control assessment responsibilities; organizational personnel with information security and privacy responsibilities]. CA-02-Test [SELECT FROM: Automated mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting]. CA-02(01) CONTROL ASSESSMENTS | INDEPENDENT ASSESSORS ASSESSMENT OBJECTIVE: Determine if: CA-02(01) independent assessors or assessment teams are employed to conduct control assessments. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-02(01)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing control assessments; previous control assessment plan; previous control assessment report; plan of action and milestones; existing authorization statement; system security plan; privacy plan; other relevant documents or records].
CA-02(01)-Interview [SELECT FROM: Organizational personnel with security assessment responsibilities; organizational personnel with information security and privacy responsibilities].

CA-02(02) CONTROL ASSESSMENTS | SPECIALIZED ASSESSMENTS
ASSESSMENT OBJECTIVE: Determine if:
CA-02(02)_ODP[01] frequency at which to include specialized assessments as part of the control assessment is defined;
CA-02(02)_ODP[02] one of the following PARAMETER VALUES is selected: {announced; unannounced};
CA-02(02)_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; };
CA-02(02)_ODP[04] other forms of assessment are defined (if selected);
CA-02(02) is/are included as part of control assessments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-02(02)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing control assessments; control assessment plan; control assessment report; control assessment evidence; system security plan; privacy plan; other relevant documents or records].
CA-02(02)-Interview [SELECT FROM: Organizational personnel with control assessment responsibilities; organizational personnel with information security and privacy responsibilities].
CA-02(02)-Test [SELECT FROM: Automated mechanisms supporting control assessment].
CA-02(03) CONTROL ASSESSMENTS | LEVERAGING RESULTS FROM EXTERNAL ORGANIZATIONS
ASSESSMENT OBJECTIVE: Determine if:
CA-02(03)_ODP[01] external organizations from which the results of control assessments are leveraged are defined;
CA-02(03)_ODP[02] system on which a control assessment was performed by an external organization is defined;
CA-02(03)_ODP[03] requirements to be met by the control assessment performed by an external organization on the system are defined;
CA-02(03) the results of control assessments performed by on are leveraged when the assessment meets .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-02(03)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing control assessments; control assessment requirements; control assessment plan; control assessment report; control assessment evidence; plan of action and milestones; system security plan; privacy plan; other relevant documents or records].
CA-02(03)-Interview [SELECT FROM: Organizational personnel with control assessment responsibilities; organizational personnel with information security and privacy responsibilities; personnel performing control assessments for the specified external organization].

CA-03 INFORMATION EXCHANGE
ASSESSMENT OBJECTIVE: Determine if:
CA-03_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements; };
CA-03_ODP[02] the type of agreement used to approve and manage the exchange of information is defined (if selected);
CA-03_ODP[03] the frequency at which to review and update agreements is defined;
CA-03a. the exchange of information between system and other systems is approved and managed using ;
CA-03b.[01] the interface characteristics are documented as part of each exchange agreement;
CA-03b.[02] security requirements are documented as part of each exchange agreement;
CA-03b.[03] privacy requirements are documented as part of each exchange agreement;
CA-03b.[04] controls are documented as part of each exchange agreement;
CA-03b.[05] responsibilities for each system are documented as part of each exchange agreement;
CA-03b.[06] the impact level of the information communicated is documented as part of each exchange agreement;
CA-03c. agreements are reviewed and updated .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-03-Examine [SELECT FROM: Access control policy; procedures addressing system connections; system and communications protection policy; system interconnection security agreements; information exchange security agreements; memoranda of understanding or agreements; service level agreements; non-disclosure agreements; system design documentation; system configuration settings and associated documentation; system security plan; privacy plan; other relevant documents or records].
CA-03-Interview [SELECT FROM: Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements; organizational personnel with information security and privacy responsibilities; personnel managing the system(s) to which the interconnection security agreement applies].

CA-03(01) INFORMATION EXCHANGE | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS [WITHDRAWN: Moved to SC-07(25).]
CA-03(02) INFORMATION EXCHANGE | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS [WITHDRAWN: Moved to SC-07(26).]
CA-03(03) INFORMATION EXCHANGE | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS [WITHDRAWN: Moved to SC-07(27).]
CA-03(04) INFORMATION EXCHANGE | CONNECTIONS TO PUBLIC NETWORKS [WITHDRAWN: Moved to SC-07(28).]
CA-03(05) INFORMATION EXCHANGE | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS [WITHDRAWN: Moved to SC-07(05).]

CA-03(06) INFORMATION EXCHANGE | TRANSFER AUTHORIZATIONS
ASSESSMENT OBJECTIVE: Determine if:
CA-03(06) individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-03(06)-Examine [SELECT FROM: Access control policy; procedures addressing system connections; system and communications protection policy; system interconnection agreements; information exchange security agreements; memoranda of understanding or agreements; service level agreements; non-disclosure agreements; system design documentation; system configuration settings and associated documentation; control assessment report; system audit records; system security plan; privacy plan; other relevant documents or records].
CA-03(06)-Interview [SELECT FROM: Organizational personnel with responsibilities for managing connections to external systems; network administrators; organizational personnel with information security and privacy responsibilities].
CA-03(06)-Test [SELECT FROM: Automated mechanisms implementing restrictions on external system connections].

CA-03(07) INFORMATION EXCHANGE | TRANSITIVE INFORMATION EXCHANGES
ASSESSMENT OBJECTIVE: Determine if:
CA-03(07)(a) transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;
CA-03(07)(b) measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-03(07)-Examine [SELECT FROM: Access control policy; procedures addressing system connections; system and communications protection policy; system interconnection agreements; information exchange security agreements; memoranda of understanding or agreements; service level agreements; non-disclosure agreements; system design documentation; system configuration settings and associated documentation; control assessment report; system audit records; system security plan; privacy plan; other relevant documents or records].
CA-03(07)-Interview [SELECT FROM: Organizational personnel with responsibilities for managing connections to external systems; network administrators; organizational personnel with information security and privacy responsibilities].
CA-03(07)-Test [SELECT FROM: Automated mechanisms implementing restrictions on external system connections].

CA-04 SECURITY CERTIFICATION [WITHDRAWN: Incorporated into CA-02.]

CA-05 PLAN OF ACTION AND MILESTONES
ASSESSMENT OBJECTIVE: Determine if:
CA-05_ODP the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;
CA-05a. a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
CA-05b. existing plan of action and milestones are updated based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-05-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing plan of action and milestones; control assessment plan; control assessment report; control assessment evidence; plan of action and milestones; system security plan; privacy plan; other relevant documents or records].
CA-05-Interview [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities; organizational personnel with information security and privacy responsibilities].
CA-05-Test [SELECT FROM: Automated mechanisms for developing, implementing, and maintaining plan of action and milestones].

CA-05(01) PLAN OF ACTION AND MILESTONES | AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY
ASSESSMENT OBJECTIVE: Determine if:
CA-05(01)_ODP automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system are defined;
CA-05(01) are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-05(01)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing plan of action and milestones; system design documentation; system configuration settings and associated documentation; system audit records; plan of action and milestones; system security plan; privacy plan; other relevant documents or records].
CA-05(01)-Interview [SELECT FROM: Organizational personnel with plan of action and milestones development and implementation responsibilities; organizational personnel with information security and privacy responsibilities].
CA-05(01)-Test [SELECT FROM: Automated mechanisms for developing, implementing, and maintaining a plan of action and milestones].

CA-06 AUTHORIZATION
ASSESSMENT OBJECTIVE: Determine if:
CA-06_ODP frequency at which to update the authorizations is defined;
CA-06a. a senior official is assigned as the authorizing official for the system;
CA-06b. a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
CA-06c.01 before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
CA-06c.02 before commencing operations, the authorizing official for the system authorizes the system to operate;
CA-06d. the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
CA-06e. the authorizations are updated .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-06-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing authorization; system security plan; privacy plan; assessment report; plan of action and milestones; authorization statement; other relevant documents or records].
CA-06-Interview [SELECT FROM: Organizational personnel with authorization responsibilities; organizational personnel with information security and privacy responsibilities].
CA-06-Test [SELECT FROM: Automated mechanisms that facilitate authorizations and updates].

CA-06(01) AUTHORIZATION | JOINT AUTHORIZATION — INTRA-ORGANIZATION
ASSESSMENT OBJECTIVE: Determine if:
CA-06(01)[01] a joint authorization process is employed for the system;
CA-06(01)[02] the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-06(01)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing authorization; system security plan; privacy plan; assessment report; plan of action and milestones; authorization statement; other relevant documents or records].
CA-06(01)-Interview [SELECT FROM: Organizational personnel with authorization responsibilities; organizational personnel with information security and privacy responsibilities].
CA-06(01)-Test [SELECT FROM: Automated mechanisms that facilitate authorizations and updates].

CA-06(02) AUTHORIZATION | JOINT AUTHORIZATION — INTER-ORGANIZATION
ASSESSMENT OBJECTIVE: Determine if:
CA-06(02)[01] a joint authorization process is employed for the system;
CA-06(02)[02] the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-06(02)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing authorization; system security plan; privacy plan; assessment report; plan of action and milestones; authorization statement; other relevant documents or records].
CA-06(02)-Interview [SELECT FROM: Organizational personnel with authorization responsibilities; organizational personnel with information security and privacy responsibilities].
CA-06(02)-Test [SELECT FROM: Automated mechanisms that facilitate authorizations and updates].
CA-07 CONTINUOUS MONITORING
ASSESSMENT OBJECTIVE: Determine if:
CA-07_ODP[01] system-level metrics to be monitored are defined;
CA-07_ODP[02] frequencies at which to monitor control effectiveness are defined;
CA-07_ODP[03] frequencies at which to assess control effectiveness are defined;
CA-07_ODP[04] personnel or roles to whom the security status of the system is reported are defined;
CA-07_ODP[05] frequency at which the security status of the system is reported is defined;
CA-07_ODP[06] personnel or roles to whom the privacy status of the system is reported are defined;
CA-07_ODP[07] frequency at which the privacy status of the system is reported is defined;
CA-07[01] a system-level continuous monitoring strategy is developed;
CA-07[02] system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
CA-07a. system-level continuous monitoring includes establishment of the following system-level metrics to be monitored ;
CA-07b.[01] system-level continuous monitoring includes established for monitoring;
CA-07b.[02] system-level continuous monitoring includes established for assessment of control effectiveness;
CA-07c. system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
CA-07d. system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
CA-07e. system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
CA-07f. system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
CA-07g.[01] system-level continuous monitoring includes reporting the security status of the system to ;
CA-07g.[02] system-level continuous monitoring includes reporting the privacy status of the system to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-07-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; organizational continuous monitoring strategy; system-level continuous monitoring strategy; procedures addressing continuous monitoring of system controls; procedures addressing configuration management; control assessment report; plan of action and milestones; system monitoring records; configuration management records; impact analyses; status reports; system security plan; privacy plan; other relevant documents or records].
CA-07-Interview [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators].
CA-07-Test [SELECT FROM: Mechanisms implementing continuous monitoring; mechanisms supporting response actions to address assessment and monitoring results; mechanisms supporting security and privacy status reporting].

CA-07(01) CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT
ASSESSMENT OBJECTIVE: Determine if:
CA-07(01) independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-07(01)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; organizational continuous monitoring strategy; system-level continuous monitoring strategy; procedures addressing continuous monitoring of system controls; control assessment report; plan of action and milestones; system monitoring records; impact analyses; status reports; system security plan; privacy plan; other relevant documents or records].
CA-07(01)-Interview [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security and privacy responsibilities].

CA-07(02) CONTINUOUS MONITORING | TYPES OF ASSESSMENTS [WITHDRAWN: Incorporated into CA-02.]

CA-07(03) CONTINUOUS MONITORING | TREND ANALYSES
ASSESSMENT OBJECTIVE: Determine if:
CA-07(03)[01] trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;
CA-07(03)[02] trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;
CA-07(03)[03] trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-07(03)-Examine [SELECT FROM: Organizational continuous monitoring strategy; system-level continuous monitoring strategy; assessment, authorization, and monitoring policy; procedures addressing continuous monitoring of system controls; privacy controls; assessment report; plan of action and milestones; system monitoring records; impact analyses; status reports; system security plan; privacy plan; other relevant documents or records].
CA-07(03)-Interview [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security and privacy responsibilities].
CA-07(03)-Test [SELECT FROM: Mechanisms supporting trend analyses].

CA-07(04) CONTINUOUS MONITORING | RISK MONITORING
ASSESSMENT OBJECTIVE: Determine if:
CA-07(04) risk monitoring is an integral part of the continuous monitoring strategy;
CA-07(04)(a) effectiveness monitoring is included in risk monitoring;
CA-07(04)(b) compliance monitoring is included in risk monitoring;
CA-07(04)(c) change monitoring is included in risk monitoring.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-07(04)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; organizational continuous monitoring strategy; system-level continuous monitoring strategy; procedures addressing continuous monitoring of system controls; assessment report; plan of action and milestones; system monitoring records; impact analyses; status reports; system security plan; privacy plan; other relevant documents or records].
CA-07(04)-Interview [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security and privacy responsibilities].
CA-07(04)-Test [SELECT FROM: Mechanisms supporting risk monitoring].

CA-07(05) CONTINUOUS MONITORING | CONSISTENCY ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
CA-07(05)_ODP[01] actions to validate that policies are established are defined;
CA-07(05)_ODP[02] actions to validate that implemented controls are operating in a consistent manner are defined;
CA-07(05)[01] are employed to validate that policies are established;
CA-07(05)[02] are employed to validate that implemented controls are operating in a consistent manner.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-07(05)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; organizational continuous monitoring strategy; system-level continuous monitoring strategy; procedures addressing continuous monitoring of system security controls; assessment report; plan of action and milestones; system monitoring records; security impact analyses; status reports; system security plan; other relevant documents or records].
CA-07(05)-Interview [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security and privacy responsibilities].
CA-07(05)-Test [SELECT FROM: Mechanisms supporting consistency analyses].

CA-07(06) CONTINUOUS MONITORING | AUTOMATION SUPPORT FOR MONITORING
ASSESSMENT OBJECTIVE: Determine if:
CA-07(06)_ODP automated mechanisms used to ensure the accuracy, currency, and availability of monitoring results for the system are defined;
CA-07(06) are used to ensure the accuracy, currency, and availability of monitoring results for the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-07(06)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; organizational continuous monitoring strategy; system-level continuous monitoring strategy; procedures addressing continuous monitoring of system controls; assessment report; plan of action and milestones; system monitoring records; impact analyses; status reports; system security plan; privacy plan; other relevant documents or records].
CA-07(06)-Interview [SELECT FROM: Organizational personnel with continuous monitoring responsibilities; organizational personnel with information security and privacy responsibilities].
CA-07(06)-Test [SELECT FROM: Mechanisms supporting automated monitoring].
CA-08 PENETRATION TESTING
ASSESSMENT OBJECTIVE: Determine if:
CA-08_ODP[01] frequency at which to conduct penetration testing on systems or system components is defined;
CA-08_ODP[02] systems or system components on which penetration testing is to be conducted are defined;
CA-08 penetration testing is conducted on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-08-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing penetration testing; assessment plan; penetration test report; assessment report; assessment evidence; system security plan; privacy plan; other relevant documents or records].
CA-08-Interview [SELECT FROM: Organizational personnel with control assessment responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators].
CA-08-Test [SELECT FROM: Automated mechanisms supporting penetration testing].

CA-08(01) PENETRATION TESTING | INDEPENDENT PENETRATION TESTING AGENT OR TEAM
ASSESSMENT OBJECTIVE: Determine if:
CA-08(01) an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-08(01)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing penetration testing; assessment plan; penetration test report; assessment report; security assessment evidence; system security plan; privacy plan; other relevant documents or records].
CA-08(01)-Interview [SELECT FROM: Organizational personnel with assessment responsibilities; organizational personnel with information security and privacy responsibilities].
CA-08(02) PENETRATION TESTING | RED TEAM EXERCISES
ASSESSMENT OBJECTIVE: Determine if:
CA-08(02)_ODP red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;
CA-08(02) are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-08(02)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing penetration testing; procedures addressing red team exercises; assessment plan; results of red team exercises; penetration test report; assessment report; rules of engagement; assessment evidence; system security plan; privacy plan; other relevant documents or records].
CA-08(02)-Interview [SELECT FROM: Organizational personnel with assessment responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators].
CA-08(02)-Test [SELECT FROM: Automated mechanisms supporting the employment of red team exercises].

CA-08(03) PENETRATION TESTING | FACILITY PENETRATION TESTING
ASSESSMENT OBJECTIVE: Determine if:
CA-08(03)_ODP[01] frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined;
CA-08(03)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {announced; unannounced};
CA-08(03) the penetration testing process includes attempts to bypass or circumvent controls associated with physical access points to the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-08(03)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; procedures addressing penetration testing; procedures addressing red team exercises; assessment plan; results of red team exercises; penetration test report; assessment report; rules of engagement; assessment evidence; system security plan; privacy plan; other relevant documents or records].
CA-08(03)-Interview [SELECT FROM: Organizational personnel with assessment responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators].
CA-08(03)-Test [SELECT FROM: Automated mechanisms supporting the employment of red team exercises].

CA-09 INTERNAL SYSTEM CONNECTIONS
ASSESSMENT OBJECTIVE: Determine if:
CA-09_ODP[01] system components or classes of components requiring internal connections to the system are defined;
CA-09_ODP[02] conditions requiring termination of internal connections are defined;
CA-09_ODP[03] frequency at which to review the continued need for each internal connection is defined;
CA-09a. internal connections of to the system are authorized;
CA-09b.[01] for each internal connection, the interface characteristics are documented;
CA-09b.[02] for each internal connection, the security requirements are documented;
CA-09b.[03] for each internal connection, the privacy requirements are documented;
CA-09b.[04] for each internal connection, the nature of the information communicated is documented;
CA-09c. internal system connections are terminated after ;
CA-09d. the continued need for each internal connection is reviewed .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-09-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; access control policy; procedures addressing system connections; system and communications protection policy; system design documentation; system configuration settings and associated documentation; list of components or classes of components authorized as internal system connections; assessment report; system audit records; system security plan; privacy plan; other relevant documents or records].
CA-09-Interview [SELECT FROM: Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections; organizational personnel with information security and privacy responsibilities].
CA-09-Test [SELECT FROM: Mechanisms supporting internal system connections].

CA-09(01) INTERNAL SYSTEM CONNECTIONS | COMPLIANCE CHECKS
ASSESSMENT OBJECTIVE: Determine if:
CA-09(01)[01] security compliance checks are performed on constituent system components prior to the establishment of the internal connection;
CA-09(01)[02] privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CA-09(01)-Examine [SELECT FROM: Assessment, authorization, and monitoring policy; access control policy; procedures addressing system connections; system and communications protection policy; system design documentation; system configuration settings and associated documentation; list of components or classes of components authorized as internal system connections; assessment report; system audit records; system security plan; privacy plan; other relevant documents or records].
CA-09(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections; organizational personnel with information security and privacy responsibilities].
CA-09(01)-Test [SELECT FROM: Automated mechanisms supporting compliance checks].

4.5 Configuration Management

CM-01 POLICY AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
CM-01_ODP[01] personnel or roles to whom the configuration management policy is to be disseminated is/are defined;
CM-01_ODP[02] personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;
CM-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
CM-01_ODP[04] an official to manage the configuration management policy and procedures is defined;
CM-01_ODP[05] the frequency at which the current configuration management policy is reviewed and updated is defined;
CM-01_ODP[06] events that would require the current configuration management policy to be reviewed and updated are defined;
CM-01_ODP[07] the frequency at which the current configuration management procedures are reviewed and updated is defined;
CM-01_ODP[08] events that would require configuration management procedures to be reviewed and updated are defined;
CM-01a.[01] a configuration management policy is developed and documented;
CM-01a.[02] the configuration management policy is disseminated to ;
CM-01a.[03] configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
CM-01a.[04] the configuration management procedures are disseminated to ;
CM-01a.01(a)[01] the of the configuration management policy addresses purpose;
CM-01a.01(a)[02] the of the configuration management policy addresses scope;
CM-01a.01(a)[03] the of the configuration management policy addresses roles;
CM-01a.01(a)[04] the of the configuration management policy addresses responsibilities;
CM-01a.01(a)[05] the of the configuration management policy addresses management commitment;
CM-01a.01(a)[06] the of the configuration management policy addresses coordination among organizational entities;
CM-01a.01(a)[07] the of the configuration management policy addresses compliance;
CM-01a.01(b) the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
CM-01b. the is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;
CM-01c.01[01] the current configuration management policy is reviewed and updated ;
CM-01c.01[02] the current configuration management policy is reviewed and updated following ;
CM-01c.02[01] the current configuration management procedures are reviewed and updated ;
CM-01c.02[02] the current configuration management procedures are reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-01-Examine [SELECT FROM: Configuration management policy and procedures; security and privacy program policies and procedures; assessment or audit findings; documentation of security incidents or breaches; system security plan; privacy plan; risk management strategy; other relevant artifacts, documents, or records].
CM-01-Interview [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security and privacy responsibilities].
CM-02 BASELINE CONFIGURATION

ASSESSMENT OBJECTIVE:
Determine if:
CM-02_ODP[01] the frequency of baseline configuration review and update is defined;
CM-02_ODP[02] the circumstances requiring baseline configuration review and update are defined;
CM-02a.[01] a current baseline configuration of the system is developed and documented;
CM-02a.[02] a current baseline configuration of the system is maintained under configuration control;
CM-02b.01 the baseline configuration of the system is reviewed and updated ;
CM-02b.02 the baseline configuration of the system is reviewed and updated when required due to ;
CM-02b.03 the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-02-Examine [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; enterprise architecture documentation; system design documentation; system security plan; privacy plan; system architecture and configuration documentation; system configuration settings and associated documentation; system component inventory; change control records; other relevant documents or records].
CM-02-Interview [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators].
CM-02-Test [SELECT FROM: Organizational processes for managing baseline configurations; automated mechanisms supporting configuration control of the baseline configuration].

CM-02(01) BASELINE CONFIGURATION | REVIEWS AND UPDATES
[WITHDRAWN: Incorporated into CM-02.]
CM-02(02) BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY AND CURRENCY

ASSESSMENT OBJECTIVE:
Determine if:
CM-02(02)_ODP automated mechanisms for maintaining baseline configuration of the system are defined;
CM-02(02)[01] the currency of the baseline configuration of the system is maintained using ;
CM-02(02)[02] the completeness of the baseline configuration of the system is maintained using ;
CM-02(02)[03] the accuracy of the baseline configuration of the system is maintained using ;
CM-02(02)[04] the availability of the baseline configuration of the system is maintained using .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-02(02)-Examine [SELECT FROM: System security plan; configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; system component inventory; configuration change control records; other relevant documents or records].
CM-02(02)-Interview [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-02(02)-Test [SELECT FROM: Organizational processes for managing baseline configurations; automated mechanisms implementing baseline configuration maintenance].

CM-02(03) BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS

ASSESSMENT OBJECTIVE:
Determine if:
CM-02(03)_ODP the number of previous baseline configuration versions to be retained is defined;
CM-02(03) of previous baseline configuration version(s) of the system is/are retained to support rollback.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-02(03)-Examine [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; system architecture and configuration documentation; system configuration settings and associated documentation; copies of previous baseline configuration versions; system security plan; other relevant documents or records].
CM-02(03)-Interview [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-02(03)-Test [SELECT FROM: Organizational processes for managing baseline configurations].

CM-02(04) BASELINE CONFIGURATION | UNAUTHORIZED SOFTWARE
[WITHDRAWN: Incorporated into CM-07(04).]

CM-02(05) BASELINE CONFIGURATION | AUTHORIZED SOFTWARE
[WITHDRAWN: Incorporated into CM-07(05).]

CM-02(06) BASELINE CONFIGURATION | DEVELOPMENT AND TEST ENVIRONMENTS

ASSESSMENT OBJECTIVE:
Determine if:
CM-02(06)[01] a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;
CM-02(06)[02] a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-02(06)-Examine [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; system security plan; other relevant documents or records].
CM-02(06)-Interview [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-02(06)-Test [SELECT FROM: Organizational processes for managing baseline configurations; automated mechanisms implementing separate baseline configurations for development, test, and operational environments].

CM-02(07) BASELINE CONFIGURATION | CONFIGURE SYSTEMS AND COMPONENTS FOR HIGH-RISK AREAS

ASSESSMENT OBJECTIVE:
Determine if:
CM-02(07)_ODP[01] the systems or system components to be issued when individuals travel to high-risk areas are defined;
CM-02(07)_ODP[02] configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;
CM-02(07)_ODP[03] the controls to be applied when the individuals return from travel are defined;
CM-02(07)(a) with are issued to individuals traveling to locations that the organization deems to be of significant risk;
CM-02(07)(b) are applied to the systems or system components when the individuals return from travel.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-02(07)-Examine [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the system; procedures addressing system component installations and upgrades; system architecture and configuration documentation; system configuration settings and associated documentation; system component inventory; records of system baseline configuration reviews and updates; system component installations/upgrades and associated records; change control records; system security plan; other relevant documents or records].
CM-02(07)-Interview [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-02(07)-Test [SELECT FROM: Organizational processes for managing baseline configurations].
CM-03 CONFIGURATION CHANGE CONTROL

ASSESSMENT OBJECTIVE:
Determine if:
CM-03_ODP[01] the time period to retain records of configuration-controlled changes is defined;
CM-03_ODP[02] the configuration change control element responsible for coordinating and overseeing change control activities is defined;
CM-03_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {; };
CM-03_ODP[04] the frequency at which the configuration control element convenes is defined (if selected);
CM-03_ODP[05] change conditions that prompt the configuration control element to convene are defined (if selected);
CM-03a. the types of changes to the system that are configuration-controlled are determined and documented;
CM-03b.[01] proposed configuration-controlled changes to the system are reviewed;
CM-03b.[02] proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;
CM-03c. configuration change decisions associated with the system are documented;
CM-03d. approved configuration-controlled changes to the system are implemented;
CM-03e. records of configuration-controlled changes to the system are retained for ;
CM-03f.[01] activities associated with configuration-controlled changes to the system are monitored;
CM-03f.[02] activities associated with configuration-controlled changes to the system are reviewed;
CM-03g.[01] configuration change control activities are coordinated and overseen by ;
CM-03g.[02] the configuration control element convenes .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03-Examine [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system architecture and configuration documentation; change control records; system audit records; change control audit and review reports; agenda/minutes/documentation from configuration change control oversight meetings; system security plan; privacy plan; privacy impact assessments; system of records notices; other relevant documents or records].
CM-03-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; members of change control board or similar].
CM-03-Test [SELECT FROM: Organizational processes for configuration change control; automated mechanisms that implement configuration change control].

CM-03(01) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENTATION, NOTIFICATION, AND PROHIBITION OF CHANGES

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(01)_ODP[01] mechanisms used to automate configuration change control are defined;
CM-03(01)_ODP[02] approval authorities to be notified of and request approval for proposed changes to the system are defined;
CM-03(01)_ODP[03] the time period after which to highlight changes that have not been approved or disapproved is defined;
CM-03(01)_ODP[04] personnel to be notified when approved changes are complete is/are defined;
CM-03(01)(a) are used to document proposed changes to the system;
CM-03(01)(b) are used to notify of proposed changes to the system and request change approval;
CM-03(01)(c) are used to highlight proposed changes to the system that have not been approved or disapproved within ;
CM-03(01)(d) are used to prohibit changes to the system until designated approvals are received;
CM-03(01)(e) are used to document all changes to the system;
CM-03(01)(f) are used to notify when approved changes to the system are completed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system design documentation; system architecture and configuration documentation; automated configuration control mechanisms; system configuration settings and associated documentation; change control records; system audit records; change approval requests; change approvals; system security plan; other relevant documents or records].
CM-03(01)-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; members of change control board or similar].
CM-03(01)-Test [SELECT FROM: Organizational processes for configuration change control; automated mechanisms implementing configuration change control activities].

CM-03(02) CONFIGURATION CHANGE CONTROL | TESTING, VALIDATION, AND DOCUMENTATION OF CHANGES

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(02)[01] changes to the system are tested before finalizing the implementation of the changes;
CM-03(02)[02] changes to the system are validated before finalizing the implementation of the changes;
CM-03(02)[03] changes to the system are documented before finalizing the implementation of the changes.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(02)-Examine [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing system configuration change control; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; test records; validation records; change control records; system audit records; system security plan; other relevant documents or records].
CM-03(02)-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; members of change control board or similar].
CM-03(02)-Test [SELECT FROM: Organizational processes for configuration change control; automated mechanisms supporting and/or implementing, testing, validating, and documenting system changes].

CM-03(03) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(03)_ODP mechanisms used to automate the implementation of changes and deployment of the updated baseline across the installed base are defined;
CM-03(03)[01] changes to the current system baseline are implemented using ;
CM-03(03)[02] the updated baseline is deployed across the installed base using .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(03)-Examine [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing system configuration change control; system design documentation; system architecture and configuration documentation; automated configuration control mechanisms; change control records; system component inventory; system audit records; system security plan; other relevant documents or records].
CM-03(03)-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; members of change control board or similar].
CM-03(03)-Test [SELECT FROM: Organizational processes for configuration change control; automated mechanisms implementing changes to current system baseline].
CM-03(04) CONFIGURATION CHANGE CONTROL | SECURITY AND PRIVACY REPRESENTATIVES

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(04)_ODP[01] security representatives required to be members of the change control element are defined;
CM-03(04)_ODP[02] privacy representatives required to be members of the change control element are defined;
CM-03(04)_ODP[03] the configuration change control element of which the security and privacy representatives are to be members is defined;
CM-03(04)[01] are required to be members of the ;
CM-03(04)[02] are required to be members of the .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(04)-Examine [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system security plan; privacy plan; other relevant documents or records].
CM-03(04)-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security and privacy responsibilities; members of change control board or similar].
CM-03(04)-Test [SELECT FROM: Organizational processes for configuration change control].

CM-03(05) CONFIGURATION CHANGE CONTROL | AUTOMATED SECURITY RESPONSE

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(05)_ODP security responses to be automatically implemented are defined;
CM-03(05) are automatically implemented if baseline configurations are changed in an unauthorized manner.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(05)-Examine [SELECT FROM: System security plan; configuration management policy; procedures addressing system configuration change control; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; alerts/notifications of unauthorized baseline configuration changes; system audit records; other relevant documents or records].
CM-03(05)-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; members of change control board or similar].
CM-03(05)-Test [SELECT FROM: Organizational processes for configuration change control; automated mechanisms implementing security responses to unauthorized changes to the baseline configurations].

CM-03(06) CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(06)_ODP controls provided by cryptographic mechanisms that are to be under configuration management are defined;
CM-03(06) cryptographic mechanisms used to provide are under configuration management.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(06)-Examine [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; system security plan; other relevant documents or records].
CM-03(06)-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; members of change control board or similar].
CM-03(06)-Test [SELECT FROM: Organizational processes for configuration change control; cryptographic mechanisms implementing organizational security safeguards (controls)].

CM-03(07) CONFIGURATION CHANGE CONTROL | REVIEW SYSTEM CHANGES

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(07)_ODP[01] the frequency at which changes are to be reviewed is defined;
CM-03(07)_ODP[02] the circumstances under which changes are to be reviewed are defined;
CM-03(07) changes to the system are reviewed or when to determine whether unauthorized changes have occurred.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(07)-Examine [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; change control records; system architecture and configuration documentation; system configuration settings and associated documentation; system audit records; system component inventory; system security plan; other relevant documents or records].
CM-03(07)-Interview [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with security responsibilities; system/network administrators; members of change control board or similar].
CM-03(07)-Test [SELECT FROM: Organizational processes for configuration change control; mechanisms implementing audit records for changes].

CM-03(08) CONFIGURATION CHANGE CONTROL | PREVENT OR RESTRICT CONFIGURATION CHANGES

ASSESSMENT OBJECTIVE:
Determine if:
CM-03(08)_ODP the circumstances under which changes are to be prevented or restricted are defined;
CM-03(08) changes to the configuration of the system are prevented or restricted under .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-03(08)-Examine [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; change control records; system architecture and configuration documentation; system configuration settings and associated documentation; system component inventory; system audit records; system security plan; other relevant documents or records].
CM-04 IMPACT ANALYSES

ASSESSMENT OBJECTIVE:
Determine if:
CM-04[01] changes to the system are analyzed to determine potential security impacts prior to change implementation;
CM-04[02] changes to the system are analyzed to determine potential privacy impacts prior to change implementation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-04-Examine [SELECT FROM: Configuration management policy; procedures addressing security impact analyses for changes to the system; procedures addressing privacy impact analyses for changes to the system; configuration management plan; security impact analysis documentation; privacy impact analysis documentation; privacy impact assessment; privacy risk assessment documentation; system design documentation; analysis tools and associated outputs; change control records; system audit records; system security plan; privacy plan; other relevant documents or records].
CM-04-Interview [SELECT FROM: Organizational personnel with responsibility for conducting security impact analyses; organizational personnel with responsibility for conducting privacy impact analyses; organizational personnel with information security and privacy responsibilities; system developer; system/network administrators; members of change control board or similar].
CM-04-Test [SELECT FROM: Organizational processes for security impact analyses; organizational processes for privacy impact analyses].
CM-04(01) IMPACT ANALYSES | SEPARATE TEST ENVIRONMENTS

ASSESSMENT OBJECTIVE:
Determine if:
CM-04(01)[01] changes to the system are analyzed in a separate test environment before implementation in an operational environment;
CM-04(01)[02] changes to the system are analyzed for security impacts due to flaws;
CM-04(01)[03] changes to the system are analyzed for privacy impacts due to flaws;
CM-04(01)[04] changes to the system are analyzed for security impacts due to weaknesses;
CM-04(01)[05] changes to the system are analyzed for privacy impacts due to weaknesses;
CM-04(01)[06] changes to the system are analyzed for security impacts due to incompatibility;
CM-04(01)[07] changes to the system are analyzed for privacy impacts due to incompatibility;
CM-04(01)[08] changes to the system are analyzed for security impacts due to intentional malice;
CM-04(01)[09] changes to the system are analyzed for privacy impacts due to intentional malice.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-04(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing security impact analyses for changes to the system; procedures addressing privacy impact analyses for changes to the system; configuration management plan; security impact analysis documentation; privacy impact analysis documentation; privacy impact assessment; privacy risk assessment documentation; analysis tools and associated outputs; system design documentation; system architecture and configuration documentation; change control records; procedures addressing the authority to test with PII; system audit records; documentation of separate test and operational environments; system security plan; privacy plan; other relevant documents or records].
CM-04(01)-Interview [SELECT FROM: Organizational personnel with responsibility for conducting security and privacy impact analyses; organizational personnel with information security and privacy responsibilities; system/network administrators; members of change control board or similar].
CM-04(01)-Test [SELECT FROM: Organizational processes for security and privacy impact analyses; automated mechanisms supporting and/or implementing security and privacy impact analyses of changes].

CM-04(02) IMPACT ANALYSES | VERIFICATION OF CONTROLS

ASSESSMENT OBJECTIVE:
Determine if:
CM-04(02)[01] the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;
CM-04(02)[02] the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;
CM-04(02)[03] the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;
CM-04(02)[04] the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;
CM-04(02)[05] the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;
CM-04(02)[06] the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-04(02)-Examine [SELECT FROM: Configuration management policy; procedures addressing security impact analyses for changes to the system; procedures addressing privacy impact analyses for changes to the system; privacy risk assessment documentation; configuration management plan; security and privacy impact analysis documentation; privacy impact assessment; analysis tools and associated outputs; change control records; control assessment results; system audit records; system component inventory; system security plan; privacy plan; other relevant documents or records].
CM-04(02)-Interview [SELECT FROM: Organizational personnel with responsibility for conducting security and privacy impact analyses; organizational personnel with information security and privacy responsibilities; system/network administrators; security and privacy assessors].
CM-04(02)-Test [SELECT FROM: Organizational processes for security and privacy impact analyses; automated mechanisms supporting and/or implementing security and privacy impact analyses of changes].

CM-05 ACCESS RESTRICTIONS FOR CHANGE

ASSESSMENT OBJECTIVE:
Determine if:
CM-05[01] physical access restrictions associated with changes to the system are defined and documented;
CM-05[02] physical access restrictions associated with changes to the system are approved;
CM-05[03] physical access restrictions associated with changes to the system are enforced;
CM-05[04] logical access restrictions associated with changes to the system are defined and documented;
CM-05[05] logical access restrictions associated with changes to the system are approved;
CM-05[06] logical access restrictions associated with changes to the system are enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-05-Examine [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; logical access approvals; physical access approvals; access credentials; change control records; system audit records; system security plan; other relevant documents or records].
CM-05-Interview [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-05-Test [SELECT FROM: Organizational processes for managing access restrictions to change; automated mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system].

CM-05(01) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT AND AUDIT RECORDS

ASSESSMENT OBJECTIVE:
Determine if:
CM-05(01)_ODP mechanisms used to automate the enforcement of access restrictions are defined;
CM-05(01)(a) access restrictions for change are enforced using ;
CM-05(01)(b) audit records of enforcement actions are automatically generated.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-05(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system audit records; system security plan; other relevant documents or records].
CM-05(01)-Interview [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-05(01)-Test [SELECT FROM: Organizational processes for managing access restrictions to change; automated mechanisms implementing the enforcement of access restrictions for changes to the system; automated mechanisms supporting auditing of enforcement actions].

CM-05(02) ACCESS RESTRICTIONS FOR CHANGE | REVIEW SYSTEM CHANGES
[WITHDRAWN: Incorporated into CM-03(07).]

CM-05(03) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS
[WITHDRAWN: Moved to CM-14.]

CM-05(04) ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION

ASSESSMENT OBJECTIVE:
Determine if:
CM-05(04)_ODP[01] system components requiring dual authorization for changes are defined;
CM-05(04)_ODP[02] system-level information requiring dual authorization for changes is defined;
CM-05(04)[01] dual authorization for implementing changes to is enforced;
CM-05(04)[02] dual authorization for implementing changes to is enforced.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-05(04)-Examine [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system audit records; system component inventory; system information types information; system security plan; other relevant documents or records].
CM-05(04)-Interview [SELECT FROM: Organizational personnel with dual authorization enforcement responsibilities for implementing system changes; organizational personnel with information security responsibilities; system/network administrators].
CM-05(04)-Test [SELECT FROM: Organizational processes for managing access restrictions to change; automated mechanisms implementing dual authorization enforcement].

CM-05(05) ACCESS RESTRICTIONS FOR CHANGE | PRIVILEGE LIMITATION FOR PRODUCTION AND OPERATION

ASSESSMENT OBJECTIVE:
Determine if:
CM-05(05)_ODP[01] frequency at which to review privileges is defined;
CM-05(05)_ODP[02] frequency at which to reevaluate privileges is defined;
CM-05(05)(a)[01] privileges to change system components within a production or operational environment are limited;
CM-05(05)(a)[02] privileges to change system-related information within a production or operational environment are limited;
CM-05(05)(b)[01] privileges are reviewed ;
CM-05(05)(b)[02] privileges are reevaluated .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-05(05)-Examine [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; user privilege reviews; user privilege recertifications; system component inventory; change control records; system audit records; system security plan; other relevant documents or records].
CM-05(05)-Interview [SELECT FROM: Organizational personnel with information security responsibilities; system/network administrators].
CM-05(05)-Test [SELECT FROM: Organizational processes for managing access restrictions to change; automated mechanisms supporting and/or implementing access restrictions for change].

CM-05(06) ACCESS RESTRICTIONS FOR CHANGE | LIMIT LIBRARY PRIVILEGES

ASSESSMENT OBJECTIVE:
Determine if:
CM-05(06) privileges to change software resident within software libraries are limited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-05(06)-Examine [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; system component inventory; change control records; system audit records; system security plan; other relevant documents or records]. CM-05(06)-Interview [SELECT FROM: Organizational personnel with information security responsibilities; system/network administrators]. CM-05(06)-Test [SELECT FROM: Organizational processes for managing access restrictions to change; automated mechanisms supporting and/or implementing access restrictions for change]. CM-05(07) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS [WITHDRAWN: Incorporated into SI-07.] CM-06 CONFIGURATION SETTINGS ASSESSMENT OBJECTIVE: Determine if: CM-06_ODP[01] common secure configurations to establish and document configuration settings for components employed within the system are defined; CM-06_ODP[02] system components for which approval of deviations is needed are defined; CM-06_ODP[03] operational requirements necessitating approval of deviations are defined; CM-06a. configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using ; CM-06b. 
the configuration settings documented in CM-06a are implemented; CM-06c.[01] any deviations from established configuration settings for are identified and documented based on ; CM-06c.[02] any deviations from established configuration settings for are approved; CM-06d.[01] changes to the configuration settings are monitored in accordance with organizational policies and procedures; CM-06d.[02] changes to the configuration settings are controlled in accordance with organizational policies and procedures. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-06-Examine [SELECT FROM: Configuration management policy; procedures addressing configuration settings for the system; configuration management plan; system design documentation; system configuration settings and associated documentation; common secure configuration checklists; system component inventory; evidence supporting approved deviations from established configuration settings; change control records; system data processing and retention permissions; system audit records; system security plan; privacy plan; other relevant documents or records]. CM-06-Interview [SELECT FROM: Organizational personnel with security configuration management responsibilities; organizational personnel with privacy configuration management responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. CM-06-Test [SELECT FROM: Organizational processes for managing configuration settings; automated mechanisms that implement, monitor, and/or control system configuration settings; automated mechanisms that identify and/or document deviations from established configuration settings]. 
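An added, illustrative check for the CM-06 objectives above (example code written for this page, not part of SP 800-53A and not the output of any assessment tool): it compares the settings a collector reports for each component against the documented baseline (CM-06a/b), separates deviations that carry an approval record from those that do not (CM-06c), treats a setting the collector did not report as unverified rather than compliant, and maps each unapproved deviation to a per-setting response of the kind CM-06(02) calls for. The baseline, the three host records, the approved-deviation register and the change-board record ID are all constructed and hypothetical.

```python
"""Added example (not from SP 800-53A): verify deployed configuration settings
against a documented baseline, separate approved deviations from unapproved
ones (CM-06c), and map unapproved deviations to response actions (CM-06(02)).
Every baseline value, host record and approval record here is constructed for
illustration; setting names and record IDs are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CM-06a: documented baseline, the most restrictive mode consistent with
# operational requirements. Hypothetical setting names.
BASELINE: Dict[str, str] = {
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "no",
    "audit.enabled": "yes",
    "firewall.default_inbound": "deny",
    "tls.min_version": "1.2",
}

# CM-06c: register of approved deviations keyed by (component, setting).
# Each entry records the approved value, the operational requirement that
# justifies it, and the approval record (hypothetical change-board ID).
APPROVED_DEVIATIONS: Dict[Tuple[str, str], Dict[str, str]] = {
    ("legacy-app-01", "tls.min_version"): {
        "value": "1.0",
        "requirement": "vendor client negotiates TLS 1.0 only",
        "approved_by": "CCB-2024-017",
    },
}

# CM-06(02)_ODP[01]/[02]: per-setting response to an unauthorized change;
# anything not listed falls back to "notify". Hypothetical selections.
RESPONSE_ACTIONS: Dict[str, str] = {
    "ssh.permit_root_login": "restore_baseline_and_alert",
    "firewall.default_inbound": "restore_baseline_and_alert",
}


@dataclass(frozen=True)
class Finding:
    component: str
    setting: str
    expected: Optional[str]
    observed: Optional[str]
    status: str  # compliant | approved_deviation | unapproved_deviation | missing | not_in_baseline
    note: str = ""


def verify_component(component: str, observed: Dict[str, str]) -> List[Finding]:
    """Compare one component's observed settings against BASELINE (CM-06b)."""
    findings: List[Finding] = []
    for setting, expected in BASELINE.items():
        actual = observed.get(setting)
        if actual is None:
            # A setting the collector did not report cannot be called compliant.
            findings.append(Finding(component, setting, expected, None, "missing",
                                    "not reported by collector"))
        elif actual == expected:
            findings.append(Finding(component, setting, expected, actual, "compliant"))
        else:
            approval = APPROVED_DEVIATIONS.get((component, setting))
            # An approval covers exactly one value; drift beyond the approved
            # value is still an unapproved deviation.
            if approval is not None and approval["value"] == actual:
                findings.append(Finding(component, setting, expected, actual,
                                        "approved_deviation",
                                        f"{approval['requirement']} ({approval['approved_by']})"))
            else:
                findings.append(Finding(component, setting, expected, actual,
                                        "unapproved_deviation",
                                        "no approval record for this value"))
    # Settings present on the host but absent from the baseline are surfaced so
    # the baseline itself can be reviewed, not silently ignored.
    for setting in sorted(set(observed) - set(BASELINE)):
        findings.append(Finding(component, setting, None, observed[setting], "not_in_baseline"))
    return findings


def verify_all(observed_by_component: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for component, observed in observed_by_component.items():
        findings.extend(verify_component(component, observed))
    return findings


def status_map(findings: List[Finding]) -> Dict[str, str]:
    """setting -> status for one component's findings (handy for reporting)."""
    return {f.setting: f.status for f in findings}


def actions_for(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """CM-06(02): (component, setting, action) for every unapproved deviation."""
    return [(f.component, f.setting, RESPONSE_ACTIONS.get(f.setting, "notify"))
            for f in findings if f.status == "unapproved_deviation"]


# Constructed collector output for three hosts.
OBSERVED: Dict[str, Dict[str, str]] = {
    "web-01": {"ssh.permit_root_login": "no", "ssh.password_authentication": "yes",
               "audit.enabled": "yes", "firewall.default_inbound": "deny",
               "tls.min_version": "1.2"},
    "legacy-app-01": {"ssh.permit_root_login": "no", "ssh.password_authentication": "no",
                      "audit.enabled": "yes", "firewall.default_inbound": "deny",
                      "tls.min_version": "1.0"},
    "db-01": {"ssh.permit_root_login": "yes", "ssh.password_authentication": "no",
              "firewall.default_inbound": "deny", "tls.min_version": "1.2",
              "db.remote_admin": "enabled"},  # audit.enabled not reported; extra setting
}

if __name__ == "__main__":
    for f in verify_all(OBSERVED):
        if f.status != "compliant":
            print(f"{f.component:14} {f.setting:28} {f.status:21} {f.note}")
    for component, setting, action in actions_for(verify_all(OBSERVED)):
        print(f"respond: {component} {setting} -> {action}")
```

Run stand-alone it prints every non-compliant finding and the response it would trigger. An assessor exercising the CM-06-Test "automated mechanisms that identify and/or document deviations" would expect the real tool to keep the same three outcomes apart: approved deviation with a cited record, unapproved deviation, and setting not verified.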
CM-06(01) CONFIGURATION SETTINGS | AUTOMATED MANAGEMENT, APPLICATION, AND VERIFICATION ASSESSMENT OBJECTIVE: Determine if: CM-06(01)_ODP[01] system components for which to manage, apply, and verify configuration settings are defined; CM-06(01)_ODP[02] automated mechanisms to manage configuration settings are defined; CM-06(01)_ODP[03] automated mechanisms to apply configuration settings are defined; CM-06(01)_ODP[04] automated mechanisms to verify configuration settings are defined; CM-06(01)[01] configuration settings for are managed using ; CM-06(01)[02] configuration settings for are applied using ; CM-06(01)[03] configuration settings for are verified using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-06(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing configuration settings for the system; configuration management plan; system design documentation; system configuration settings and associated documentation; system component inventory; common secure configuration checklists; change control records; system audit records; system security plan; privacy plan; other relevant documents or records]. CM-06(01)-Interview [SELECT FROM: Organizational personnel with security configuration management responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. CM-06(01)-Test [SELECT FROM: Organizational processes for managing configuration settings; automated mechanisms implemented to manage, apply, and verify system configuration settings]. CM-06(02) CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES ASSESSMENT OBJECTIVE: Determine if: CM-06(02)_ODP[01] actions to be taken upon an unauthorized change are defined; CM-06(02)_ODP[02] configuration settings requiring action upon an unauthorized change are defined; CM-06(02) are taken in response to unauthorized changes to . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-06(02)-Examine [SELECT FROM: System security plan; privacy plan; configuration management policy; procedures addressing configuration settings for the system; configuration management plan; system design documentation; system configuration settings and associated documentation; alerts/notifications of unauthorized changes to system configuration settings; system component inventory; documented responses to unauthorized changes to system configuration settings; change control records; system audit records; other relevant documents or records]. CM-06(02)-Interview [SELECT FROM: Organizational personnel with security configuration management responsibilities; organizational personnel with security and privacy responsibilities; system/network administrators]. CM-06(02)-Test [SELECT FROM: Organizational process for responding to unauthorized changes to system configuration settings; automated mechanisms supporting and/or implementing actions in response to unauthorized changes]. CM-06(03) CONFIGURATION SETTINGS | UNAUTHORIZED CHANGE DETECTION [WITHDRAWN: Incorporated into SI-07.] CM-06(04) CONFIGURATION SETTINGS | CONFORMANCE DEMONSTRATION [WITHDRAWN: Incorporated into CM-04.] CM-07 LEAST FUNCTIONALITY ASSESSMENT OBJECTIVE: Determine if: CM-07_ODP[01] mission-essential capabilities for the system are defined; CM-07_ODP[02] functions to be prohibited or restricted are defined; CM-07_ODP[03] ports to be prohibited or restricted are defined; CM-07_ODP[04] protocols to be prohibited or restricted are defined; CM-07_ODP[05] software to be prohibited or restricted is defined; CM-07_ODP[06] services to be prohibited or restricted are defined; CM-07a. 
the system is configured to provide only ; CM-07b.[01] the use of is prohibited or restricted; CM-07b.[02] the use of is prohibited or restricted; CM-07b.[03] the use of is prohibited or restricted; CM-07b.[04] the use of is prohibited or restricted; CM-07b.[05] the use of is prohibited or restricted. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; system component inventory; common secure configuration checklists; system security plan; other relevant documents or records]. CM-07-Interview [SELECT FROM: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. CM-07-Test [SELECT FROM: Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services; automated mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services]. 
CM-07(01) LEAST FUNCTIONALITY | PERIODIC REVIEW ASSESSMENT OBJECTIVE: Determine if: CM-07(01)_ODP[01] the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined; CM-07(01)_ODP[02] functions to be disabled or removed when deemed unnecessary or non-secure are defined; CM-07(01)_ODP[03] ports to be disabled or removed when deemed unnecessary or non-secure are defined; CM-07(01)_ODP[04] protocols to be disabled or removed when deemed unnecessary or non-secure are defined; CM-07(01)_ODP[05] software to be disabled or removed when deemed unnecessary or non-secure is defined; CM-07(01)_ODP[06] services to be disabled or removed when deemed unnecessary or non-secure are defined; CM-07(01)(a) the system is reviewed to identify unnecessary and/or non-secure functions, ports, protocols, software, and services; CM-07(01)(b)[01] deemed to be unnecessary and/or non-secure are disabled or removed; CM-07(01)(b)[02] deemed to be unnecessary and/or non-secure are disabled or removed; CM-07(01)(b)[03] deemed to be unnecessary and/or non-secure are disabled or removed; CM-07(01)(b)[04] deemed to be unnecessary and/or non-secure is disabled or removed; CM-07(01)(b)[05] deemed to be unnecessary and/or non-secure are disabled or removed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; common secure configuration checklists; documented reviews of functions, ports, protocols, and/or services; change control records; system audit records; system security plan; other relevant documents or records]. 
CM-07(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system; organizational personnel with information security responsibilities; system/network administrators; system developers]. CM-07(01)-Test [SELECT FROM: Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system; automated mechanisms implementing review and disabling of functions, ports, protocols, and/or services]. CM-07(02) LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION ASSESSMENT OBJECTIVE: Determine if: CM-07(02)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {; rules authorizing the terms and conditions of software program usage}; CM-07(02)_ODP[02] policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected); CM-07(02) program execution is prevented in accordance with . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(02)-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; system component inventory; common secure configuration checklists; specifications for preventing software program execution; change control records; system audit records; system security plan; other relevant documents or records]. CM-07(02)-Interview [SELECT FROM: Organizational personnel with information security responsibilities; system/network administrators; system developers]. CM-07(02)-Test [SELECT FROM: Organizational processes preventing program execution on the system; organizational processes for software program usage and restrictions; automated mechanisms preventing program execution on the system; automated mechanisms supporting and/or implementing software program usage and restrictions]. 
CM-07(03) LEAST FUNCTIONALITY | REGISTRATION COMPLIANCE ASSESSMENT OBJECTIVE: Determine if: CM-07(03)_ODP registration requirements for functions, ports, protocols, and services are defined; CM-07(03) are complied with. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(03)-Examine [SELECT FROM: System security plan; configuration management policy; procedures addressing least functionality in the system; configuration management plan; system configuration settings and associated documentation; system component inventory; audit and compliance reviews; system audit records; other relevant documents or records]. CM-07(03)-Interview [SELECT FROM: Organizational personnel with security responsibilities; system/network administrators; system developers]. CM-07(03)-Test [SELECT FROM: Organizational processes ensuring compliance with registration requirements for functions, ports, protocols, and/or services; automated mechanisms implementing compliance with registration requirements for functions, ports, protocols, and/or services]. CM-07(04) LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE — DENY-BY-EXCEPTION ASSESSMENT OBJECTIVE: Determine if: CM-07(04)_ODP[01] software programs not authorized to execute on the system are defined; CM-07(04)_ODP[02] frequency at which to review and update the list of unauthorized software programs is defined; CM-07(04)(a) are identified; CM-07(04)(b) an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system; CM-07(04)(c) the list of unauthorized software programs is reviewed and updated . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(04)-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs not authorized to execute on the system; system component inventory; common secure configuration checklists; review and update records associated with list of unauthorized software programs; change control records; system audit records; system security plan; other relevant documents or records]. CM-07(04)-Interview [SELECT FROM: Organizational personnel with responsibilities for identifying software not authorized to execute on the system; organizational personnel with information security responsibilities; system/network administrators]. CM-07(04)-Test [SELECT FROM: Organizational process for identifying, reviewing, and updating programs not authorized to execute on the system; organizational process for implementing unauthorized software policy; automated mechanisms supporting and/or implementing unauthorized software policy]. CM-07(05) LEAST FUNCTIONALITY | AUTHORIZED SOFTWARE — ALLOW-BY-EXCEPTION ASSESSMENT OBJECTIVE: Determine if: CM-07(05)_ODP[01] software programs authorized to execute on the system are defined; CM-07(05)_ODP[02] frequency at which to review and update the list of authorized software programs is defined; CM-07(05)(a) are identified; CM-07(05)(b) a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed; CM-07(05)(c) the list of authorized software programs is reviewed and updated . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(05)-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs authorized to execute on the system; system component inventory; common secure configuration checklists; review and update records associated with list of authorized software programs; change control records; system audit records; system security plan; other relevant documents or records]. CM-07(05)-Interview [SELECT FROM: Organizational personnel with responsibilities for identifying software authorized to execute on the system; organizational personnel with information security responsibilities; system/network administrators]. CM-07(05)-Test [SELECT FROM: Organizational process for identifying, reviewing, and updating programs authorized to execute on the system; organizational process for implementing authorized software policy; automated mechanisms supporting and/or implementing authorized software policy]. CM-07(06) LEAST FUNCTIONALITY | CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES ASSESSMENT OBJECTIVE: Determine if: CM-07(06)_ODP user-installed software required to be executed in a confined environment is defined; CM-07(06) is required to be executed in a confined physical or virtual machine environment with limited privileges. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(06)-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; list or record of software required to execute in a confined environment; system component inventory; common secure configuration checklists; system audit records; system security plan; other relevant documents or records]. 
CM-07(06)-Interview [SELECT FROM: Organizational personnel with responsibilities for identifying and/or managing user-installed software and associated privileges; organizational personnel with information security responsibilities; system/network administrators]. CM-07(06)-Test [SELECT FROM: Organizational process for identifying user-installed software required to execute in a confined environment; automated mechanisms supporting and/or implementing the confinement of user-installed software to physical or virtual machine environments; automated mechanisms supporting and/or implementing privilege limitations on user-installed software]. CM-07(07) LEAST FUNCTIONALITY | CODE EXECUTION IN PROTECTED ENVIRONMENTS ASSESSMENT OBJECTIVE: Determine if: CM-07(07)_ODP personnel or roles to explicitly approve execution of binary or machine-executable code is/are defined; CM-07(07) the execution of binary or machine-executable code is only allowed in confined physical or virtual machine environments; CM-07(07)(a) the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of ; CM-07(07)(b) the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(07)-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system design documentation; system configuration settings and associated documentation; list or record of binary or machine-executable code; system component inventory; common secure configuration checklists; system audit records; system security plan; other relevant documents or records]. 
CM-07(07)-Interview [SELECT FROM: Organizational personnel with responsibilities for approving execution of binary or machine-executable code; organizational personnel with information security responsibilities; organizational personnel with software management responsibilities; system/network administrators; system developers]. CM-07(07)-Test [SELECT FROM: Organizational process for approving execution of binary or machine-executable code; organizational process for confining binary or machine-executable code to physical or virtual machine environments; automated mechanisms supporting and/or implementing the confinement of binary or machine-executable code to physical or virtual machine environments]. CM-07(08) LEAST FUNCTIONALITY | BINARY OR MACHINE EXECUTABLE CODE ASSESSMENT OBJECTIVE: Determine if: CM-07(08)(a) the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code; CM-07(08)(b)[01] exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements; CM-07(08)(b)[02] exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(08)-Examine [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; list or record of binary or machine-executable code; system component inventory; common secure configuration checklists; system audit records; other relevant documents or records]. 
CM-07(08)-Interview [SELECT FROM: Organizational personnel with responsibilities for determining mission and operational requirements; authorizing official for the system; organizational personnel with information security responsibilities; organizational personnel with software management responsibilities; system/network administrators]. CM-07(08)-Test [SELECT FROM: Organizational process for approving execution of binary or machine-executable code; automated mechanisms supporting and/or implementing the prohibition of binary or machine-executable code]. CM-07(09) LEAST FUNCTIONALITY | PROHIBITING THE USE OF UNAUTHORIZED HARDWARE ASSESSMENT OBJECTIVE: Determine if: CM-07(09)_ODP[01] hardware components authorized for system use are defined; CM-07(09)_ODP[02] frequency at which to review and update the list of authorized hardware components is defined; CM-07(09)(a) are identified; CM-07(09)(b) the use or connection of unauthorized hardware components is prohibited; CM-07(09)(c) the list of authorized hardware components is reviewed and updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-07(09)-Examine [SELECT FROM: Configuration management policy; network connection policy and procedures; configuration management plan; system security plan; system design documentation; system component inventory; system audit records; other relevant documents or records]. CM-07(09)-Interview [SELECT FROM: Organizational personnel with system hardware management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. CM-07(09)-Test [SELECT FROM: Organizational process for identifying authorized hardware components and for reviewing and updating the list of authorized hardware components; organizational process for prohibiting the use or connection of unauthorized hardware components; automated mechanisms supporting and/or implementing the prohibition of unauthorized hardware components]. 
CM-08 SYSTEM COMPONENT INVENTORY ASSESSMENT OBJECTIVE: Determine if: CM-08_ODP[01] information deemed necessary to achieve effective system component accountability is defined; CM-08_ODP[02] frequency at which to review and update the system component inventory is defined; CM-08a.01 an inventory of system components that accurately reflects the system is developed and documented; CM-08a.02 an inventory of system components that includes all components within the system is developed and documented; CM-08a.03 an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented; CM-08a.04 an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented; CM-08a.05 an inventory of system components that includes is developed and documented; CM-08b. the system component inventory is reviewed and updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system security plan; system design documentation; system component inventory; inventory reviews and update records; other relevant documents or records]. CM-08-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. CM-08-Test [SELECT FROM: Organizational processes for managing the system component inventory; automated mechanisms supporting and/or implementing system component inventory]. 
CM-08(01) SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATION AND REMOVAL ASSESSMENT OBJECTIVE: Determine if: CM-08(01)[01] the inventory of system components is updated as part of component installations; CM-08(01)[02] the inventory of system components is updated as part of component removals; CM-08(01)[03] the inventory of system components is updated as part of system updates. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system security plan; system component inventory; inventory reviews and update records; change control records; component installation records; component removal records; other relevant documents or records]. CM-08(01)-Interview [SELECT FROM: Organizational personnel with component inventory updating responsibilities; organizational personnel with information security responsibilities; system/network administrators]. CM-08(01)-Test [SELECT FROM: Organizational processes for updating the system component inventory; automated mechanisms supporting and/or implementing system component inventory updates]. 
CM-08(02) SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE ASSESSMENT OBJECTIVE: Determine if: CM-08(02)_ODP[01] automated mechanisms used to maintain the currency of the system component inventory are defined; CM-08(02)_ODP[02] automated mechanisms used to maintain the completeness of the system component inventory are defined; CM-08(02)_ODP[03] automated mechanisms used to maintain the accuracy of the system component inventory are defined; CM-08(02)_ODP[04] automated mechanisms used to maintain the availability of the system component inventory are defined; CM-08(02)[01] are used to maintain the currency of the system component inventory; CM-08(02)[02] are used to maintain the completeness of the system component inventory; CM-08(02)[03] are used to maintain the accuracy of the system component inventory; CM-08(02)[04] are used to maintain the availability of the system component inventory. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08(02)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system design documentation; system security plan; system component inventory; change control records; system maintenance records; system audit records; other relevant documents or records]. CM-08(02)-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. CM-08(02)-Test [SELECT FROM: Organizational processes for maintaining the system component inventory; automated mechanisms supporting and/or implementing the system component inventory]. 
CM-08(03) SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION ASSESSMENT OBJECTIVE: Determine if: CM-08(03)_ODP[01] automated mechanisms used to detect the presence of unauthorized hardware within the system are defined; CM-08(03)_ODP[02] automated mechanisms used to detect the presence of unauthorized software within the system are defined; CM-08(03)_ODP[03] automated mechanisms used to detect the presence of unauthorized firmware within the system are defined; CM-08(03)_ODP[04] frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined; CM-08(03)_ODP[05] one or more of the following PARAMETER VALUES is/are selected: {disable network access by unauthorized components; isolate unauthorized components; notify}; CM-08(03)_ODP[06] personnel or roles to be notified when unauthorized components are detected is/are defined (if selected); CM-08(03)(a)[01] the presence of unauthorized hardware within the system is detected using ; CM-08(03)(a)[02] the presence of unauthorized software within the system is detected using ; CM-08(03)(a)[03] the presence of unauthorized firmware within the system is detected using ; CM-08(03)(b)[01] are taken when unauthorized hardware is detected; CM-08(03)(b)[02] are taken when unauthorized software is detected; CM-08(03)(b)[03] are taken when unauthorized firmware is detected. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08(03)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system design documentation; system security plan; system component inventory; change control records; alerts/notifications of unauthorized components within the system; system monitoring records; system maintenance records; system audit records; other relevant documents or records]. 
CM-08(03)-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection; organizational personnel with information security responsibilities; system/network administrators; system developers]. CM-08(03)-Test [SELECT FROM: Organizational processes for detection of unauthorized system components; organizational processes for taking action when unauthorized system components are detected; automated mechanisms supporting and/or implementing the detection of unauthorized system components; automated mechanisms supporting and/or implementing actions taken when unauthorized system components are detected]. CM-08(04) SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY INFORMATION ASSESSMENT OBJECTIVE: Determine if: CM-08(04)_ODP one or more of the following PARAMETER VALUES is/are selected: {name; position; role}; CM-08(04) individuals responsible and accountable for administering system components are identified by in the system component inventory. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08(04)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system security plan; system component inventory; other relevant documents or records]. CM-08(04)-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. CM-08(04)-Test [SELECT FROM: Organizational processes for managing the system component inventory; automated mechanisms supporting and/or implementing the system component inventory]. CM-08(05) SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS [WITHDRAWN: Incorporated into CM-08.] 
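An added, illustrative detector for the CM-08(03) objectives above, which also exercises the CM-07(04)/(05) software policies, the CM-07(09) hardware prohibition and the CM-08(04) accountability attribute (example code written for this page, not part of SP 800-53A and not any product's detection logic): it compares a constructed scan of what is actually present against the component inventory, evaluates software under either the deny-all/permit-by-exception policy of CM-07(05) or the allow-all/deny-by-exception policy of CM-07(04), and attaches the CM-08(03)(b) response selection and the role to notify to each detection. Serial numbers, package versions, firmware strings, the ISSO role and the response selections are all constructed and hypothetical.

```python
"""Added example (not from SP 800-53A): detect unauthorized hardware, software
and firmware by comparing an observed scan against the system component
inventory, then map each detection to the CM-08(03) response selection
(disable network access, isolate, notify). Software is evaluated under either
the CM-07(05) deny-all/permit-by-exception policy or the CM-07(04)
allow-all/deny-by-exception policy. All inventory and scan data are
constructed; serial numbers, versions and role names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# CM-08a / CM-07(09)(a): authorized hardware by serial number, with the
# accountable role recorded per CM-08(04).
AUTHORIZED_HARDWARE: Dict[str, Dict[str, str]] = {
    "SN-1001": {"type": "server", "accountable_role": "platform-admin"},
    "SN-1002": {"type": "switch", "accountable_role": "network-admin"},
}
# CM-07(05)(a): software authorized to execute, as (name, version) pairs.
AUTHORIZED_SOFTWARE: Set[Tuple[str, str]] = {("openssh-server", "9.6p1"), ("nginx", "1.24.0")}
# CM-07(04)(a): software explicitly not authorized to execute, by name.
UNAUTHORIZED_SOFTWARE: Set[str] = {"telnetd", "nc"}
# Authorized firmware version per hardware component.
AUTHORIZED_FIRMWARE: Dict[str, str] = {"SN-1001": "BIOS 2.14", "SN-1002": "IOS 15.2"}

# CM-08(03)_ODP[05]/[06]: selected responses per component kind and the role
# to notify. Hypothetical selections.
RESPONSE: Dict[str, Tuple[str, ...]] = {
    "hardware": ("disable network access", "notify"),
    "software": ("isolate", "notify"),
    "firmware": ("notify",),
}
NOTIFY_ROLE = "ISSO"


@dataclass(frozen=True)
class Detection:
    kind: str      # hardware | software | firmware
    host: str      # serial number of the component the finding is on
    item: str
    reason: str


def detect_hardware(scan: dict) -> List[Detection]:
    """Any serial seen on the network that is not in the inventory (CM-07(09)(b))."""
    return [Detection("hardware", hw["serial"], hw["serial"], "serial not in component inventory")
            for hw in scan["hardware"] if hw["serial"] not in AUTHORIZED_HARDWARE]


def detect_software(scan: dict, policy: str) -> List[Detection]:
    """policy 'permit-by-exception' (CM-07(05)) flags anything not on the
    authorized list; 'deny-by-exception' (CM-07(04)) flags only listed programs."""
    if policy not in ("permit-by-exception", "deny-by-exception"):
        raise ValueError(f"unknown policy: {policy}")
    found: List[Detection] = []
    for host, packages in scan["software"].items():
        for name, version in packages:
            if policy == "permit-by-exception":
                if (name, version) not in AUTHORIZED_SOFTWARE:
                    found.append(Detection("software", host, f"{name} {version}",
                                           "not on authorized software list"))
            elif name in UNAUTHORIZED_SOFTWARE:
                found.append(Detection("software", host, f"{name} {version}",
                                       "on unauthorized software list"))
    return found


def detect_firmware(scan: dict) -> List[Detection]:
    """Firmware version differs from the inventoried version, or host unknown."""
    found: List[Detection] = []
    for host, version in scan["firmware"].items():
        expected = AUTHORIZED_FIRMWARE.get(host)
        if expected is None:
            found.append(Detection("firmware", host, version, "host not in component inventory"))
        elif version != expected:
            found.append(Detection("firmware", host, version, f"expected {expected}"))
    return found


def detect_all(scan: dict, policy: str) -> List[Detection]:
    return detect_hardware(scan) + detect_software(scan, policy) + detect_firmware(scan)


def respond(detections: List[Detection]) -> List[Dict[str, object]]:
    """CM-08(03)(b): attach the selected actions, the notification target and
    the accountable role from the inventory (CM-08(04)) to each detection."""
    return [{"detection": d, "actions": RESPONSE[d.kind], "notify": NOTIFY_ROLE,
             "accountable_role": AUTHORIZED_HARDWARE.get(d.host, {}).get("accountable_role", "unassigned")}
            for d in detections]


# Constructed scan: SN-9999 is an unknown device running telnetd; SN-1001 has
# nc and curl installed; SN-1002 runs downgraded firmware.
SCAN = {
    "hardware": [{"serial": "SN-1001"}, {"serial": "SN-1002"}, {"serial": "SN-9999"}],
    "software": {
        "SN-1001": [("openssh-server", "9.6p1"), ("nginx", "1.24.0"), ("nc", "1.10"), ("curl", "8.5.0")],
        "SN-9999": [("telnetd", "0.17")],
    },
    "firmware": {"SN-1001": "BIOS 2.14", "SN-1002": "IOS 12.4"},
}

if __name__ == "__main__":
    for entry in respond(detect_all(SCAN, "permit-by-exception")):
        d = entry["detection"]
        print(f"{d.kind:8} {d.host:8} {d.item:22} {d.reason:36} -> {', '.join(entry['actions'])}; "
              f"notify {entry['notify']} (accountable: {entry['accountable_role']})")
```

Running the two software policies over the same scan shows the practical difference an assessor should look for: under permit-by-exception the unlisted curl package is a detection, under deny-by-exception it is not, while nc and telnetd are detections under both. A detection on a host that is not in the inventory has no accountable role to route to, which is why the CM-08(04) attribute is carried on the response rather than assumed.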
CM-08(06) SYSTEM COMPONENT INVENTORY | ASSESSED CONFIGURATIONS AND APPROVED DEVIATIONS ASSESSMENT OBJECTIVE: Determine if: CM-08(06)[01] assessed component configurations are included in the system component inventory; CM-08(06)[02] any approved deviations to current deployed configurations are included in the system component inventory. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08(06)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system security plan; system design documentation; system component inventory; system configuration settings and associated documentation; change control records; other relevant documents or records]. CM-08(06)-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; organizational personnel with assessment responsibilities; organizational personnel with information security responsibilities; system/network administrators]. CM-08(06)-Test [SELECT FROM: Organizational processes for managing the system component inventory; automated mechanisms supporting and/or implementing system component inventory]. CM-08(07) SYSTEM COMPONENT INVENTORY | CENTRALIZED REPOSITORY ASSESSMENT OBJECTIVE: Determine if: CM-08(07) a centralized repository for the system component inventory is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08(07)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system design documentation; system security plan; system component inventory; system configuration settings and associated documentation; change control records; other relevant documents or records]. CM-08(07)-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; organizational personnel with security responsibilities]. 
CM-08(07)-Test [SELECT FROM: Organizational processes for managing the system component inventory; automated mechanisms supporting and/or implementing system component inventory]. CM-08(08) SYSTEM COMPONENT INVENTORY | AUTOMATED LOCATION TRACKING ASSESSMENT OBJECTIVE: Determine if: CM-08(08)_ODP automated mechanisms for tracking components are defined; CM-08(08) are used to support the tracking of system components by geographic location. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CM-08(08)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system design documentation; system component inventory; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. CM-08(08)-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. CM-08(08)-Test [SELECT FROM: Organizational processes for managing the system component inventory; automated mechanisms supporting and/or implementing system component inventory; automated mechanisms supporting and/or implementing tracking of components by geographic locations]. CM-08(09) SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS ASSESSMENT OBJECTIVE: Determine if: CM-08(09)_ODP personnel or roles from which to receive an acknowledgement is/are defined; CM-08(09)(a) system components are assigned to a system; CM-08(09)(b) an acknowledgement of the component assignment is received from . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-08(09)-Examine [SELECT FROM: Configuration management policy; procedures addressing system component inventory; configuration management plan; system security plan; system design documentation; system component inventory; change control records; acknowledgements of system component assignments; system security plan; other relevant documents or records].
CM-08(09)-Interview [SELECT FROM: Organizational personnel with component inventory management responsibilities; system owner; organizational personnel with information security responsibilities; system/network administrators].
CM-08(09)-Test [SELECT FROM: Organizational processes for assigning components to systems; organizational processes for acknowledging assignment of components to systems; automated mechanisms implementing assignment of components to the system; automated mechanisms implementing acknowledgment of assignment of components to the system].

CM-09 CONFIGURATION MANAGEMENT PLAN
ASSESSMENT OBJECTIVE: Determine if:
CM-09_ODP personnel or roles to review and approve the configuration management plan is/are defined;
CM-09[01] a configuration management plan for the system is developed and documented;
CM-09[02] a configuration management plan for the system is implemented;
CM-09a.[01] the configuration management plan addresses roles;
CM-09a.[02] the configuration management plan addresses responsibilities;
CM-09a.[03] the configuration management plan addresses configuration management processes and procedures;
CM-09b.[01] the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;
CM-09b.[02] the configuration management plan establishes a process for managing the configuration of the configuration items;
CM-09c.[01] the configuration management plan defines the configuration items for the system;
CM-09c.[02] the configuration management plan places the configuration items under configuration management;
CM-09d. the configuration management plan is reviewed and approved by ;
CM-09e.[01] the configuration management plan is protected from unauthorized disclosure;
CM-09e.[02] the configuration management plan is protected from unauthorized modification.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-09-Examine [SELECT FROM: Configuration management policy; procedures addressing configuration management planning; configuration management plan; system design documentation; system security plan; privacy plan; other relevant documents or records].
CM-09-Interview [SELECT FROM: Organizational personnel with responsibilities for developing the configuration management plan; organizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan; organizational personnel with responsibilities for protecting the configuration management plan; organizational personnel with information security and privacy responsibilities; system/network administrators].
CM-09-Test [SELECT FROM: Organizational processes for developing and documenting the configuration management plan; organizational processes for identifying and managing configuration items; organizational processes for protecting the configuration management plan; automated mechanisms implementing the configuration management plan; automated mechanisms for managing configuration items; automated mechanisms for protecting the configuration management plan].

CM-09(01) CONFIGURATION MANAGEMENT PLAN | ASSIGNMENT OF RESPONSIBILITY
ASSESSMENT OBJECTIVE: Determine if:
CM-09(01) the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-09(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing responsibilities for configuration management process development; configuration management plan; system security plan; system security plan; other relevant documents or records].
CM-09(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for configuration management process development; organizational personnel with information security responsibilities].

CM-10 SOFTWARE USAGE RESTRICTIONS
ASSESSMENT OBJECTIVE: Determine if:
CM-10a. software and associated documentation are used in accordance with contract agreements and copyright laws;
CM-10b. the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
CM-10c. the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-10-Examine [SELECT FROM: Configuration management policy; software usage restrictions; software contract agreements and copyright laws; site license documentation; list of software usage restrictions; software license tracking reports; configuration management plan; system security plan; system security plan; other relevant documents or records].
CM-10-Interview [SELECT FROM: Organizational personnel operating, using, and/or maintaining the system; organizational personnel with software license management responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-10-Test [SELECT FROM: Organizational processes for tracking the use of software protected by quantity licenses; organizational processes for controlling/documenting the use of peer-to-peer file sharing technology; automated mechanisms implementing software license tracking; automated mechanisms implementing and controlling the use of peer-to-peer file sharing technology].

CM-10(01) SOFTWARE USAGE RESTRICTIONS | OPEN-SOURCE SOFTWARE
ASSESSMENT OBJECTIVE: Determine if:
CM-10(01)_ODP restrictions on the use of open-source software are defined;
CM-10(01) are established for the use of open-source software.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-10(01)-Examine [SELECT FROM: Configuration management policy; software usage restrictions; software contract agreements and copyright laws; site license documentation; list of software usage restrictions; software license tracking reports; configuration management plan; system security plan; system security plan; other relevant documents or records].
CM-10(01)-Interview [SELECT FROM: Organizational personnel operating, using, and/or maintaining the system; organizational personnel with software license management responsibilities; organizational personnel with information security responsibilities; system/network administrators].
CM-10(01)-Test [SELECT FROM: Organizational processes for tracking the use of software protected by quantity licenses; organizational processes for controlling/documenting the use of peer-to-peer file sharing technology; automated mechanisms implementing software license tracking; automated mechanisms implementing and controlling the use of peer-to-peer file sharing technology].

CM-11 USER-INSTALLED SOFTWARE
ASSESSMENT OBJECTIVE: Determine if:
CM-11_ODP[01] policies governing the installation of software by users are defined;
CM-11_ODP[02] methods used to enforce software installation policies are defined;
CM-11_ODP[03] frequency with which to monitor compliance is defined;
CM-11a. governing the installation of software by users are established;
CM-11b. software installation policies are enforced through ;
CM-11c. compliance with is monitored .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-11-Examine [SELECT FROM: Configuration management policy; procedures addressing user-installed software; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; list of rules governing user-installed software; system monitoring records; system audit records; continuous monitoring strategy; system security plan; other relevant documents or records].
CM-11-Interview [SELECT FROM: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the system; organizational personnel monitoring compliance with user-installed software policy; organizational personnel with information security responsibilities; system/network administrators].
CM-11-Test [SELECT FROM: Organizational processes governing user-installed software on the system; automated mechanisms enforcing policies and methods for governing the installation of software by users; automated mechanisms monitoring policy compliance].

CM-11(01) USER-INSTALLED SOFTWARE | ALERTS FOR UNAUTHORIZED INSTALLATIONS
[WITHDRAWN: Incorporated into CM-08(03).]

CM-11(02) USER-INSTALLED SOFTWARE | SOFTWARE INSTALLATION WITH PRIVILEGED STATUS
ASSESSMENT OBJECTIVE: Determine if:
CM-11(02) user installation of software is allowed only with explicit privileged status.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-11(02)-Examine [SELECT FROM: Configuration management policy; procedures addressing user-installed software; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; alerts/notifications of unauthorized software installations; system audit records; continuous monitoring strategy; system security plan; other relevant documents or records].
CM-11(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the system; organizational personnel with information security responsibilities; system/network administrators].
CM-11(02)-Test [SELECT FROM: Organizational processes governing user-installed software on the system; automated mechanisms for prohibiting installation of software without privileged status (e.g., access controls)].

CM-11(03) USER-INSTALLED SOFTWARE | AUTOMATED ENFORCEMENT AND MONITORING
ASSESSMENT OBJECTIVE: Determine if:
CM-11(03)_ODP[01] automated mechanisms used to enforce compliance are defined;
CM-11(03)_ODP[02] automated mechanisms used to monitor compliance are defined;
CM-11(03)[01] compliance with software installation policies is enforced using ;
CM-11(03)[02] compliance with software installation policies is monitored using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-11(03)-Examine [SELECT FROM: Configuration management policy; procedures addressing user-installed software; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; list of rules governing user-installed software; system monitoring records; system audit records; continuous monitoring strategy; system security plan; other relevant documents or records].
CM-11(03)-Interview [SELECT FROM: Organizational personnel with responsibilities for governing user-installed software; organizational personnel operating, using, and/or maintaining the system; organizational personnel monitoring compliance with user-installed software policy; organizational personnel with information security responsibilities; system/network administrators].
CM-11(03)-Test [SELECT FROM: Organizational processes governing user-installed software on the system; automated mechanisms enforcing policies on installation of software by users; automated mechanisms monitoring policy compliance].

CM-12 INFORMATION LOCATION
ASSESSMENT OBJECTIVE: Determine if:
CM-12_ODP information for which the location is to be identified and documented is defined;
CM-12a.[01] the location of is identified and documented;
CM-12a.[02] the specific system components on which is processed are identified and documented;
CM-12a.[03] the specific system components on which is stored are identified and documented;
CM-12b.[01] the users who have access to the system and system components where is processed are identified and documented;
CM-12b.[02] the users who have access to the system and system components where is stored are identified and documented;
CM-12c.[01] changes to the location (i.e., system or system components) where is processed are documented;
CM-12c.[02] changes to the location (i.e., system or system components) where is stored are documented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-12-Examine [SELECT FROM: Configuration management policy; procedures addressing identification and documentation of information location; configuration management plan; system design documentation; system architecture documentation; PII inventory documentation; data mapping documentation; audit records; list of users with system and system component access; change control records; system component inventory; system security plan; privacy plan; other relevant documents or records].
CM-12-Interview [SELECT FROM: Organizational personnel with responsibilities for managing information location and user access to information; organizational personnel with responsibilities for operating, using, and/or maintaining the system; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers].
CM-12-Test [SELECT FROM: Organizational processes governing information location; automated mechanisms enforcing policies and methods for governing information location].

CM-12(01) INFORMATION LOCATION | AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION
ASSESSMENT OBJECTIVE: Determine if:
CM-12(01)_ODP[01] information to be protected is defined by information type;
CM-12(01)_ODP[02] system components where the information is located are defined;
CM-12(01) automated tools are used to identify on to ensure that controls are in place to protect organizational information and individual privacy.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-12(01)-Examine [SELECT FROM: Configuration management policy; procedures addressing identification and documentation of information location; configuration management plan; system design documentation; PII inventory documentation; data mapping documentation; change control records; system component inventory; system security plan; privacy plan; other relevant documents or records].
CM-12(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for managing information location; organizational personnel with information security responsibilities; system/network administrators; system developers].
CM-12(01)-Test [SELECT FROM: Organizational processes governing information location; automated mechanisms enforcing policies and methods for governing information location; automated tools used to identify information on system components].

CM-13 DATA ACTION MAPPING
ASSESSMENT OBJECTIVE: Determine if:
CM-13 a map of system data actions is developed and documented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-13-Examine [SELECT FROM: Configuration management policy; procedures for identification and documentation of information location; procedures for mapping data actions; configuration management plan; system security plan; privacy plan; system design documentation; PII inventory documentation; data mapping documentation; change control records; system component inventory; other relevant documents or records].
CM-13-Interview [SELECT FROM: Organizational personnel with responsibilities for managing information location; organizational personnel responsible for data action mapping; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers].
CM-13-Test [SELECT FROM: Organizational processes governing information location; automated mechanisms supporting or implementing data action mapping].
CM-14 SIGNED COMPONENTS
ASSESSMENT OBJECTIVE: Determine if:
CM-14_ODP[01] software components requiring verification of a digitally signed certificate before installation are defined;
CM-14_ODP[02] firmware components requiring verification of a digitally signed certificate before installation are defined;
CM-14[01] the installation of is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;
CM-14[02] the installation of is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CM-14-Examine [SELECT FROM: Configuration management policy; procedures addressing digitally signed certificates for software and firmware components; configuration management plan; system security plan; system design documentation; change control records; system component inventory; system security plan; other relevant documents or records].
CM-14-Interview [SELECT FROM: Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation; organizational personnel with information security responsibilities; system/network administrators; system developers].
CM-14-Test [SELECT FROM: Organizational processes governing information location; automated mechanisms enforcing policies and methods for governing information location; automated tools supporting or implementing digital signatures for software and firmware components; automated tools supporting or implementing verification of digital signatures for software and firmware component installation].
4.6 Contingency Planning

CP-01 POLICY AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
CP-01_ODP[01] personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;
CP-01_ODP[02] personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;
CP-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
CP-01_ODP[04] an official to manage the contingency planning policy and procedures is defined;
CP-01_ODP[05] the frequency at which the current contingency planning policy is reviewed and updated is defined;
CP-01_ODP[06] events that would require the current contingency planning policy to be reviewed and updated are defined;
CP-01_ODP[07] the frequency at which the current contingency planning procedures are reviewed and updated is defined;
CP-01_ODP[08] events that would require procedures to be reviewed and updated are defined;
CP-01a.[01] a contingency planning policy is developed and documented;
CP-01a.[02] the contingency planning policy is disseminated to ;
CP-01a.[03] contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;
CP-01a.[04] the contingency planning procedures are disseminated to ;
CP-01a.01(a)[01] the contingency planning policy addresses purpose;
CP-01a.01(a)[02] the contingency planning policy addresses scope;
CP-01a.01(a)[03] the contingency planning policy addresses roles;
CP-01a.01(a)[04] the contingency planning policy addresses responsibilities;
CP-01a.01(a)[05] the contingency planning policy addresses management commitment;
CP-01a.01(a)[06] the contingency planning policy addresses coordination among organizational entities;
CP-01a.01(a)[07] the contingency planning policy addresses compliance;
CP-01a.01(b) the contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
CP-01b. the is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;
CP-01c.01[01] the current contingency planning policy is reviewed and updated ;
CP-01c.01[02] the current contingency planning policy is reviewed and updated following ;
CP-01c.02[01] the current contingency planning procedures are reviewed and updated ;
CP-01c.02[02] the current contingency planning procedures are reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-01-Examine [SELECT FROM: Contingency planning policy and procedures; system security plan; privacy plan; other relevant documents or records].
CP-01-Interview [SELECT FROM: Organizational personnel with contingency planning responsibilities; organizational personnel with information security and privacy responsibilities].

CP-02 CONTINGENCY PLAN
ASSESSMENT OBJECTIVE: Determine if:
CP-02_ODP[01] personnel or roles to review a contingency plan is/are defined;
CP-02_ODP[02] personnel or roles to approve a contingency plan is/are defined;
CP-02_ODP[03] key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;
CP-02_ODP[04] key contingency organizational elements to which copies of the contingency plan are distributed are defined;
CP-02_ODP[05] frequency of contingency plan review is defined;
CP-02_ODP[06] key contingency personnel (identified by name and/or by role) to communicate changes to are defined;
CP-02_ODP[07] key contingency organizational elements to communicate changes to are defined;
CP-02a.01 a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;
CP-02a.02[01] a contingency plan for the system is developed that provides recovery objectives;
CP-02a.02[02] a contingency plan for the system is developed that provides restoration priorities;
CP-02a.02[03] a contingency plan for the system is developed that provides metrics;
CP-02a.03[01] a contingency plan for the system is developed that addresses contingency roles;
CP-02a.03[02] a contingency plan for the system is developed that addresses contingency responsibilities;
CP-02a.03[03] a contingency plan for the system is developed that addresses assigned individuals with contact information;
CP-02a.04 a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
CP-02a.05 a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;
CP-02a.06 a contingency plan for the system is developed that addresses the sharing of contingency information;
CP-02a.07[01] a contingency plan for the system is developed that is reviewed by ;
CP-02a.07[02] a contingency plan for the system is developed that is approved by ;
CP-02b.[01] copies of the contingency plan are distributed to ;
CP-02b.[02] copies of the contingency plan are distributed to ;
CP-02c. contingency planning activities are coordinated with incident handling activities;
CP-02d. the contingency plan for the system is reviewed ;
CP-02e.[01] the contingency plan is updated to address changes to the organization, system, or environment of operation;
CP-02e.[02] the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;
CP-02f.[01] contingency plan changes are communicated to ;
CP-02f.[02] contingency plan changes are communicated to ;
CP-02g.[01] lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;
CP-02g.[02] lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;
CP-02h.[01] the contingency plan is protected from unauthorized disclosure;
CP-02h.[02] the contingency plan is protected from unauthorized modification.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; evidence of contingency plan reviews and updates; system security plan; other relevant documents or records].
CP-02-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with incident handling responsibilities; organizational personnel with knowledge of requirements for mission and business functions; organizational personnel with information security responsibilities].
CP-02-Test [SELECT FROM: Organizational processes for contingency plan development, review, update, and protection; automated mechanisms for developing, reviewing, updating, and/or protecting the contingency plan].

CP-02(01) CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS
ASSESSMENT OBJECTIVE: Determine if:
CP-02(01) contingency plan development is coordinated with organizational elements responsible for related plans.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02(01)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; business contingency plans; disaster recovery plans; continuity of operations plans; crisis communications plans; critical infrastructure plans; cyber incident response plan; insider threat implementation plans; occupant emergency plans; system security plan; other relevant documents or records].
CP-02(01)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities; personnel with responsibility for related plans].

CP-02(02) CONTINGENCY PLAN | CAPACITY PLANNING
ASSESSMENT OBJECTIVE: Determine if:
CP-02(02)[01] capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;
CP-02(02)[02] capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;
CP-02(02)[03] capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; capacity planning documents; system security plan; other relevant documents or records].
CP-02(02)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel responsible for capacity planning; organizational personnel with information security responsibilities].
CP-02(03) CONTINGENCY PLAN | RESUME MISSION AND BUSINESS FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
CP-02(03)_ODP[01] one of the following PARAMETER VALUES is selected: {all; essential};
CP-02(03)_ODP[02] the contingency plan activation time period within which to resume mission and business functions is defined;
CP-02(03) the resumption of mission and business functions are planned for within of contingency plan activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02(03)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; business impact assessment; system security plan; privacy plan; other related plans; system security plan; other relevant documents or records].
CP-02(03)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with knowledge of requirements for mission and business functions].
CP-02(03)-Test [SELECT FROM: Organizational processes for resumption of missions and business functions].

CP-02(04) CONTINGENCY PLAN | RESUME ALL MISSION AND BUSINESS FUNCTIONS
[WITHDRAWN: Incorporated into CP-02(03).]

CP-02(05) CONTINGENCY PLAN | CONTINUE MISSION AND BUSINESS FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
CP-02(05)_ODP one of the following PARAMETER VALUES is selected: {all; essential};
CP-02(05)[01] the continuance of mission and business functions with minimal or no loss of operational continuity is planned for;
CP-02(05)[02] continuity is sustained until full system restoration at primary processing and/or storage sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02(05)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; business impact assessment; primary processing site agreements; primary storage site agreements; alternate processing site agreements; alternate storage site agreements; contingency plan test documentation; contingency plan test results; system security plan; other relevant documents or records].
CP-02(05)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with knowledge of requirements for mission and business functions; organizational personnel with information security responsibilities].
CP-02(05)-Test [SELECT FROM: Organizational processes for continuing missions and business functions].

CP-02(06) CONTINGENCY PLAN | ALTERNATE PROCESSING AND STORAGE SITES
ASSESSMENT OBJECTIVE: Determine if:
CP-02(06)_ODP one of the following PARAMETER VALUES is selected: {all; essential};
CP-02(06)[01] the transfer of mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;
CP-02(06)[02] operational continuity is sustained until full system restoration at primary processing and/or storage sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02(06)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; business impact assessment; alternate processing site agreements; alternate storage site agreements; contingency plan testing documentation; contingency plan test results; system security plan; other relevant documents or records].
CP-02(06)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with knowledge of requirements for mission and business functions; organizational personnel with information security responsibilities].
CP-02(06)-Test [SELECT FROM: Organizational processes for transfer of essential mission and business functions to alternate processing/storage sites].

CP-02(07) CONTINGENCY PLAN | COORDINATE WITH EXTERNAL SERVICE PROVIDERS
ASSESSMENT OBJECTIVE: Determine if:
CP-02(07) the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02(07)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; contingency plans of external service providers; service level agreements; contingency plan requirements; system security plan; other relevant documents or records].
CP-02(07)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; external service providers; organizational personnel with information security responsibilities].

CP-02(08) CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS
ASSESSMENT OBJECTIVE: Determine if:
CP-02(08)_ODP one of the following PARAMETER VALUES is selected: {all; essential};
CP-02(08) critical system assets supporting mission and business functions are identified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-02(08)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency operations for the system; contingency plan; business impact assessment; system security plan; other relevant documents or records].
CP-02(08)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with knowledge of requirements for mission and business functions; organizational personnel with information security responsibilities].

CP-03 CONTINGENCY TRAINING
ASSESSMENT OBJECTIVE: Determine if:
CP-03_ODP[01] the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;
CP-03_ODP[02] frequency at which to provide training to system users with a contingency role or responsibility is defined;
CP-03_ODP[03] frequency at which to review and update contingency training content is defined;
CP-03_ODP[04] events necessitating review and update of contingency training are defined;
CP-03a.01 contingency training is provided to system users consistent with assigned roles and responsibilities within of assuming a contingency role or responsibility;
CP-03a.02 contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
CP-03a.03 contingency training is provided to system users consistent with assigned roles and responsibilities thereafter;
CP-03b.[01] the contingency plan training content is reviewed and updated ;
CP-03b.[02] the contingency plan training content is reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-03-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency training; contingency plan; contingency training curriculum; contingency training material; contingency training records; system security plan; other relevant documents or records].
CP-03-Interview [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities; organizational personnel with information security responsibilities].
CP-03-Test [SELECT FROM: Organizational processes for contingency training].
CP-03(01) CONTINGENCY TRAINING | SIMULATED EVENTS ASSESSMENT OBJECTIVE: Determine if: CP-03(01) simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-03(01)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency training; contingency plan; contingency training curriculum; contingency training material; system security plan; other relevant documents or records]. CP-03(01)-Interview [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities; organizational personnel with information security responsibilities]. CP-03(01)-Test [SELECT FROM: Organizational processes for contingency training; automated mechanisms for simulating contingency events]. CP-03(02) CONTINGENCY TRAINING | MECHANISMS USED IN TRAINING ENVIRONMENTS ASSESSMENT OBJECTIVE: Determine if: CP-03(02) mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-03(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency training; contingency plan; contingency training curriculum; contingency training material; system security plan; other relevant documents or records]. CP-03(02)-Interview [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and training responsibilities; organizational personnel with information security responsibilities]. CP-03(02)-Test [SELECT FROM: Organizational processes for contingency training; automated mechanisms for providing contingency training environments]. 
CP-04 CONTINGENCY PLAN TESTING ASSESSMENT OBJECTIVE: Determine if: CP-04_ODP[01] frequency of testing the contingency plan for the system is defined; CP-04_ODP[02] tests for determining the effectiveness of the contingency plan are defined; CP-04_ODP[03] tests for determining readiness to execute the contingency plan are defined; CP-04a.[01] the contingency plan for the system is tested ; CP-04a.[02] are used to determine the effectiveness of the plan; CP-04a.[03] are used to determine the readiness to execute the plan; CP-04b. the contingency plan test results are reviewed; CP-04c. corrective actions are initiated, if needed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-04-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency plan testing; contingency plan; contingency plan test documentation; contingency plan test results; system security plan; other relevant documents or records]. CP-04-Interview [SELECT FROM: Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests; organizational personnel with information security responsibilities]. CP-04-Test [SELECT FROM: Organizational processes for contingency plan testing; automated mechanisms supporting the contingency plan and/or contingency plan testing]. CP-04(01) CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS ASSESSMENT OBJECTIVE: Determine if: CP-04(01) contingency plan testing is coordinated with organizational elements responsible for related plans. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-04(01)-Examine [SELECT FROM: Contingency planning policy; incident response policy; procedures addressing contingency plan testing; contingency plan testing documentation; contingency plan; business continuity plans; disaster recovery plans; continuity of operations plans; crisis communications plans; critical infrastructure plans; cyber incident response plans; occupant emergency plans; system security plan; other relevant documents or records]. CP-04(01)-Interview [SELECT FROM: Organizational personnel with contingency plan testing responsibilities; personnel with responsibilities for related plans; organizational personnel with information security responsibilities]. CP-04(02) CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE ASSESSMENT OBJECTIVE: Determine if: CP-04(02)(a) the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources; CP-04(02)(b) the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-04(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency plan testing; contingency plan; contingency plan test documentation; contingency plan test results; alternate processing site agreements; service-level agreements; system security plan; other relevant documents or records]. CP-04(02)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with information security responsibilities]. CP-04(02)-Test [SELECT FROM: Organizational processes for contingency plan testing; automated mechanisms supporting the contingency plan and/or contingency plan testing]. 
CP-04(03) CONTINGENCY PLAN TESTING | AUTOMATED TESTING ASSESSMENT OBJECTIVE: Determine if: CP-04(03)_ODP automated mechanisms for contingency plan testing are defined; CP-04(03) the contingency plan is tested using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-04(03)-Examine [SELECT FROM: Contingency planning policy; procedures addressing contingency plan testing; contingency plan; automated mechanisms supporting contingency plan testing; contingency plan test documentation; contingency plan test results; system security plan; other relevant documents or records]. CP-04(03)-Interview [SELECT FROM: Organizational personnel with contingency plan testing responsibilities; organizational personnel with information security responsibilities]. CP-04(03)-Test [SELECT FROM: Organizational processes for contingency plan testing; automated mechanisms supporting contingency plan testing]. CP-04(04) CONTINGENCY PLAN TESTING | FULL RECOVERY AND RECONSTITUTION ASSESSMENT OBJECTIVE: Determine if: CP-04(04)[01] a full recovery of the system to a known state is included as part of contingency plan testing; CP-04(04)[02] a full reconstitution of the system to a known state is included as part of contingency plan testing. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-04(04)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system recovery and reconstitution; contingency plan; contingency plan test documentation; contingency plan test results; system security plan; other relevant documents or records]. CP-04(04)-Interview [SELECT FROM: Organizational personnel with contingency plan testing responsibilities; organizational personnel with system recovery and reconstitution responsibilities; organizational personnel with information security responsibilities]. 
CP-04(04)-Test [SELECT FROM: Organizational processes for contingency plan testing; automated mechanisms supporting contingency plan testing; automated mechanisms supporting recovery and reconstitution of the system]. CP-04(05) CONTINGENCY PLAN TESTING | SELF-CHALLENGE ASSESSMENT OBJECTIVE: Determine if: CP-04(05)_ODP[01] mechanisms employed to disrupt and adversely affect the system or system component are defined; CP-04(05)_ODP[02] system or system component on which to apply disruption mechanisms are defined; CP-04(05) is/are employed to disrupt and adversely affect the . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-04(05)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system recovery and reconstitution; contingency plan; contingency plan test documentation; contingency plan test results; system security plan; other relevant documents or records]. CP-04(05)-Interview [SELECT FROM: Organizational personnel with contingency plan testing responsibilities; organizational personnel with system recovery and reconstitution responsibilities; organizational personnel with information security responsibilities]. CP-04(05)-Test [SELECT FROM: Organizational processes for contingency plan testing; mechanisms supporting contingency plan testing]. CP-05 CONTINGENCY PLAN UPDATE [WITHDRAWN: Incorporated into CP-02.] CP-06 ALTERNATE STORAGE SITE ASSESSMENT OBJECTIVE: Determine if: CP-06a.[01] an alternate storage site is established; CP-06a.[02] establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information; CP-06b. the alternate storage site provides controls equivalent to that of the primary site. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-06-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site agreements; primary storage site agreements; system security plan; other relevant documents or records]. CP-06-Interview [SELECT FROM: Organizational personnel with contingency plan alternate storage site responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities]. CP-06-Test [SELECT FROM: Organizational processes for storing and retrieving system backup information at the alternate storage site; automated mechanisms supporting and/or implementing storage and retrieval of system backup information at the alternate storage site]. CP-06(01) ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE ASSESSMENT OBJECTIVE: Determine if: CP-06(01) an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-06(01)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site; alternate storage site agreements; primary storage site agreements; system security plan; other relevant documents or records]. CP-06(01)-Interview [SELECT FROM: Organizational personnel with contingency plan alternate storage site responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities]. 
CP-06(02) ALTERNATE STORAGE SITE | RECOVERY TIME AND RECOVERY POINT OBJECTIVES ASSESSMENT OBJECTIVE: Determine if: CP-06(02)[01] the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives; CP-06(02)[02] the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-06(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site; alternate storage site agreements; alternate storage site configurations; system security plan; other relevant documents or records]. CP-06(02)-Interview [SELECT FROM: Organizational personnel with contingency plan testing responsibilities; organizational personnel with responsibilities for testing related plans; organizational personnel with information security responsibilities]. CP-06(02)-Test [SELECT FROM: Organizational processes for contingency plan testing; automated mechanisms supporting recovery time and point objectives]. CP-06(03) ALTERNATE STORAGE SITE | ACCESSIBILITY ASSESSMENT OBJECTIVE: Determine if: CP-06(03)[01] potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified; CP-06(03)[02] explicit mitigation actions to address identified accessibility problems are outlined. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-06(03)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate storage sites; contingency plan; alternate storage site; list of potential accessibility problems to alternate storage site; mitigation actions for accessibility problems to alternate storage site; organizational risk assessments; system security plan; other relevant documents or records]. 
CP-06(03)-Interview [SELECT FROM: Organizational personnel with contingency plan alternate storage site responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities]. CP-07 ALTERNATE PROCESSING SITE ASSESSMENT OBJECTIVE: Determine if: CP-07_ODP[01] system operations for essential mission and business functions are defined; CP-07_ODP[02] time period consistent with recovery time and recovery point objectives is defined; CP-07a. an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions, is established within when the primary processing capabilities are unavailable; CP-07b.[01] the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for transfer; CP-07b.[02] the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for resumption; CP-07c. controls provided at the alternate processing site are equivalent to those at the primary site. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-07-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site agreements; primary processing site agreements; spare equipment and supplies inventory at alternate processing site; equipment and supply contracts; service-level agreements; system security plan; other relevant documents or records]. CP-07-Interview [SELECT FROM: Organizational personnel with responsibilities for contingency planning and/or alternate site arrangements; organizational personnel with information security responsibilities]. 
CP-07-Test [SELECT FROM: Organizational processes for recovery at the alternate site; automated mechanisms supporting and/or implementing recovery at the alternate processing site]. CP-07(01) ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE ASSESSMENT OBJECTIVE: Determine if: CP-07(01) an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-07(01)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; primary processing site agreements; system security plan; other relevant documents or records]. CP-07(01)-Interview [SELECT FROM: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities]. CP-07(02) ALTERNATE PROCESSING SITE | ACCESSIBILITY ASSESSMENT OBJECTIVE: Determine if: CP-07(02)[01] potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified; CP-07(02)[02] explicit mitigation actions to address identified accessibility problems are outlined. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-07(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; primary processing site agreements; system security plan; other relevant documents or records]. CP-07(02)-Interview [SELECT FROM: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities]. 
CP-07(03) ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE ASSESSMENT OBJECTIVE: Determine if: CP-07(03) alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-07(03)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site agreements; service-level agreements; system security plan; other relevant documents or records]. CP-07(03)-Interview [SELECT FROM: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements]. CP-07(04) ALTERNATE PROCESSING SITE | PREPARATION FOR USE ASSESSMENT OBJECTIVE: Determine if: CP-07(04) the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-07(04)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; alternate processing site configurations; system security plan; other relevant documents or records]. CP-07(04)-Interview [SELECT FROM: Organizational personnel with contingency plan alternate processing site responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities]. CP-07(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing recovery at the alternate processing site]. 
CP-07(05) ALTERNATE PROCESSING SITE | EQUIVALENT INFORMATION SECURITY SAFEGUARDS [WITHDRAWN: Incorporated into CP-07.] CP-07(06) ALTERNATE PROCESSING SITE | INABILITY TO RETURN TO PRIMARY SITE ASSESSMENT OBJECTIVE: Determine if: CP-07(06)[01] circumstances that preclude returning to the primary processing site are planned for; CP-07(06)[02] circumstances that preclude returning to the primary processing site are prepared for. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-07(06)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate processing sites; contingency plan; alternate processing site; alternate processing site agreements; alternate processing site configurations; system security plan; other relevant documents or records]. CP-07(06)-Interview [SELECT FROM: Organizational personnel with system reconstitution responsibilities; organizational personnel with information security responsibilities]. CP-08 TELECOMMUNICATIONS SERVICES ASSESSMENT OBJECTIVE: Determine if: CP-08_ODP[01] system operations to be resumed for essential mission and business functions are defined; CP-08_ODP[02] time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined; CP-08 alternate telecommunications services, including necessary agreements to permit the resumption of , are established for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-08-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; system security plan; other relevant documents or records]. 
CP-08-Interview [SELECT FROM: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with knowledge of requirements for mission and business functions; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements]. CP-08-Test [SELECT FROM: Automated mechanisms supporting telecommunications]. CP-08(01) TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS ASSESSMENT OBJECTIVE: Determine if: CP-08(01)(a)[01] primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed; CP-08(01)(a)[02] alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed; CP-08(01)(b) Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-08(01)-Examine [SELECT FROM: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; Telecommunications Service Priority documentation; system security plan; other relevant documents or records]. CP-08(01)-Interview [SELECT FROM: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with system recovery responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements]. 
CP-08(01)-Test [SELECT FROM: Automated mechanisms supporting telecommunications]. CP-08(02) TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE ASSESSMENT OBJECTIVE: Determine if: CP-08(02) alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-08(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; system security plan; other relevant documents or records]. CP-08(02)-Interview [SELECT FROM: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with system recovery responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities]. CP-08(03) TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY AND ALTERNATE PROVIDERS ASSESSMENT OBJECTIVE: Determine if: CP-08(03) alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-08(03)-Examine [SELECT FROM: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; primary and alternate telecommunications service agreements; alternate telecommunications service provider site; primary telecommunications service provider site; other relevant documents or records]. CP-08(03)-Interview [SELECT FROM: Organizational personnel with contingency plan telecommunications responsibilities; organizational personnel with system recovery responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities]. 
CP-08(04) TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN ASSESSMENT OBJECTIVE: Determine if: CP-08(04)_ODP[01] frequency at which to obtain evidence of contingency testing by providers is defined; CP-08(04)_ODP[02] frequency at which to obtain evidence of contingency training by providers is defined; CP-08(04)(a)[01] primary telecommunications service providers are required to have contingency plans; CP-08(04)(a)[02] alternate telecommunications service providers are required to have contingency plans; CP-08(04)(b) provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements; CP-08(04)(c)[01] evidence of contingency testing by providers is obtained ; CP-08(04)(c)[02] evidence of contingency training by providers is obtained . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-08(04)-Examine [SELECT FROM: Contingency planning policy; procedures addressing primary and alternate telecommunications services; contingency plan; provider contingency plans; evidence of contingency testing/training by providers; primary and alternate telecommunications service agreements; system security plan; other relevant documents or records]. CP-08(04)-Interview [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; primary and alternate telecommunications service providers; organizational personnel with information security responsibilities; organizational personnel with responsibility for acquisitions/contractual agreements]. CP-08(05) TELECOMMUNICATIONS SERVICES | ALTERNATE TELECOMMUNICATION SERVICE TESTING ASSESSMENT OBJECTIVE: Determine if: CP-08(05)_ODP frequency at which alternate telecommunications services are tested is defined; CP-08(05) alternate telecommunications services are tested . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-08(05)-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate telecommunications services; contingency plan; evidence of testing alternate telecommunications services; alternate telecommunications service agreements; system security plan; other relevant documents or records]. CP-08(05)-Interview [SELECT FROM: Organizational personnel with contingency planning, plan implementation, and testing responsibilities; alternate telecommunications service providers; organizational personnel with information security responsibilities]. CP-08(05)-Test [SELECT FROM: Automated mechanisms supporting testing alternate telecommunications services]. CP-09 SYSTEM BACKUP ASSESSMENT OBJECTIVE: Determine if: CP-09_ODP[01] system components for which to conduct backups of user-level information are defined; CP-09_ODP[02] frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined; CP-09_ODP[03] frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined; CP-09_ODP[04] frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined; CP-09a. backups of user-level information contained in are conducted ; CP-09b. backups of system-level information contained in the system are conducted ; CP-09c. backups of system documentation, including security- and privacy-related documentation, are conducted ; CP-09d.[01] the confidentiality of backup information is protected; CP-09d.[02] the integrity of backup information is protected; CP-09d.[03] the availability of backup information is protected. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-09-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; backup storage location(s); system backup logs or records; system security plan; privacy plan; other relevant documents or records]. CP-09-Interview [SELECT FROM: Organizational personnel with system backup responsibilities; organizational personnel with information security and privacy responsibilities]. CP-09-Test [SELECT FROM: Organizational processes for conducting system backups; automated mechanisms supporting and/or implementing system backups]. CP-09(01) SYSTEM BACKUP | TESTING FOR RELIABILITY AND INTEGRITY ASSESSMENT OBJECTIVE: Determine if: CP-09(01)_ODP[01] frequency at which to test backup information for media reliability is defined; CP-09(01)_ODP[02] frequency at which to test backup information for information integrity is defined; CP-09(01)[01] backup information is tested to verify media reliability; CP-09(01)[02] backup information is tested to verify information integrity. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-09(01)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; system backup test results; contingency plan test documentation; contingency plan test results; system security plan; other relevant documents or records]. CP-09(01)-Interview [SELECT FROM: Organizational personnel with system backup responsibilities; organizational personnel with information security responsibilities]. CP-09(01)-Test [SELECT FROM: Organizational processes for conducting system backups; automated mechanisms supporting and/or implementing system backups]. CP-09(02) SYSTEM BACKUP | TEST RESTORATION USING SAMPLING ASSESSMENT OBJECTIVE: Determine if: CP-09(02) a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-09(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; system backup test results; contingency plan test documentation; contingency plan test results; system security plan; other relevant documents or records]. CP-09(02)-Interview [SELECT FROM: Organizational personnel with system backup responsibilities; organizational personnel with contingency planning/contingency plan testing responsibilities; organizational personnel with information security responsibilities]. CP-09(02)-Test [SELECT FROM: Organizational processes for conducting system backups; automated mechanisms supporting and/or implementing system backups]. CP-09(03) SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION ASSESSMENT OBJECTIVE: Determine if: CP-09(03)_ODP critical system software and other security-related information backups to be stored in a separate facility are defined; CP-09(03) backup copies of are stored in a separate facility or in a fire-rated container that is not collocated with the operational system. POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-09(03)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; backup storage location(s); system backup configurations and associated documentation; system backup logs or records; system security plan; other relevant documents or records]. CP-09(03)-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with system backup responsibilities; organizational personnel with information security responsibilities]. CP-09(04) SYSTEM BACKUP | PROTECTION FROM UNAUTHORIZED MODIFICATION [WITHDRAWN: Incorporated into CP-09.] 
CP-09(05) SYSTEM BACKUP | TRANSFER TO ALTERNATE STORAGE SITE ASSESSMENT OBJECTIVE: Determine if: CP-09(05)_ODP[01] time period consistent with recovery time and recovery point objectives is defined; CP-09(05)_ODP[02] transfer rate consistent with recovery time and recovery point objectives is defined; CP-09(05)[01] system backup information is transferred to the alternate storage site for ; CP-09(05)[02] system backup information is transferred to the alternate storage site . POTENTIAL ASSESSMENT METHODS AND OBJECTS: CP-09(05)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; system backup logs or records; evidence of system backup information transferred to alternate storage site; alternate storage site agreements; system security plan; other relevant documents or records]. CP-09(05)-Interview [SELECT FROM: Organizational personnel with system backup responsibilities; organizational personnel with information security responsibilities]. CP-09(05)-Test [SELECT FROM: Organizational processes for transferring system backups to the alternate storage site; automated mechanisms supporting and/or implementing system backups; automated mechanisms supporting and/or implementing information transfer to the alternate storage site]. CP-09(06) SYSTEM BACKUP | REDUNDANT SECONDARY SYSTEM ASSESSMENT OBJECTIVE: Determine if: CP-09(06)[01] system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system; CP-09(06)[02] system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-09(06)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; system backup test results; contingency plan test results; contingency plan test documentation; redundant secondary system for system backups; location(s) of redundant secondary backup system(s); system security plan; other relevant documents or records].
CP-09(06)-Interview [SELECT FROM: Organizational personnel with system backup responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the redundant secondary system].
CP-09(06)-Test [SELECT FROM: Organizational processes for maintaining redundant secondary systems; automated mechanisms supporting and/or implementing system backups; automated mechanisms supporting and/or implementing information transfer to a redundant secondary system].

CP-09(07) SYSTEM BACKUP | DUAL AUTHORIZATION FOR DELETION OR DESTRUCTION
ASSESSMENT OBJECTIVE: Determine if:
CP-09(07)_ODP backup information for which to enforce dual authorization in order to delete or destroy is defined;
CP-09(07) dual authorization for the deletion or destruction of is enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-09(07)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; system design documentation; system configuration settings and associated documentation; system generated list of dual authorization credentials or rules; logs or records of deletion or destruction of backup information; system security plan; other relevant documents or records].
CP-09(07)-Interview [SELECT FROM: Organizational personnel with system backup responsibilities; organizational personnel with information security responsibilities].
CP-09(07)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing dual authorization; automated mechanisms supporting and/or implementing deletion/destruction of backup information].

CP-09(08) SYSTEM BACKUP | CRYPTOGRAPHIC PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
CP-09(08)_ODP backup information to protect against unauthorized disclosure and modification is defined;
CP-09(08) cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-09(08)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; system design documentation; system configuration settings and associated documentation; system security plan; other relevant documents or records].
CP-09(08)-Interview [SELECT FROM: Organizational personnel with system backup responsibilities; organizational personnel with information security responsibilities].
CP-09(08)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing cryptographic protection of backup information].

CP-10 SYSTEM RECOVERY AND RECONSTITUTION
ASSESSMENT OBJECTIVE: Determine if:
CP-10_ODP[01] time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;
CP-10_ODP[02] time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;
CP-10[01] the recovery of the system to a known state is provided within after a disruption, compromise, or failure;
CP-10[02] a reconstitution of the system to a known state is provided within after a disruption, compromise, or failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-10-Examine [SELECT FROM: Contingency planning policy; procedures addressing system backup; contingency plan; system backup test results; contingency plan test results; contingency plan test documentation; redundant secondary system for system backups; location(s) of redundant secondary backup system(s); system security plan; other relevant documents or records].
CP-10-Interview [SELECT FROM: Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities; organizational personnel with information security responsibilities].
CP-10-Test [SELECT FROM: Organizational processes implementing system recovery and reconstitution operations; automated mechanisms supporting and/or implementing system recovery and reconstitution operations].

CP-10(01) SYSTEM RECOVERY AND RECONSTITUTION | CONTINGENCY PLAN TESTING [WITHDRAWN: Incorporated into CP-04.]

CP-10(02) SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY
ASSESSMENT OBJECTIVE: Determine if:
CP-10(02) transaction recovery is implemented for systems that are transaction-based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-10(02)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system recovery and reconstitution; contingency plan; system design documentation; system configuration settings and associated documentation; contingency plan test documentation; contingency plan test results; system transaction recovery records; system audit records; system security plan; other relevant documents or records].
CP-10(02)-Interview [SELECT FROM: Organizational personnel with responsibility for transaction recovery; organizational personnel with information security responsibilities].
CP-10(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing transaction recovery capability].

CP-10(03) SYSTEM RECOVERY AND RECONSTITUTION | COMPENSATING SECURITY CONTROLS [WITHDRAWN: Addressed through tailoring.]
CP-10(04) SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD
ASSESSMENT OBJECTIVE: Determine if:
CP-10(04)_ODP restoration time period within which to restore system components to a known, operational state is defined;
CP-10(04) the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-10(04)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system recovery and reconstitution; contingency plan; system design documentation; system configuration settings and associated documentation; contingency plan test documentation; contingency plan test results; evidence of system recovery and reconstitution operations; system security plan; other relevant documents or records].
CP-10(04)-Interview [SELECT FROM: Organizational personnel with system recovery and reconstitution responsibilities; organizational personnel with information security responsibilities].
CP-10(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing recovery/reconstitution of system information].

CP-10(05) SYSTEM RECOVERY AND RECONSTITUTION | FAILOVER CAPABILITY [WITHDRAWN: Incorporated into SI-13.]

CP-10(06) SYSTEM RECOVERY AND RECONSTITUTION | COMPONENT PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
CP-10(06) system components used for recovery and reconstitution are protected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-10(06)-Examine [SELECT FROM: Contingency planning policy; procedures addressing system recovery and reconstitution; contingency plan; system design documentation; system configuration settings and associated documentation; logical access credentials; physical access credentials; logical access authorization records; physical access authorization records; system security plan; other relevant documents or records].
CP-10(06)-Interview [SELECT FROM: Organizational personnel with system recovery and reconstitution responsibilities; organizational personnel with information security responsibilities].
CP-10(06)-Test [SELECT FROM: Organizational processes for protecting backup and restoration of hardware, firmware, and software; automated mechanisms supporting and/or implementing protection of backups and restoration of hardware, firmware, and software].

CP-11 ALTERNATE COMMUNICATIONS PROTOCOLS
ASSESSMENT OBJECTIVE: Determine if:
CP-11_ODP alternative communications protocols in support of maintaining continuity of operations are defined;
CP-11 the capability to employ is provided in support of maintaining continuity of operations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-11-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternative communications protocols; contingency plan; continuity of operations plan; system design documentation; system configuration settings and associated documentation; list of alternative communications protocols supporting continuity of operations; system security plan; other relevant documents or records].
CP-11-Interview [SELECT FROM: Organizational personnel with contingency planning and plan implementation responsibilities; organizational personnel with continuity of operations planning and plan implementation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
CP-11-Test [SELECT FROM: Automated mechanisms employing alternative communications protocols].

CP-12 SAFE MODE
ASSESSMENT OBJECTIVE: Determine if:
CP-12_ODP[01] restrictions for safe mode of operation are defined;
CP-12_ODP[02] conditions detected to enter a safe mode of operation are defined;
CP-12 a safe mode of operation is entered with when are detected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-12-Examine [SELECT FROM: Contingency planning policy; procedures addressing safe mode of operation for the system; contingency plan; system design documentation; system configuration settings and associated documentation; system administration manuals; system operation manuals; system installation manuals; contingency plan test records; incident handling records; system audit records; system security plan; other relevant documents or records].
CP-12-Interview [SELECT FROM: Organizational personnel with system operation responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
CP-12-Test [SELECT FROM: Automated mechanisms implementing safe mode of operation].

CP-13 ALTERNATIVE SECURITY MECHANISMS
ASSESSMENT OBJECTIVE: Determine if:
CP-13_ODP[01] alternative or supplemental security mechanisms are defined;
CP-13_ODP[02] security functions are defined;
CP-13 are employed for satisfying when the primary means of implementing the security function is unavailable or compromised.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
CP-13-Examine [SELECT FROM: Contingency planning policy; procedures addressing alternate security mechanisms; contingency plan; continuity of operations plan; system design documentation; system configuration settings and associated documentation; contingency plan test records; contingency plan test results; system security plan; other relevant documents or records].
CP-13-Interview [SELECT FROM: Organizational personnel with system operation responsibilities; organizational personnel with information security responsibilities].
CP-13-Test [SELECT FROM: System capability implementing alternative security mechanisms].
4.7 Identification and Authentication

IA-01 POLICY AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
IA-01_ODP[01] personnel or roles to whom the identification and authentication policy is to be disseminated is/are defined;
IA-01_ODP[02] personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;
IA-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
IA-01_ODP[04] an official to manage the identification and authentication policy and procedures is defined;
IA-01_ODP[05] the frequency at which the current identification and authentication policy is reviewed and updated is defined;
IA-01_ODP[06] events that would require the current identification and authentication policy to be reviewed and updated are defined;
IA-01_ODP[07] the frequency at which the current identification and authentication procedures are reviewed and updated is defined;
IA-01_ODP[08] events that would require identification and authentication procedures to be reviewed and updated are defined;
IA-01a.[01] an identification and authentication policy is developed and documented;
IA-01a.[02] the identification and authentication policy is disseminated to ;
IA-01a.[03] identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;
IA-01a.[04] the identification and authentication procedures are disseminated to ;
IA-01a.01(a)[01] the identification and authentication policy addresses purpose;
IA-01a.01(a)[02] the identification and authentication policy addresses scope;
IA-01a.01(a)[03] the identification and authentication policy addresses roles;
IA-01a.01(a)[04] the identification and authentication policy addresses responsibilities;
IA-01a.01(a)[05] the identification and authentication policy addresses management commitment;
IA-01a.01(a)[06] the identification and authentication policy addresses coordination among organizational entities;
IA-01a.01(a)[07] the identification and authentication policy addresses compliance;
IA-01a.01(b) the identification and authentication policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
IA-01b. the is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;
IA-01c.01[01] the current identification and authentication policy is reviewed and updated ;
IA-01c.01[02] the current identification and authentication policy is reviewed and updated following ;
IA-01c.02[01] the current identification and authentication procedures are reviewed and updated ;
IA-01c.02[02] the current identification and authentication procedures are reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-01-Examine [SELECT FROM: Identification and authentication policy and procedures; system security plan; privacy plan; risk management strategy documentation; list of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings); other relevant documents or records].
IA-01-Interview [SELECT FROM: Organizational personnel with identification and authentication responsibilities; organizational personnel with information security and privacy responsibilities].

IA-02 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
ASSESSMENT OBJECTIVE: Determine if:
IA-02[01] organizational users are uniquely identified and authenticated;
IA-02[02] the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02-Examine [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit records; list of system accounts; other relevant documents or records].
IA-02-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with account management responsibilities; system developers].
IA-02-Test [SELECT FROM: Organizational processes for uniquely identifying and authenticating users; automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-02(01) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | MULTI-FACTOR AUTHENTICATION TO PRIVILEGED ACCOUNTS
ASSESSMENT OBJECTIVE: Determine if:
IA-02(01) multi-factor authentication is implemented for access to privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(01)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit records; list of system accounts; other relevant documents or records].
IA-02(01)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing multi-factor authentication capability].
IA-02(02) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | MULTI-FACTOR AUTHENTICATION TO NON-PRIVILEGED ACCOUNTS
ASSESSMENT OBJECTIVE: Determine if:
IA-02(02) multi-factor authentication for access to non-privileged accounts is implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(02)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of system accounts; other relevant documents or records].
IA-02(02)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing multi-factor authentication capability].

IA-02(03) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS [WITHDRAWN: Incorporated into IA-02(01).]

IA-02(04) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS [WITHDRAWN: Incorporated into IA-02(02).]

IA-02(05) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | INDIVIDUAL AUTHENTICATION WITH GROUP AUTHENTICATION
ASSESSMENT OBJECTIVE: Determine if:
IA-02(05) users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(05)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of system accounts; other relevant documents or records].
IA-02(05)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing authentication capability for group accounts].

IA-02(06) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO ACCOUNTS — SEPARATE DEVICE
ASSESSMENT OBJECTIVE: Determine if:
IA-02(06)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {local; network; remote};
IA-02(06)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {privileged accounts; non-privileged accounts};
IA-02(06)_ODP[03] the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;
IA-02(06)(a) multi-factor authentication is implemented for access to such that one of the factors is provided by a device separate from the system gaining access;
IA-02(06)(b) multi-factor authentication is implemented for access to such that the device meets .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(06)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of system accounts; other relevant documents or records].
IA-02(06)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing multi-factor authentication capability].

IA-02(07) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS — SEPARATE DEVICE [WITHDRAWN: Incorporated into IA-02(06).]

IA-02(08) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCESS TO ACCOUNTS — REPLAY RESISTANT
ASSESSMENT OBJECTIVE: Determine if:
IA-02(08)_ODP one or more of the following PARAMETER VALUES is/are selected: {privileged accounts; non-privileged accounts};
IA-02(08) replay-resistant authentication mechanisms for access to are implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(08)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of privileged system accounts; other relevant documents or records].
IA-02(08)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(08)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities; automated mechanisms supporting and/or implementing replay-resistant authentication mechanisms].
IA-02(09) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS — REPLAY RESISTANT [WITHDRAWN: Incorporated into IA-02(08).]

IA-02(10) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | SINGLE SIGN-ON
ASSESSMENT OBJECTIVE: Determine if:
IA-02(10)_ODP system accounts and services for which a single sign-on capability must be provided are defined;
IA-02(10) a single sign-on capability is provided for .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(10)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing single sign-on capability for system accounts and services; procedures addressing identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of system accounts and services requiring single sign-on capability; other relevant documents or records].
IA-02(10)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(10)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities; automated mechanisms supporting and/or implementing single sign-on capability for system accounts and services].

IA-02(11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | REMOTE ACCESS — SEPARATE DEVICE [WITHDRAWN: Incorporated into IA-02(06).]

IA-02(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS
ASSESSMENT OBJECTIVE: Determine if:
IA-02(12) Personal Identity Verification-compliant credentials are accepted and electronically verified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(12)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; PIV verification records; evidence of PIV credentials; PIV credential authorizations; other relevant documents or records].
IA-02(12)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(12)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing acceptance and verification of PIV credentials].

IA-02(13) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) | OUT-OF-BAND AUTHENTICATION
ASSESSMENT OBJECTIVE: Determine if:
IA-02(13)_ODP[01] out-of-band authentication mechanisms to be implemented are defined;
IA-02(13)_ODP[02] conditions under which out-of-band authentication is to be implemented are defined;
IA-02(13) mechanisms are implemented under .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-02(13)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; system-generated list of out-of-band authentication paths; other relevant documents or records].
IA-02(13)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-02(13)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing out-of-band authentication capability].

IA-03 DEVICE IDENTIFICATION AND AUTHENTICATION
ASSESSMENT OBJECTIVE: Determine if:
IA-03_ODP[01] devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;
IA-03_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {local; remote; network};
IA-03 are uniquely identified and authenticated before establishing a connection.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-03-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing device identification and authentication; system design documentation; list of devices requiring unique identification and authentication; device connection reports; system configuration settings and associated documentation; other relevant documents or records].
IA-03-Interview [SELECT FROM: Organizational personnel with operational responsibilities for device identification and authentication; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-03-Test [SELECT FROM: Automated mechanisms supporting and/or implementing device identification and authentication capabilities].

IA-03(01) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION
ASSESSMENT OBJECTIVE: Determine if:
IA-03(01)_ODP[01] devices and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined;
IA-03(01)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {local; remote; network};
IA-03(01) are authenticated before establishing connection using bidirectional authentication that is cryptographically based.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-03(01)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing device identification and authentication; system design documentation; list of devices requiring unique identification and authentication; device connection reports; system configuration settings and associated documentation; other relevant documents or records].
IA-03(01)-Interview [SELECT FROM: Organizational personnel with operational responsibilities for device identification and authentication; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-03(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing device authentication capability; cryptographically based bidirectional authentication mechanisms].

IA-03(02) DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL NETWORK AUTHENTICATION [WITHDRAWN: Incorporated into IA-03(01).]

IA-03(03) DEVICE IDENTIFICATION AND AUTHENTICATION | DYNAMIC ADDRESS ALLOCATION
ASSESSMENT OBJECTIVE: Determine if:
IA-03(03)_ODP lease information and lease duration to be employed to standardize dynamic address allocation for devices are defined;
IA-03(03)(a) dynamic address allocation lease information and lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with ;
IA-03(03)(b) lease information is audited when assigned to a device.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-03(03)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing device identification and authentication; system design documentation; system configuration settings and associated documentation; evidence of lease information and lease duration assigned to devices; device connection reports; system audit records; other relevant documents or records].
IA-03(03)-Interview [SELECT FROM: Organizational personnel with operational responsibilities for device identification and authentication; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-03(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing device identification and authentication capabilities; automated mechanisms supporting and/or implementing dynamic address allocation; automated mechanisms supporting and/or implementing auditing of lease information].

IA-03(04) DEVICE IDENTIFICATION AND AUTHENTICATION | DEVICE ATTESTATION
ASSESSMENT OBJECTIVE: Determine if:
IA-03(04)_ODP configuration management process to be employed to handle device identification and authentication based on attestation is defined;
IA-03(04) device identification and authentication are handled based on attestation by .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-03(04)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing device identification and authentication; procedures addressing device configuration management; system design documentation; system configuration settings and associated documentation; configuration management records; change control records; system audit records; other relevant documents or records].
IA-03(04)-Interview [SELECT FROM: Organizational personnel with operational responsibilities for device identification and authentication; organizational personnel with information security responsibilities; system/network administrators].
IA-03(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing device identification and authentication capabilities; automated mechanisms supporting and/or implementing configuration management; cryptographic mechanisms supporting device attestation].
IA-04 IDENTIFIER MANAGEMENT
ASSESSMENT OBJECTIVE: Determine if:
IA-04_ODP[01] personnel or roles from whom authorization must be received to assign an identifier are defined;
IA-04_ODP[02] a time period for preventing reuse of identifiers is defined;
IA-04a. system identifiers are managed by receiving authorization from to assign to an individual, group, role, or device identifier;
IA-04b. system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;
IA-04c. system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;
IA-04d. system identifiers are managed by preventing reuse of identifiers for .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-04-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].
IA-04-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].
IA-04-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identifier management].

IA-04(01) IDENTIFIER MANAGEMENT | PROHIBIT ACCOUNT IDENTIFIERS AS PUBLIC IDENTIFIERS
ASSESSMENT OBJECTIVE: Determine if:
IA-04(01) the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-04(01)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing identifier management; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-04(01)-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-04(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identifier management]. IA-04(02) IDENTIFIER MANAGEMENT | SUPERVISOR AUTHORIZATION [WITHDRAWN: Incorporated into IA-12(01).] IA-04(03) IDENTIFIER MANAGEMENT | MULTIPLE FORMS OF CERTIFICATION [WITHDRAWN: Incorporated into IA-12(02).] IA-04(04) IDENTIFIER MANAGEMENT | IDENTIFY USER STATUS ASSESSMENT OBJECTIVE: Determine if: IA-04(04)_ODP characteristics used to identify individual status is defined; IA-04(04) individual identifiers are managed by uniquely identifying each individual as . POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-04(04)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing identifier management; procedures addressing account management; list of characteristics identifying individual status; other relevant documents or records]. IA-04(04)-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-04(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identifier management]. 
IA-04(05) IDENTIFIER MANAGEMENT | DYNAMIC MANAGEMENT ASSESSMENT OBJECTIVE: Determine if: IA-04(05)_ODP a dynamic identifier policy for managing individual identifiers is defined; IA-04(05) individual identifiers are dynamically managed in accordance with . POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-04(05)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing identifier management; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-04(05)-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-04(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing dynamic identifier management]. IA-04(06) IDENTIFIER MANAGEMENT | CROSS-ORGANIZATION MANAGEMENT ASSESSMENT OBJECTIVE: Determine if: IA-04(06)_ODP external organizations with whom to coordinate the cross-organization management of identifiers are defined; IA-04(06) cross-organization management of identifiers is coordinated with . POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-04(06)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; system security plan; other relevant documents or records]. IA-04(06)-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities]. IA-04(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identifier management]. IA-04(07) IDENTIFIER MANAGEMENT | IN-PERSON REGISTRATION [WITHDRAWN: Incorporated into IA-12(04).] 
IA-04(08) IDENTIFIER MANAGEMENT | PAIRWISE PSEUDONYMOUS IDENTIFIERS ASSESSMENT OBJECTIVE: Determine if: IA-04(08) pairwise pseudonymous identifiers are generated. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-04(08)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing identifier management; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-04(08)-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities]. IA-04(08)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identifier management]. IA-04(09) IDENTIFIER MANAGEMENT | ATTRIBUTE MAINTENANCE AND PROTECTION ASSESSMENT OBJECTIVE: Determine if: IA-04(09)_ODP protected central storage used to maintain the attributes for each uniquely identified individual, device, or service is defined; IA-04(09) the attributes for each uniquely identified individual, device, or service are maintained in . POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-04(09)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing identifier management; procedures addressing account management; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-04(09)-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities]. IA-04(09)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identifier management]. 
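The generation of pairwise pseudonymous identifiers that IA-04(08) above asks the assessor to verify, as an added example that is not part of NIST SP 800-53A. It follows the common identity-provider pattern of deriving a per-relying-party pseudonym from a secret salt, a sector identifier and the local account identifier with a keyed hash; the relying-party registry, the sector identifiers, the account identifiers and the PAIRWISE_SALT value are all constructed assumptions.

```python
"""Added example for IA-04(08): pairwise pseudonymous identifiers.

Not part of NIST SP 800-53A. The registry, account ids and salt below are
constructed for illustration.
"""
import hashlib
import hmac

# Assumed IdP-side secret. In production generate it once with
# secrets.token_bytes(32) and keep it in a secret store; rotating it changes
# every user's identifier at every RP, so it is a long-lived key. A fixed
# constructed value is used here so the example is reproducible.
PAIRWISE_SALT = b"constructed-example-salt-do-not-reuse"

# Constructed registry of relying parties. RPs that share a sector identifier
# receive the same pseudonym for a given user; every other RP gets a
# different one, so RPs from different sectors cannot correlate users.
SECTOR_OF_RP = {
    "https://payroll.example.gov": "payroll.example.gov",
    "https://benefits.example.gov": "benefits.example.gov",
    "https://benefits-staging.example.gov": "benefits.example.gov",
}


def pairwise_identifier(local_account_id: str, rp_client_id: str,
                        salt: bytes = PAIRWISE_SALT) -> str:
    """Derive the pseudonym presented to one RP (sector) for one account.

    HMAC-SHA256 keyed with the IdP secret over (sector, local id): an RP
    cannot recompute identifiers for other sectors, cannot invert the value
    to the local account id, and a low-entropy account id is not exposed to
    offline guessing because the key is never disclosed.
    """
    sector = SECTOR_OF_RP[rp_client_id]
    message = sector.encode() + b"\x00" + local_account_id.encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def resolve_pairwise_identifier(pseudonym: str, rp_client_id: str,
                                local_account_ids, salt: bytes = PAIRWISE_SALT):
    """IdP-side reverse lookup, e.g. to honour an RP's back-channel logout or
    deletion request for a pseudonym. Returns the local account id or None.

    A production IdP stores the mapping at first issuance; the recomputation
    here shows that only the salt holder can perform the lookup at all.
    """
    for account in local_account_ids:
        candidate = pairwise_identifier(account, rp_client_id, salt)
        if hmac.compare_digest(candidate.encode(), pseudonym.encode()):
            return account
    return None


def linkable(pseudonym_a: str, pseudonym_b: str) -> bool:
    """Two RPs comparing the identifiers they hold can link a user only if
    the identifiers are equal, which happens only within one sector."""
    return pseudonym_a == pseudonym_b


if __name__ == "__main__":
    alice = "acct-0001"
    print(pairwise_identifier(alice, "https://payroll.example.gov"))
    print(pairwise_identifier(alice, "https://benefits.example.gov"))
```

The assessor-facing property is the last function: with a single global identifier every relying party could join their records on it, whereas with pairwise derivation two relying parties from different sectors hold values that are equal only by chance, and the mapping back to the account exists only at the identity provider.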
IA-05 AUTHENTICATOR MANAGEMENT ASSESSMENT OBJECTIVE: Determine if: IA-05_ODP[01] a time period for changing or refreshing authenticators by authenticator type is defined; IA-05_ODP[02] events that trigger the change or refreshment of authenticators are defined; IA-05a. system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution; IA-05b. system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization; IA-05c. system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use; IA-05d. system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators; IA-05e. system authenticators are managed through the change of default authenticators prior to first use; IA-05f. system authenticators are managed through the change or refreshment of authenticators or when occur; IA-05g. system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification; IA-05h.[01] system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators; IA-05h.[02] system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators; IA-05i. system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing authenticator management; system design documentation; system configuration settings and associated documentation; list of system authenticator types; change control records associated with managing system authenticators; system audit records; other relevant documents or records]. IA-05-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05-Test [SELECT FROM: Automated mechanisms supporting and/or implementing authenticator management capability]. IA-05(01) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION ASSESSMENT OBJECTIVE: Determine if: IA-05(01)_ODP[01] the frequency at which to update the list of commonly used, expected, or compromised passwords is defined; IA-05(01)_ODP[02] authenticator composition and complexity rules are defined; IA-05(01)(a) for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated and when organizational passwords are suspected to have been compromised directly or indirectly; IA-05(01)(b) for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a); IA-05(01)(c) for password-based authentication, passwords are only transmitted over cryptographically protected channels; IA-05(01)(d) for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash; IA-05(01)(e) for password-based authentication, immediate selection of a new password is required upon account recovery; IA-05(01)(f) for password-based authentication, user selection of long passwords and passphrases is 
allowed, including spaces and all printable characters; IA-05(01)(g) for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators; IA-05(01)(h) for password-based authentication, are enforced. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(01)-Examine [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records]. IA-05(01)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-05(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing password-based authenticator management capability]. IA-05(02) AUTHENTICATOR MANAGEMENT | PUBLIC KEY-BASED AUTHENTICATION ASSESSMENT OBJECTIVE: Determine if: IA-05(02)(a)(01) authorized access to the corresponding private key is enforced for public key-based authentication; IA-05(02)(a)(02) the authenticated identity is mapped to the account of the individual or group for public key-based authentication; IA-05(02)(b)(01) when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; IA-05(02)(b)(02) when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation. 
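The password acceptance and storage behaviour that the IA-05(01)(b), (d) and (f) objectives above test for, as an added example that is not part of NIST SP 800-53A. It assumes a constructed in-memory blocklist standing in for the organization's maintained list of commonly used, expected, or compromised passwords, hashlib.scrypt as the approved salted key derivation function, a server-side pepper read from a hypothetical PW_PEPPER environment variable as the key of the keyed hash, and assumed minimum and maximum lengths in place of the organization-defined composition rules.

```python
"""Added example for IA-05(01): password acceptance and storage.

Not part of NIST SP 800-53A. Blocklist contents, length bounds and the
PW_PEPPER variable are constructed assumptions.
"""
import hashlib
import hmac
import os
import unicodedata

# Constructed sample of the IA-05(01)(a) list. A real deployment loads the
# organization's maintained list and refreshes it at the defined frequency
# and whenever compromise is suspected.
COMPROMISED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8      # assumed organization-defined minimum (IA-05(01)(h))
MAX_LENGTH = 256    # bounds KDF work per attempt; not a composition rule

# Assumed server-side key for the keyed hash. It belongs in a secret store or
# HSM, never in the password database or the application code (IA-05(07)).
PEPPER = os.environ.get("PW_PEPPER", "constructed-example-pepper").encode()

SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
BLOCKLIST_MSG = "found on the commonly used, expected, or compromised password list"


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str) -> list:
    """Return policy violations for a new password; an empty list means accepted.

    IA-05(01)(b): reject anything on the blocklist (case-folded comparison).
    IA-05(01)(f): allow long passphrases, spaces and every printable character;
    only non-printable characters and the length bounds are rejected.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not all(c.isprintable() for c in pw):
        problems.append("contains non-printable characters")
    if pw.casefold() in COMPROMISED_PASSWORDS:
        problems.append(BLOCKLIST_MSG)
    return problems


def _keyed_hash(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # Salted, memory-hard KDF first, then a keyed hash over its output so a
    # stolen database is useless without the separately stored pepper.
    derived = hashlib.scrypt(normalize(password).encode(), salt=salt,
                             n=n, r=r, p=p, dklen=DKLEN)
    return hmac.new(PEPPER, derived, hashlib.sha256).digest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """IA-05(01)(d): store a random per-user salt plus the keyed KDF output.

    The record is self-describing so the parameters can be raised later.
    """
    salt = salt or os.urandom(16)
    tag = _keyed_hash(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the tag from the stored parameters; constant-time comparison.
    Malformed or foreign records fail closed instead of raising."""
    try:
        algo, n, r, p, salt_hex, tag_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = _keyed_hash(password, bytes.fromhex(salt_hex),
                               int(n), int(r), int(p))
        return hmac.compare_digest(expected, bytes.fromhex(tag_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(check_password_policy("Password"))
```

When testing the mechanism rather than reading the policy, an assessor would feed it a blocklisted value, a long passphrase with spaces and punctuation, and a string containing a control character, and would confirm that two records for the same password differ (distinct salts) and that the stored record cannot be verified without the pepper.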
POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(02)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; PKI certificate validation records; PKI certificate revocation lists; other relevant documents or records]. IA-05(02)-Interview [SELECT FROM: Organizational personnel with PKI-based authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-05(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing PKI-based authenticator management capability]. IA-05(03) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED EXTERNAL PARTY REGISTRATION [WITHDRAWN: Incorporated into IA-12(04).] IA-05(04) AUTHENTICATOR MANAGEMENT | AUTOMATED SUPPORT FOR PASSWORD STRENGTH DETERMINATION [WITHDRAWN: Incorporated into IA-05(01).] IA-05(05) AUTHENTICATOR MANAGEMENT | CHANGE AUTHENTICATORS PRIOR TO DELIVERY ASSESSMENT OBJECTIVE: Determine if: IA-05(05) developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(05)-Examine [SELECT FROM: Identification and authentication policy; system security plan; system and services acquisition policy; procedures addressing authenticator management; procedures addressing the integration of security requirements into the acquisition process; acquisition documentation; acquisition contracts for system procurements or services; other relevant documents or records]. IA-05(05)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security, acquisition, and contracting responsibilities; system developers]. 
IA-05(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing authenticator management capability]. IA-05(06) AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS ASSESSMENT OBJECTIVE: Determine if: IA-05(06) authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(06)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; security categorization documentation for the system; security assessments of authenticator protections; risk assessment results; system security plan; other relevant documents or records]. IA-05(06)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel implementing and/or maintaining authenticator protections; organizational personnel with information security responsibilities; system/network administrators]. IA-05(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing authenticator management capability; automated mechanisms protecting authenticators]. IA-05(07) AUTHENTICATOR MANAGEMENT | NO EMBEDDED UNENCRYPTED STATIC AUTHENTICATORS ASSESSMENT OBJECTIVE: Determine if: IA-05(07) unencrypted static authenticators are not embedded in applications or other forms of static storage. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(07)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing authenticator management; system design documentation; system configuration settings and associated documentation; logical access scripts; application code reviews for detecting unencrypted static authenticators; other relevant documents or records]. 
IA-05(07)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-05(07)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing authenticator management capability; automated mechanisms implementing authentication in applications]. IA-05(08) AUTHENTICATOR MANAGEMENT | MULTIPLE SYSTEM ACCOUNTS ASSESSMENT OBJECTIVE: Determine if: IA-05(08)_ODP security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined; IA-05(08) are implemented to manage the risk of compromise due to individuals having accounts on multiple systems. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(08)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; system security plan; list of individuals having accounts on multiple systems; list of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems; other relevant documents or records]. IA-05(08)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05(08)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing safeguards for authenticator management]. IA-05(09) AUTHENTICATOR MANAGEMENT | FEDERATED CREDENTIAL MANAGEMENT ASSESSMENT OBJECTIVE: Determine if: IA-05(09)_ODP external organizations to be used for federating credentials are defined; IA-05(09) are used to federate credentials. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(09)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; procedures addressing account management; system security plan; security agreements; other relevant documents or records]. IA-05(09)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05(09)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing safeguards for authenticator management]. IA-05(10) AUTHENTICATOR MANAGEMENT | DYNAMIC CREDENTIAL BINDING ASSESSMENT OBJECTIVE: Determine if: IA-05(10)_ODP rules for dynamically binding identities and authenticators are defined; IA-05(10) identities and authenticators are dynamically bound using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(10)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; system security plan; system design documentation; automated mechanisms providing dynamic binding of identifiers and authenticators; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-05(10)-Interview [SELECT FROM: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05(10)-Test [SELECT FROM: Automated mechanisms implementing identifier management capability; automated mechanisms implementing dynamic binding of identities and authenticators]. IA-05(11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION [WITHDRAWN: Incorporated into IA-02(01), IA-02(02).] 
IA-05(12) AUTHENTICATOR MANAGEMENT | BIOMETRIC AUTHENTICATION PERFORMANCE ASSESSMENT OBJECTIVE: Determine if: IA-05(12)_ODP biometric quality requirements for biometric-based authentication are defined; IA-05(12) mechanisms that satisfy are employed for biometric-based authentication. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(12)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; system security plan; system design documentation; automated mechanisms employing biometric-based authentication for the system; list of biometric quality requirements; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-05(12)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-05(12)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing biometric-based authenticator management capability]. IA-05(13) AUTHENTICATOR MANAGEMENT | EXPIRATION OF CACHED AUTHENTICATORS ASSESSMENT OBJECTIVE: Determine if: IA-05(13)_ODP the time period after which the use of cached authenticators is prohibited is defined; IA-05(13) the use of cached authenticators is prohibited after . POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(13)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-05(13)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. 
IA-05(13)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing authenticator management capability]. IA-05(14) AUTHENTICATOR MANAGEMENT | MANAGING CONTENT OF PKI TRUST STORES ASSESSMENT OBJECTIVE: Determine if: IA-05(14) an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(14)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing authenticator management; system security plan; organizational methodology for managing content of PKI trust stores across all installed platforms; system design documentation; system configuration settings and associated documentation; enterprise security architecture documentation; enterprise architecture documentation; other relevant documents or records]. IA-05(14)-Interview [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-05(14)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing PKI-based authenticator management capability; automated mechanisms supporting and/or implementing the PKI trust store capability]. IA-05(15) AUTHENTICATOR MANAGEMENT | GSA-APPROVED PRODUCTS AND SERVICES ASSESSMENT OBJECTIVE: Determine if: IA-05(15) only General Services Administration-approved products and services are used for identity, credential, and access management. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(15)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; system security plan; system design documentation; automated mechanisms providing dynamic binding of identifiers and authenticators; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-05(15)-Interview [SELECT FROM: Organizational personnel with identification and authentication management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05(15)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing account management capability; automated mechanisms supporting and/or implementing identification and authentication management capabilities for the system]. IA-05(16) AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED EXTERNAL PARTY AUTHENTICATOR ISSUANCE ASSESSMENT OBJECTIVE: Determine if: IA-05(16)_ODP[01] types of and/or specific authenticators to be issued are defined; IA-05(16)_ODP[02] one of the following PARAMETER VALUES is selected: {in person; by a trusted external party}; IA-05(16)_ODP[03] the registration authority that issues authenticators is defined; IA-05(16)_ODP[04] the personnel or roles who authorize the issuance of authenticators are defined; IA-05(16) the issuance of is required to be conducted before with authorization by . POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(16)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; system security plan; system design documentation; automated mechanisms providing dynamic binding of identifiers and authenticators; system configuration settings and associated documentation; system audit records; other relevant documents or records]. 
IA-05(16)-Interview [SELECT FROM: Organizational personnel with identification and authentication management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05(16)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing account management capability; automated mechanisms supporting and/or implementing identification and authentication management capabilities for the system]. IA-05(17) AUTHENTICATOR MANAGEMENT | PRESENTATION ATTACK DETECTION FOR BIOMETRIC AUTHENTICATORS ASSESSMENT OBJECTIVE: Determine if: IA-05(17) presentation attack detection mechanisms are employed for biometric-based authentication. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(17)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; system security plan; system design documentation; automated mechanisms providing dynamic binding of identifiers and authenticators; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-05(17)-Interview [SELECT FROM: Organizational personnel with identification and authentication management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05(17)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing account management capability; automated mechanisms supporting and/or implementing identification and authentication management capabilities for the system]. IA-05(18) AUTHENTICATOR MANAGEMENT | PASSWORD MANAGERS ASSESSMENT OBJECTIVE: Determine if: IA-05(18)_ODP[01] password managers employed for generating and managing passwords are defined; IA-05(18)_ODP[02] controls for protecting passwords are defined; IA-05(18)(a) are employed to generate and manage passwords; IA-05(18)(b) the passwords are protected using . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-05(18)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; system security plan; system design documentation; automated mechanisms providing dynamic binding of identifiers and authenticators; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-05(18)-Interview [SELECT FROM: Organizational personnel with identification and authentication management responsibilities; organizational personnel with information security responsibilities; system/network administrators]. IA-05(18)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing account management capability; automated mechanisms supporting and/or implementing identification and authentication management capabilities for the system]. IA-06 AUTHENTICATION FEEDBACK ASSESSMENT OBJECTIVE: Determine if: IA-06 the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-06-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing authenticator feedback; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-06-Interview [SELECT FROM: Organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-06-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication]. 
IA-07 CRYPTOGRAPHIC MODULE AUTHENTICATION ASSESSMENT OBJECTIVE: Determine if: IA-07 mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines for such authentication. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-07-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing cryptographic module authentication; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. IA-07-Interview [SELECT FROM: Organizational personnel with responsibility for cryptographic module authentication; organizational personnel with information security responsibilities; system/network administrators; system developers]. IA-07-Test [SELECT FROM: Automated mechanisms supporting and/or implementing cryptographic module authentication]. IA-08 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) ASSESSMENT OBJECTIVE: Determine if: IA-08 non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-08-Examine [SELECT FROM: Identification and authentication policy; system security plan; privacy plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of system accounts; other relevant documents or records]. IA-08-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; organizational personnel with account management responsibilities]. 
IA-08-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities]. IA-08(01) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES ASSESSMENT OBJECTIVE: Determine if: IA-08(01)[01] Personal Identity Verification-compliant credentials from other federal agencies are accepted; IA-08(01)[02] Personal Identity Verification-compliant credentials from other federal agencies are electronically verified. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-08(01)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; PIV verification records; evidence of PIV credentials; PIV credential authorizations; other relevant documents or records]. IA-08(01)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with account management responsibilities]. IA-08(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities; automated mechanisms that accept and verify PIV credentials]. IA-08(02) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF EXTERNAL AUTHENTICATORS ASSESSMENT OBJECTIVE: Determine if: IA-08(02)(a) only external authenticators that are NIST-compliant are accepted; IA-08(02)(b)[01] a list of accepted external authenticators is documented; IA-08(02)(b)[02] a list of accepted external authenticators is maintained. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-08(02)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; list of third-party credentialing products, components, or services procured and implemented by organization; third-party credential verification records; evidence of third-party credentials; third-party credential authorizations; other relevant documents or records]. IA-08(02)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with account management responsibilities]. IA-08(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities; automated mechanisms that accept external credentials]. IA-08(03) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS [WITHDRAWN: Incorporated into IA-08(02).] IA-08(04) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF DEFINED PROFILES ASSESSMENT OBJECTIVE: Determine if: IA-08(04)_ODP identity management profiles are defined; IA-08(04) there is conformance with for identity management. POTENTIAL ASSESSMENT METHODS AND OBJECTS: IA-08(04)-Examine [SELECT FROM: Identification and authentication policy; system security plan; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records]. 
IA-08(04)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with account management responsibilities].
IA-08(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities; automated mechanisms supporting and/or implementing conformance with profiles].

IA-08(05) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV-I CREDENTIALS

ASSESSMENT OBJECTIVE:
Determine if:
IA-08(05)_ODP a policy for using federated or PKI credentials is defined;
IA-08(05)[01] federated or PKI credentials that meet are accepted;
IA-08(05)[02] federated or PKI credentials that meet are verified.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-08(05)-Examine [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; PIV-I verification records; evidence of PIV-I credentials; PIV-I credential authorizations; other relevant documents or records].
IA-08(05)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with account management responsibilities].
IA-08(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities; automated mechanisms that accept and verify PIV-I credentials].
IA-08(06) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | DISASSOCIABILITY

ASSESSMENT OBJECTIVE:
Determine if:
IA-08(06)_ODP disassociability measures are defined;
IA-08(06) to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-08(06)-Examine [SELECT FROM: Identification and authentication policy; system security plan; privacy plan; procedures addressing user identification and authentication; system design documentation; system configuration settings and associated documentation; system audit records; other relevant documents or records].
IA-08(06)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers; organizational personnel with account management responsibilities].
IA-08(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-09 SERVICE IDENTIFICATION AND AUTHENTICATION

ASSESSMENT OBJECTIVE:
Determine if:
IA-09_ODP system services and applications to be uniquely identified and authenticated are defined;
IA-09 are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-09-Examine [SELECT FROM: Identification and authentication policy; procedures addressing service identification and authentication; system security plan; system design documentation; security safeguards used to identify and authenticate system services; system configuration settings and associated documentation; system audit records; other relevant documents or records].
IA-09-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-09-Test [SELECT FROM: Security safeguards implementing service identification and authentication capabilities].

IA-09(01) SERVICE IDENTIFICATION AND AUTHENTICATION | INFORMATION EXCHANGE
[WITHDRAWN: Incorporated into IA-09.]

IA-09(02) SERVICE IDENTIFICATION AND AUTHENTICATION | TRANSMISSION OF DECISIONS
[WITHDRAWN: Incorporated into IA-09.]

IA-10 ADAPTIVE AUTHENTICATION

ASSESSMENT OBJECTIVE:
Determine if:
IA-10_ODP[01] supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined;
IA-10_ODP[02] circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined;
IA-10 individuals accessing the system are required to employ under specific .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-10-Examine [SELECT FROM: Identification and authentication policy; procedures addressing adaptive/supplemental identification and authentication techniques or mechanisms; system security plan; system design documentation; system configuration settings and associated documentation; supplemental identification and authentication techniques or mechanisms; system audit records; other relevant documents or records].
IA-10-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-10-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-11 RE-AUTHENTICATION

ASSESSMENT OBJECTIVE:
Determine if:
IA-11_ODP circumstances or situations requiring re-authentication are defined;
IA-11 users are required to re-authenticate when .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-11-Examine [SELECT FROM: Identification and authentication policy; procedures addressing user and device re-authentication; system security plan; system design documentation; system configuration settings and associated documentation; list of circumstances or situations requiring re-authentication; system audit records; other relevant documents or records].
IA-11-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-11-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-12 IDENTITY PROOFING

ASSESSMENT OBJECTIVE:
Determine if:
IA-12a. users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;
IA-12b. user identities are resolved to a unique individual;
IA-12c.[01] identity evidence is collected;
IA-12c.[02] identity evidence is validated;
IA-12c.[03] identity evidence is verified.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-12-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identity proofing; system security plan; privacy plan; other relevant documents or records].
IA-12-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security and privacy responsibilities; legal counsel; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-12-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-12(01) IDENTITY PROOFING | SUPERVISOR AUTHORIZATION

ASSESSMENT OBJECTIVE:
Determine if:
IA-12(01) the registration process to receive an account for logical access includes supervisor or sponsor authorization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-12(01)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identity proofing; system security plan; other relevant documents or records].
IA-12(01)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-12(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-12(02) IDENTITY PROOFING | IDENTITY EVIDENCE

ASSESSMENT OBJECTIVE:
Determine if:
IA-12(02) evidence of individual identification is presented to the registration authority.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-12(02)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identity proofing; system security plan; other relevant documents or records].
IA-12(02)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-12(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-12(03) IDENTITY PROOFING | IDENTITY EVIDENCE VALIDATION AND VERIFICATION

ASSESSMENT OBJECTIVE:
Determine if:
IA-12(03)_ODP methods of validation and verification of identity evidence are defined;
IA-12(03) the presented identity evidence is validated and verified through .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-12(03)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identity proofing; system security plan; other relevant documents or records].
IA-12(03)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-12(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-12(04) IDENTITY PROOFING | IN-PERSON VALIDATION AND VERIFICATION

ASSESSMENT OBJECTIVE:
Determine if:
IA-12(04) the validation and verification of identity evidence is conducted in person before a designated registration authority.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-12(04)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identity proofing; system security plan; other relevant documents or records].
IA-12(04)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-12(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-12(05) IDENTITY PROOFING | ADDRESS CONFIRMATION

ASSESSMENT OBJECTIVE:
Determine if:
IA-12(05)_ODP one of the following PARAMETER VALUES is selected: {registration code; notice of proofing};
IA-12(05) a is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-12(05)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identity proofing; system security plan; other relevant documents or records].
IA-12(05)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-12(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

IA-12(06) IDENTITY PROOFING | ACCEPT EXTERNALLY-PROOFED IDENTITIES

ASSESSMENT OBJECTIVE:
Determine if:
IA-12(06)_ODP an identity assurance level for accepting externally proofed identities is defined;
IA-12(06) externally proofed identities are accepted .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IA-12(06)-Examine [SELECT FROM: Identification and authentication policy; procedures addressing identity proofing; system security plan; other relevant documents or records].
IA-12(06)-Interview [SELECT FROM: Organizational personnel with system operations responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers; organizational personnel with identification and authentication responsibilities].
IA-12(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing identification and authentication capabilities].

4.8 Incident Response

IR-01 POLICY AND PROCEDURES

ASSESSMENT OBJECTIVE:
Determine if:
IR-01_ODP[01] personnel or roles to whom the incident response policy is to be disseminated is/are defined;
IR-01_ODP[02] personnel or roles to whom the incident response procedures are to be disseminated is/are defined;
IR-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
IR-01_ODP[04] an official to manage the incident response policy and procedures is defined;
IR-01_ODP[05] the frequency at which the current incident response policy is reviewed and updated is defined;
IR-01_ODP[06] events that would require the current incident response policy to be reviewed and updated are defined;
IR-01_ODP[07] the frequency at which the current incident response procedures are reviewed and updated is defined;
IR-01_ODP[08] events that would require the incident response procedures to be reviewed and updated are defined;
IR-01a.[01] an incident response policy is developed and documented;
IR-01a.[02] the incident response policy is disseminated to ;
IR-01a.[03] incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
IR-01a.[04] the incident response procedures are disseminated to ;
IR-01a.01(a)[01] the incident response policy addresses purpose;
IR-01a.01(a)[02] the incident response policy addresses scope;
IR-01a.01(a)[03] the incident response policy addresses roles;
IR-01a.01(a)[04] the incident response policy addresses responsibilities;
IR-01a.01(a)[05] the incident response policy addresses management commitment;
IR-01a.01(a)[06] the incident response policy addresses coordination among organizational entities;
IR-01a.01(a)[07] the incident response policy addresses compliance;
IR-01a.01(b) the incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
IR-01b. the is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;
IR-01c.01[01] the current incident response policy is reviewed and updated ;
IR-01c.01[02] the current incident response policy is reviewed and updated following ;
IR-01c.02[01] the current incident response procedures are reviewed and updated ;
IR-01c.02[02] the current incident response procedures are reviewed and updated following .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-01-Examine [SELECT FROM: Incident response policy and procedures; system security plan; privacy plan; other relevant documents or records].
IR-01-Interview [SELECT FROM: Organizational personnel with incident response responsibilities; organizational personnel with information security and privacy responsibilities].
IR-02 INCIDENT RESPONSE TRAINING

ASSESSMENT OBJECTIVE:
Determine if:
IR-02_ODP[01] a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;
IR-02_ODP[02] frequency at which to provide incident response training to users is defined;
IR-02_ODP[03] frequency at which to review and update incident response training content is defined;
IR-02_ODP[04] events that initiate a review of the incident response training content are defined;
IR-02a.01 incident response training is provided to system users consistent with assigned roles and responsibilities within of assuming an incident response role or responsibility or acquiring system access;
IR-02a.02 incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
IR-02a.03 incident response training is provided to system users consistent with assigned roles and responsibilities thereafter;
IR-02b.[01] incident response training content is reviewed and updated ;
IR-02b.[02] incident response training content is reviewed and updated following .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-02-Examine [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training curriculum; incident response training materials; privacy plan; incident response plan; incident response training records; system security plan; privacy plan; other relevant documents or records].
IR-02-Interview [SELECT FROM: Organizational personnel with incident response training and operational responsibilities; organizational personnel with information security and privacy responsibilities].

IR-02(01) INCIDENT RESPONSE TRAINING | SIMULATED EVENTS

ASSESSMENT OBJECTIVE:
Determine if:
IR-02(01) simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-02(01)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training curriculum; incident response training materials; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-02(01)-Interview [SELECT FROM: Organizational personnel with incident response training and operational responsibilities; organizational personnel with information security and privacy responsibilities].
IR-02(01)-Test [SELECT FROM: Automated mechanisms that support and/or implement simulated events for incident response training].

IR-02(02) INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS

ASSESSMENT OBJECTIVE:
Determine if:
IR-02(02)_ODP automated mechanisms used in an incident response training environment are defined;
IR-02(02) an incident response training environment is provided using .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-02(02)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response training; incident response training curriculum; incident response training materials; automated mechanisms supporting incident response training; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-02(02)-Interview [SELECT FROM: Organizational personnel with incident response training and operational responsibilities; organizational personnel with information security and privacy responsibilities].
IR-02(02)-Test [SELECT FROM: Automated mechanisms that provide a thorough and realistic incident response training environment].

IR-02(03) INCIDENT RESPONSE TRAINING | BREACH

ASSESSMENT OBJECTIVE:
Determine if:
IR-02(03)[01] incident response training on how to identify and respond to a breach is provided;
IR-02(03)[02] incident response training on the organization’s process for reporting a breach is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-02(03)-Examine [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; system security plan; privacy plan; other relevant documents or records].
IR-02(03)-Interview [SELECT FROM: Organizational personnel with incident response training responsibilities; organizational personnel with information security and privacy responsibilities].

IR-03 INCIDENT RESPONSE TESTING

ASSESSMENT OBJECTIVE:
Determine if:
IR-03_ODP[01] frequency at which to test the effectiveness of the incident response capability for the system is defined;
IR-03_ODP[02] tests used to test the effectiveness of the incident response capability for the system are defined;
IR-03 the effectiveness of the incident response capability for the system is tested using .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-03-Examine [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; system security plan; privacy plan; other relevant documents or records].
IR-03-Interview [SELECT FROM: Organizational personnel with incident response testing responsibilities; organizational personnel with information security and privacy responsibilities].

IR-03(01) INCIDENT RESPONSE TESTING | AUTOMATED TESTING

ASSESSMENT OBJECTIVE:
Determine if:
IR-03(01)_ODP automated mechanisms used to test the incident response capability are defined;
IR-03(01) the incident response capability is tested using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-03(01)-Examine [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing documentation; incident response test results; incident response test plan; incident response plan; contingency plan; system security plan; automated mechanisms supporting incident response tests; other relevant documents or records].
IR-03(01)-Interview [SELECT FROM: Organizational personnel with incident response testing responsibilities; organizational personnel with information security responsibilities].
IR-03(01)-Test [SELECT FROM: Automated mechanisms that more thoroughly and effectively test the incident response capability].

IR-03(02) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS

ASSESSMENT OBJECTIVE:
Determine if:
IR-03(02) incident response testing is coordinated with organizational elements responsible for related plans.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-03(02)-Examine [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; incident response testing documentation; incident response plan; business continuity plans; contingency plans; disaster recovery plans; continuity of operations plans; crisis communications plans; critical infrastructure plans; occupant emergency plans; system security plan; privacy plan; other relevant documents or records].
IR-03(02)-Interview [SELECT FROM: Organizational personnel with incident response testing responsibilities; organizational personnel with responsibilities for testing organizational plans related to incident response testing; organizational personnel with information security and privacy responsibilities].
IR-03(03) INCIDENT RESPONSE TESTING | CONTINUOUS IMPROVEMENT

ASSESSMENT OBJECTIVE:
Determine if:
IR-03(03)(a)[01] qualitative data from testing are used to determine the effectiveness of incident response processes;
IR-03(03)(a)[02] quantitative data from testing are used to determine the effectiveness of incident response processes;
IR-03(03)(b)[01] qualitative and quantitative data from testing are used to continuously improve incident response processes;
IR-03(03)(b)[02] quantitative data from testing are used to continuously improve incident response processes;
IR-03(03)(c)[01] qualitative data from testing are used to provide incident response measures and metrics that are accurate;
IR-03(03)(c)[02] quantitative data from testing are used to provide incident response measures and metrics that are accurate;
IR-03(03)(c)[03] qualitative data from testing are used to provide incident response measures and metrics that are consistent;
IR-03(03)(c)[04] quantitative data from testing are used to provide incident response measures and metrics that are consistent;
IR-03(03)(c)[05] qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;
IR-03(03)(c)[06] quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-03(03)-Examine [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; incident response testing documentation; incident response plan; business continuity plans; contingency plans; disaster recovery plans; continuity of operations plans; crisis communications plans; critical infrastructure plans; occupant emergency plans; system security plan; privacy plan; other relevant documents or records].
IR-03(03)-Interview [SELECT FROM: Organizational personnel with incident response testing responsibilities; organizational personnel with responsibilities for testing organizational plans related to incident response testing; organizational personnel with information security and privacy responsibilities].

IR-04 INCIDENT HANDLING

ASSESSMENT OBJECTIVE:
Determine if:
IR-04(a)[01] an incident handling capability for incidents is implemented that is consistent with the incident response plan;
IR-04(a)[02] an incident handling capability for incidents includes preparation;
IR-04(a)[03] an incident handling capability for incidents includes detection and analysis;
IR-04(a)[04] an incident handling capability for incidents includes containment;
IR-04(a)[05] an incident handling capability for incidents includes eradication;
IR-04(a)[06] an incident handling capability for incidents includes recovery;
IR-04(b) incident handling activities are coordinated with contingency planning activities;
IR-04(c)[01] lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
IR-04(c)[02] the changes resulting from the incorporated lessons learned are implemented accordingly;
IR-04(d)[01] the rigor of incident handling activities is comparable and predictable across the organization;
IR-04(d)[02] the intensity of incident handling activities is comparable and predictable across the organization;
IR-04(d)[03] the scope of incident handling activities is comparable and predictable across the organization;
IR-04(d)[04] the results of incident handling activities are comparable and predictable across the organization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04-Examine [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident handling; incident response plan; contingency plan; system security plan; privacy plan; other relevant documents or records].
IR-04-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities; organizational personnel with information security and privacy responsibilities].
IR-04-Test [SELECT FROM: Incident handling capability for the organization].

IR-04(01) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES

ASSESSMENT OBJECTIVE:
Determine if:
IR-04(01)_ODP automated mechanisms used to support the incident handling process are defined;
IR-04(01) the incident handling process is supported using .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(01)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; system design documentation; system configuration settings and associated documentation; system audit records; incident response plan; system security plan; other relevant documents or records].
IR-04(01)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities].
IR-04(01)-Test [SELECT FROM: Automated mechanisms that support and/or implement the incident handling process].

IR-04(02) INCIDENT HANDLING | DYNAMIC RECONFIGURATION

ASSESSMENT OBJECTIVE:
Determine if:
IR-04(02)_ODP[01] types of dynamic reconfiguration for system components are defined;
IR-04(02)_ODP[02] system components that require dynamic reconfiguration are defined;
IR-04(02) for are included as part of the incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(02)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; list of system components to be dynamically reconfigured as part of incident response capability; system design documentation; system configuration settings and associated documentation; system audit records; incident response plan; system security plan; other relevant documents or records].
IR-04(02)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities].
IR-04(02)-Test [SELECT FROM: Automated mechanisms that support and/or implement dynamic reconfiguration of components as part of incident response].

IR-04(03) INCIDENT HANDLING | CONTINUITY OF OPERATIONS

ASSESSMENT OBJECTIVE:
Determine if:
IR-04(03)_ODP[01] classes of incidents requiring an organization-defined action (defined in IR-04(03)_ODP[02]) to be taken are defined;
IR-04(03)_ODP[02] actions to be taken in response to organization-defined classes of incidents are defined;
IR-04(03)[01] are identified;
IR-04(03)[02] are taken in response to those incidents to ensure the continuation of organizational mission and business functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(03)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; privacy plan; list of classes of incidents; list of appropriate incident response actions; system security plan; other relevant documents or records].
IR-04(03)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities].
IR-04(03)-Test [SELECT FROM: Automated mechanisms that support and/or implement continuity of operations].
IR-04(04) INCIDENT HANDLING | INFORMATION CORRELATION

ASSESSMENT OBJECTIVE:
Determine if:
IR-04(04) incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(04)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; privacy plan; automated mechanisms supporting incident and event correlation; system design documentation; system configuration settings and associated documentation; system security plan; privacy plan; incident management correlation logs; event management correlation logs; security information and event management logs; incident management correlation reports; event management correlation reports; security information and event management reports; audit records; other relevant documents or records].
IR-04(04)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with whom incident information and individual incident responses are to be correlated].
IR-04(04)-Test [SELECT FROM: Organizational processes for correlating incident information and individual incident responses; automated mechanisms that support and/or implement the correlation of incident response information with individual incident responses].

IR-04(05) INCIDENT HANDLING | AUTOMATIC DISABLING OF SYSTEM

ASSESSMENT OBJECTIVE:
Determine if:
IR-04(05)_ODP security violations that automatically disable a system are defined;
IR-04(05) a configurable capability is implemented to automatically disable the system if are detected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(05)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; system design documentation; system configuration settings and associated documentation; system security plan; incident response plan; privacy plan; other relevant documents or records].
IR-04(05)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities; system developers].
IR-04(05)-Test [SELECT FROM: Incident handling capability for the organization; automated mechanisms supporting and/or implementing automatic disabling of the system].

IR-04(06) INCIDENT HANDLING | INSIDER THREATS
ASSESSMENT OBJECTIVE: Determine if:
IR-04(06) an incident handling capability is implemented for incidents involving insider threats.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(06)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting incident handling; system design documentation; system configuration settings and associated documentation; incident response plan; system security plan; audit records; other relevant documents or records].
IR-04(06)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities].
IR-04(06)-Test [SELECT FROM: Incident handling capability for the organization].

IR-04(07) INCIDENT HANDLING | INSIDER THREATS — INTRA-ORGANIZATION COORDINATION
ASSESSMENT OBJECTIVE: Determine if:
IR-04(07)_ODP entities that require coordination for an incident handling capability for insider threats are defined;
IR-04(07)[01] an incident handling capability is coordinated for insider threats;
IR-04(07)[02] the coordinated incident handling capability includes .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(07)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; incident response plan; insider threat program plan; insider threat CONOPS; system security plan; privacy plan; other relevant documents or records].
IR-04(07)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel/elements with whom the incident handling capability is to be coordinated].
IR-04(07)-Test [SELECT FROM: Organizational processes for coordinating incident handling].

IR-04(08) INCIDENT HANDLING | CORRELATION WITH EXTERNAL ORGANIZATIONS
ASSESSMENT OBJECTIVE: Determine if:
IR-04(08)_ODP[01] external organizations with whom organizational incident information is to be coordinated and shared are defined;
IR-04(08)_ODP[02] incident information to be correlated and shared with organization-defined external organizations is defined;
IR-04(08) there is coordination with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(08)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; list of external organizations; records of incident handling coordination with external organizations; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-04(08)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security and privacy responsibilities; personnel from external organizations with whom incident response information is to be coordinated, shared, and correlated].
IR-04(08)-Test [SELECT FROM: Organizational processes for coordinating incident handling information with external organizations].
IR-04(09) INCIDENT HANDLING | DYNAMIC RESPONSE CAPABILITY
ASSESSMENT OBJECTIVE: Determine if:
IR-04(09)_ODP dynamic response capabilities to be employed to respond to incidents are defined;
IR-04(09) are employed to respond to incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(09)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; automated mechanisms supporting dynamic response capabilities; system design documentation; system configuration settings and associated documentation; incident response plan; system security plan; audit records; other relevant documents or records].
IR-04(09)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities].
IR-04(09)-Test [SELECT FROM: Organizational processes for dynamic response capability; automated mechanisms supporting and/or implementing the dynamic response capability for the organization].

IR-04(10) INCIDENT HANDLING | SUPPLY CHAIN COORDINATION
ASSESSMENT OBJECTIVE: Determine if:
IR-04(10) incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(10)-Examine [SELECT FROM: Incident response policy; procedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council; acquisition contracts; service-level agreements; incident response plan; supply chain risk management plan; system security plan; incident response plans of other organizations involved in supply chain activities; other relevant documents or records].
IR-04(10)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with mission and business responsibilities; organizational personnel with legal responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with acquisition responsibilities].

IR-04(11) INCIDENT HANDLING | INTEGRATED INCIDENT RESPONSE TEAM
ASSESSMENT OBJECTIVE: Determine if:
IR-04(11)_ODP the time period within which an integrated incident response team can be deployed is defined;
IR-04(11)[01] an integrated incident response team is established and maintained;
IR-04(11)[02] the integrated incident response team can be deployed to any location identified by the organization in .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(11)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-04(11)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security and privacy responsibilities; members of the integrated incident response team].

IR-04(12) INCIDENT HANDLING | MALICIOUS CODE AND FORENSIC ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
IR-04(12)[01] malicious code remaining in the system is analyzed after the incident;
IR-04(12)[02] other residual artifacts remaining in the system (if any) are analyzed after the incident.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(12)-Examine [SELECT FROM: Incident response policy; procedures addressing incident handling; procedures addressing code and forensic analysis; procedures addressing incident response; incident response plan; system design documentation; malicious code protection mechanisms, tools, and techniques; results from malicious code analyses; system security plan; system audit records; other relevant documents or records].
IR-04(12)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel with responsibility for malicious code protection; organizational personnel responsible for incident response/management].
IR-04(12)-Test [SELECT FROM: Organizational process for incident response; organizational processes for conducting forensic analysis; tools and techniques for analysis of malicious code characteristics and behavior].

IR-04(13) INCIDENT HANDLING | BEHAVIOR ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
IR-04(13)_ODP environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined;
IR-04(13) anomalous or suspected adversarial behavior in or related to are analyzed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(13)-Examine [SELECT FROM: Incident response policy; procedures addressing system monitoring tools and techniques; incident response plan; system monitoring logs or records; system monitoring tools and techniques documentation; system configuration settings and associated documentation; security plan; system component inventory; network diagram; system protocols documentation; list of acceptable thresholds for false positives and false negatives; system security plan; other relevant documents or records].
IR-04(13)-Interview [SELECT FROM: Organizational personnel with information security responsibilities; system/network administrators].
IR-04(13)-Test [SELECT FROM: Organizational processes for detecting anomalous behavior].

IR-04(14) INCIDENT HANDLING | SECURITY OPERATIONS CENTER
ASSESSMENT OBJECTIVE: Determine if:
IR-04(14)[01] a security operations center is established;
IR-04(14)[02] a security operations center is maintained.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(14)-Examine [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident handling; procedures addressing the security operations center operations; automated mechanisms supporting dynamic response capabilities; incident response plan; contingency plan; system security plan; other relevant documents or records].
IR-04(14)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with contingency planning responsibilities; security operations center personnel; organizational personnel with information security responsibilities].
IR-04(14)-Test [SELECT FROM: Automated mechanisms that support and/or implement the security operations center capability; automated mechanisms that support and/or implement the incident handling process].

IR-04(15) INCIDENT HANDLING | PUBLIC RELATIONS AND REPUTATION REPAIR
ASSESSMENT OBJECTIVE: Determine if:
IR-04(15)(a) public relations associated with an incident are managed;
IR-04(15)(b) measures are employed to repair the reputation of the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-04(15)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response; procedures addressing incident handling; incident response plan; system security plan; other relevant documents or records].
IR-04(15)-Interview [SELECT FROM: Organizational personnel with incident handling responsibilities; organizational personnel with information security responsibilities; organizational personnel with communications or public relations responsibilities].
IR-05 INCIDENT MONITORING
ASSESSMENT OBJECTIVE: Determine if:
IR-05[01] incidents are tracked;
IR-05[02] incidents are documented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-05-Examine [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-05-Interview [SELECT FROM: Organizational personnel with incident monitoring responsibilities; organizational personnel with information security and privacy responsibilities].
IR-05-Test [SELECT FROM: Incident monitoring capability for the organization; automated mechanisms supporting and/or implementing tracking and documenting of system security incidents].

IR-05(01) INCIDENT MONITORING | AUTOMATED TRACKING, DATA COLLECTION, AND ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
IR-05(01)_ODP[01] automated mechanisms used to track incidents are defined;
IR-05(01)_ODP[02] automated mechanisms used to collect incident information are defined;
IR-05(01)_ODP[03] automated mechanisms used to analyze incident information are defined;
IR-05(01)[01] incidents are tracked using ;
IR-05(01)[02] incident information is collected using ;
IR-05(01)[03] incident information is analyzed using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-05(01)-Examine [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; system security plan; incident response plan; other relevant documents or records].
IR-05(01)-Interview [SELECT FROM: Organizational personnel with incident monitoring responsibilities; organizational personnel with information security responsibilities].
IR-05(01)-Test [SELECT FROM: Incident monitoring capability for the organization; automated mechanisms supporting and/or implementing tracking and documenting of system security incidents].
IR-06 INCIDENT REPORTING
ASSESSMENT OBJECTIVE: Determine if:
IR-06_ODP[01] time period for personnel to report suspected incidents to the organizational incident response capability is defined;
IR-06_ODP[02] authorities to whom incident information is to be reported are defined;
IR-06(a) personnel is/are required to report suspected incidents to the organizational incident response capability within ;
IR-06(b) incident information is reported to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-06-Examine [SELECT FROM: Incident response policy; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-06-Interview [SELECT FROM: Organizational personnel with incident reporting responsibilities; organizational personnel with information security and privacy responsibilities; personnel who have/should have reported incidents; personnel (authorities) to whom incident information is to be reported; system users].
IR-06-Test [SELECT FROM: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing incident reporting].

IR-06(01) INCIDENT REPORTING | AUTOMATED REPORTING
ASSESSMENT OBJECTIVE: Determine if:
IR-06(01)_ODP automated mechanisms used for reporting incidents are defined;
IR-06(01) incidents are reported using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-06(01)-Examine [SELECT FROM: Incident response policy; procedures addressing incident reporting; automated mechanisms supporting incident reporting; system design documentation; system configuration settings and associated documentation; incident response plan; system security plan; other relevant documents or records].
IR-06(01)-Interview [SELECT FROM: Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities].
IR-06(01)-Test [SELECT FROM: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing reporting of security incidents].

IR-06(02) INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS
ASSESSMENT OBJECTIVE: Determine if:
IR-06(02)_ODP personnel or roles to whom system vulnerabilities associated with reported incidents are reported is/are defined;
IR-06(02) system vulnerabilities associated with reported incidents are reported to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-06(02)-Examine [SELECT FROM: Incident response policy; procedures addressing incident reporting; incident response plan; system security plan; privacy plan; security incident reports and associated system vulnerabilities; other relevant documents or records].
IR-06(02)-Interview [SELECT FROM: Organizational personnel with incident reporting responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; personnel to whom vulnerabilities associated with security incidents are to be reported].
IR-06(02)-Test [SELECT FROM: Organizational processes for incident reporting; automated mechanisms supporting and/or implementing the reporting of vulnerabilities associated with security incidents].

IR-06(03) INCIDENT REPORTING | SUPPLY CHAIN COORDINATION
ASSESSMENT OBJECTIVE: Determine if:
IR-06(03) incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-06(03)-Examine [SELECT FROM: Incident response policy; procedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council; acquisition policy; acquisition contracts; service-level agreements; incident response plan; supply chain risk management plan; system security plan; plans of other organizations involved in supply chain activities; other relevant documents or records].
IR-06(03)-Interview [SELECT FROM: Organizational personnel with incident reporting responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with acquisition responsibilities].
IR-06(03)-Test [SELECT FROM: Organizational processes for incident reporting; organizational processes for supply chain risk information sharing; automated mechanisms supporting and/or implementing reporting of incident information involved in the supply chain].

IR-07 INCIDENT RESPONSE ASSISTANCE
ASSESSMENT OBJECTIVE: Determine if:
IR-07[01] an incident response support resource, integral to the organizational incident response capability, is provided;
IR-07[02] the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-07-Examine [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-07-Interview [SELECT FROM: Organizational personnel with incident response assistance and support responsibilities; organizational personnel with access to incident response support and assistance capability; organizational personnel with information security and privacy responsibilities].
IR-07-Test [SELECT FROM: Organizational processes for incident response assistance; automated mechanisms supporting and/or implementing incident response assistance].

IR-07(01) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION AND SUPPORT
ASSESSMENT OBJECTIVE: Determine if:
IR-07(01)_ODP automated mechanisms used to increase the availability of incident response information and support are defined;
IR-07(01) the availability of incident response information and support is increased using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-07(01)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response assistance; automated mechanisms supporting incident response support and assistance; system design documentation; system configuration settings and associated documentation; incident response plan; system security plan; other relevant documents or records].
IR-07(01)-Interview [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; organizational personnel with access to incident response support and assistance capability; organizational personnel with information security responsibilities].
IR-07(01)-Test [SELECT FROM: Organizational processes for incident response assistance; automated mechanisms supporting and/or implementing an increase in the availability of incident response information and support].

IR-07(02) INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS
ASSESSMENT OBJECTIVE: Determine if:
IR-07(02)(a) a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;
IR-07(02)(b) organizational incident response team members are identified to the external providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-07(02)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response assistance; incident response plan; system security plan; privacy plan; other relevant documents or records].
IR-07(02)-Interview [SELECT FROM: Organizational personnel with incident response support and assistance responsibilities; external providers of system protection capability; organizational personnel with information security and privacy responsibilities].

IR-08 INCIDENT RESPONSE PLAN
ASSESSMENT OBJECTIVE: Determine if:
IR-08_ODP[01] personnel or roles that review and approve the incident response plan is/are identified;
IR-08_ODP[02] the frequency at which to review and approve the incident response plan is defined;
IR-08_ODP[03] entities, personnel, or roles with designated responsibility for incident response are defined;
IR-08_ODP[04] incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;
IR-08_ODP[05] organizational elements to which copies of the incident response plan are to be distributed are defined;
IR-08_ODP[06] incident response personnel (identified by name and/or by role) to whom changes to the incident response plan are communicated are defined;
IR-08_ODP[07] organizational elements to which changes to the incident response plan are communicated are defined;
IR-08a.01 an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
IR-08a.02 an incident response plan is developed that describes the structure and organization of the incident response capability;
IR-08a.03 an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
IR-08a.04 an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
IR-08a.05 an incident response plan is developed that defines reportable incidents;
IR-08a.06 an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
IR-08a.07 an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
IR-08a.08 an incident response plan is developed that addresses the sharing of incident information;
IR-08a.09 an incident response plan is developed that is reviewed and approved by ;
IR-08a.10 an incident response plan is developed that explicitly designates responsibility for incident response to .
IR-08b.[01] copies of the incident response plan are distributed to ;
IR-08b.[02] copies of the incident response plan are distributed to ;
IR-08c. the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
IR-08d.[01] incident response plan changes are communicated to ;
IR-08d.[02] incident response plan changes are communicated to ;
IR-08e.[01] the incident response plan is protected from unauthorized disclosure;
IR-08e.[02] the incident response plan is protected from unauthorized modification.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-08-Examine [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; records of incident response plan reviews and approvals; other relevant documents or records].
IR-08-Interview [SELECT FROM: Organizational personnel with incident response planning responsibilities; organizational personnel with information security and privacy responsibilities].
IR-08-Test [SELECT FROM: Organizational incident response plan and related organizational processes].
IR-08(01) INCIDENT RESPONSE PLAN | BREACHES
ASSESSMENT OBJECTIVE: Determine if:
IR-08(01)(a) the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
IR-08(01)(b) the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;
IR-08(01)(c) the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-08(01)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; records of incident response plan reviews and approvals; other relevant documents or records].
IR-08(01)-Interview [SELECT FROM: Organizational personnel with incident response planning responsibilities; organizational personnel with information security and privacy responsibilities].
IR-08(01)-Test [SELECT FROM: Organizational incident response plan and related organizational processes].
IR-09 INFORMATION SPILLAGE RESPONSE
ASSESSMENT OBJECTIVE: Determine if:
IR-09_ODP[01] personnel or roles assigned the responsibility for responding to information spills is/are defined;
IR-09_ODP[02] personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;
IR-09_ODP[03] actions to be performed are defined;
IR-09(a) is/are assigned the responsibility to respond to information spills;
IR-09(b) the specific information involved in the system contamination is identified in response to information spills;
IR-09(c) is/are alerted of the information spill using a method of communication not associated with the spill;
IR-09(d) the contaminated system or system component is isolated in response to information spills;
IR-09(e) the information is eradicated from the contaminated system or component in response to information spills;
IR-09(f) other systems or system components that may have been subsequently contaminated are identified in response to information spills;
IR-09(g) are performed in response to information spills.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-09-Examine [SELECT FROM: Incident response policy; procedures addressing information spillage; incident response plan; system security plan; records of information spillage alerts/notifications; list of personnel who should receive alerts of information spillage; list of actions to be performed regarding information spillage; other relevant documents or records].
IR-09-Interview [SELECT FROM: Organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities].
IR-09-Test [SELECT FROM: Organizational processes for information spillage response; automated mechanisms supporting and/or implementing information spillage response actions and related communications].

IR-09(01) INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL
[WITHDRAWN: Incorporated into IR-09.]
IR-09(02) INFORMATION SPILLAGE RESPONSE | TRAINING
ASSESSMENT OBJECTIVE: Determine if:
IR-09(02)_ODP frequency at which to provide information spillage response training is defined;
IR-09(02) information spillage response training is provided .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-09(02)-Examine [SELECT FROM: Incident response policy; procedures addressing information spillage response training; information spillage response training curriculum; information spillage response training materials; incident response plan; system security plan; information spillage response training records; other relevant documents or records].
IR-09(02)-Interview [SELECT FROM: Organizational personnel with incident response training responsibilities; organizational personnel with information security responsibilities].

IR-09(03) INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS
ASSESSMENT OBJECTIVE: Determine if:
IR-09(03)_ODP procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;
IR-09(03) are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-09(03)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response; procedures addressing information spillage; incident response plan; system security plan; other relevant documents or records].
IR-09(03)-Interview [SELECT FROM: Organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities].
IR-09(03)-Test [SELECT FROM: Organizational processes for post-spill operations].
IR-09(04) INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL
ASSESSMENT OBJECTIVE: Determine if:
IR-09(04)_ODP controls employed for personnel exposed to information not within assigned access authorizations are defined;
IR-09(04) are employed for personnel exposed to information not within assigned access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
IR-09(04)-Examine [SELECT FROM: Incident response policy; procedures addressing incident response; procedures addressing information spillage; incident response plan; system security plan; security safeguards regarding information spillage/exposure to unauthorized personnel; other relevant documents or records].
IR-09(04)-Interview [SELECT FROM: Organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities].
IR-09(04)-Test [SELECT FROM: Organizational processes for dealing with information exposed to unauthorized personnel; automated mechanisms supporting and/or implementing safeguards for personnel exposed to information not within assigned access authorizations].

IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM
[WITHDRAWN: Moved to IR-04(11).]
4.9 Maintenance

MA-01 POLICY AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
MA-01_ODP[01] personnel or roles to whom the maintenance policy is to be disseminated is/are defined;
MA-01_ODP[02] personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;
MA-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
MA-01_ODP[04] an official to manage the maintenance policy and procedures is defined;
MA-01_ODP[05] the frequency with which the current maintenance policy is reviewed and updated is defined;
MA-01_ODP[06] events that would require the current maintenance policy to be reviewed and updated are defined;
MA-01_ODP[07] the frequency with which the current maintenance procedures are reviewed and updated is defined;
MA-01_ODP[08] events that would require the maintenance procedures to be reviewed and updated are defined;
MA-01a.[01] a maintenance policy is developed and documented;
MA-01a.[02] the maintenance policy is disseminated to ;
MA-01a.[03] maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;
MA-01a.[04] the maintenance procedures are disseminated to ;
MA-01a.01(a)[01] the maintenance policy addresses purpose;
MA-01a.01(a)[02] the maintenance policy addresses scope;
MA-01a.01(a)[03] the maintenance policy addresses roles;
MA-01a.01(a)[04] the maintenance policy addresses responsibilities;
MA-01a.01(a)[05] the maintenance policy addresses management commitment;
MA-01a.01(a)[06] the maintenance policy addresses coordination among organizational entities;
MA-01a.01(a)[07] the maintenance policy addresses compliance;
MA-01a.01(b) the maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
MA-01b. the is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;
MA-01c.01[01] the current maintenance policy is reviewed and updated ;
MA-01c.01[02] the current maintenance policy is reviewed and updated following ;
MA-01c.02[01] the current maintenance procedures are reviewed and updated ;
MA-01c.02[02] the current maintenance procedures are reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-01-Examine [SELECT FROM: Maintenance policy and procedures; system security plan; privacy plan; organizational risk management strategy; other relevant documents or records].
MA-01-Interview [SELECT FROM: Organizational personnel with maintenance responsibilities; organizational personnel with information security and privacy responsibilities].

MA-02 CONTROLLED MAINTENANCE
ASSESSMENT OBJECTIVE: Determine if:
MA-02_ODP[01] personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;
MA-02_ODP[02] information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;
MA-02_ODP[03] information to be included in organizational maintenance records is defined;
MA-02a.[01] maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;
MA-02a.[02] maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;
MA-02a.[03] records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;
MA-02b.[01] all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;
MA-02b.[02] all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;
MA-02c. is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;
MA-02d. equipment is sanitized to remove from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;
MA-02e. all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;
MA-02f. is included in organizational maintenance records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-02-Examine [SELECT FROM: Maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer/vendor maintenance specifications; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records].
MA-02-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators].
MA-02-Test [SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system; organizational processes for sanitizing system components; automated mechanisms supporting and/or implementing controlled maintenance; automated mechanisms implementing sanitization of system components].

MA-02(01) CONTROLLED MAINTENANCE | RECORD CONTENT [WITHDRAWN: Incorporated into MA-02.]
MA-02(02) CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES
ASSESSMENT OBJECTIVE: Determine if:
MA-02(02)_ODP[01] automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;
MA-02(02)_ODP[02] automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;
MA-02(02)_ODP[03] automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;
MA-02(02)(a)[01] are used to schedule maintenance, repair, and replacement actions for the system;
MA-02(02)(a)[02] are used to conduct maintenance, repair, and replacement actions for the system;
MA-02(02)(a)[03] are used to document maintenance, repair, and replacement actions for the system;
MA-02(02)(b)[01] up-to-date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced;
MA-02(02)(b)[02] up-to-date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced;
MA-02(02)(b)[03] up-to-date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-02(02)-Examine [SELECT FROM: Maintenance policy; procedures addressing controlled system maintenance; automated mechanisms supporting system maintenance activities; system configuration settings and associated documentation; maintenance records; system security plan; other relevant documents or records].
MA-02(02)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators].
MA-02(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing controlled maintenance; automated mechanisms supporting and/or implementing production of records of maintenance and repair actions].
MA-03 MAINTENANCE TOOLS
ASSESSMENT OBJECTIVE: Determine if:
MA-03_ODP frequency at which to review previously approved system maintenance tools is defined;
MA-03(a)[01] the use of system maintenance tools is approved;
MA-03(a)[02] the use of system maintenance tools is controlled;
MA-03(a)[03] the use of system maintenance tools is monitored;
MA-03(b) previously approved system maintenance tools are reviewed .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-03-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; system security plan; other relevant documents or records].
MA-03-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities].
MA-03-Test [SELECT FROM: Organizational processes for approving, controlling, and monitoring maintenance tools; automated mechanisms supporting and/or implementing approval, control, and/or monitoring of maintenance tools].

MA-03(01) MAINTENANCE TOOLS | INSPECT TOOLS
ASSESSMENT OBJECTIVE: Determine if:
MA-03(01) maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-03(01)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance tool inspection records; maintenance records; system security plan; other relevant documents or records].
MA-03(01)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities].
MA-03(01)-Test [SELECT FROM: Organizational processes for inspecting maintenance tools; automated mechanisms supporting and/or implementing inspection of maintenance tools].
MA-03(02) MAINTENANCE TOOLS | INSPECT MEDIA
ASSESSMENT OBJECTIVE: Determine if:
MA-03(02) media containing diagnostic and test programs are checked for malicious code before the media are used in the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-03(02)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; system security plan; other relevant documents or records].
MA-03(02)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities].
MA-03(02)-Test [SELECT FROM: Organizational process for inspecting media for malicious code; automated mechanisms supporting and/or implementing inspection of media used for maintenance].

MA-03(03) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL
ASSESSMENT OBJECTIVE: Determine if:
MA-03(03)_ODP personnel or roles who can authorize removal of equipment from the facility is/are defined;
MA-03(03)(a) the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or
MA-03(03)(b) the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or
MA-03(03)(c) the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or
MA-03(03)(d) the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from explicitly authorizing removal of the equipment from the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-03(03)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; equipment sanitization records; media sanitization records; exemptions for equipment removal; system security plan; other relevant documents or records].
MA-03(03)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization].
MA-03(03)-Test [SELECT FROM: Organizational process for preventing unauthorized removal of information; automated mechanisms supporting media sanitization or destruction of equipment; automated mechanisms supporting verification of media sanitization].

MA-03(04) MAINTENANCE TOOLS | RESTRICTED TOOL USE
ASSESSMENT OBJECTIVE: Determine if:
MA-03(04) the use of maintenance tools is restricted to authorized personnel only.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-03(04)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; list of personnel authorized to use maintenance tools; maintenance tool usage records; maintenance records; system security plan; other relevant documents or records].
MA-03(04)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities].
MA-03(04)-Test [SELECT FROM: Organizational processes for restricting the use of maintenance tools; automated mechanisms supporting and/or implementing restricted use of maintenance tools].

MA-03(05) MAINTENANCE TOOLS | EXECUTION WITH PRIVILEGE
ASSESSMENT OBJECTIVE: Determine if:
MA-03(05) the use of maintenance tools that execute with increased privilege is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-03(05)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; list of personnel authorized to use maintenance tools; maintenance tool usage records; maintenance records; system security plan; other relevant documents or records].
MA-03(05)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities].
MA-03(05)-Test [SELECT FROM: Organizational processes for restricting the use of maintenance tools; organizational process for monitoring maintenance tools and maintenance tool usage; automated mechanisms monitoring the use of maintenance tools].

MA-03(06) MAINTENANCE TOOLS | SOFTWARE UPDATES AND PATCHES
ASSESSMENT OBJECTIVE: Determine if:
MA-03(06) maintenance tools are inspected to ensure that the latest software updates and patches are installed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-03(06)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; list of personnel authorized to use maintenance tools; maintenance tool usage records; maintenance records; system security plan; other relevant documents or records].
MA-03(06)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities].
MA-03(06)-Test [SELECT FROM: Organizational processes for inspecting maintenance tools; organizational processes for maintenance tool updates; automated mechanisms supporting and/or implementing inspection of maintenance tools; automated mechanisms supporting and/or implementing maintenance tool updates].
MA-04 NONLOCAL MAINTENANCE
ASSESSMENT OBJECTIVE: Determine if:
MA-04a.[01] nonlocal maintenance and diagnostic activities are approved;
MA-04a.[02] nonlocal maintenance and diagnostic activities are monitored;
MA-04b.[01] the use of nonlocal maintenance and diagnostic tools is allowed only as consistent with organizational policy;
MA-04b.[02] the use of nonlocal maintenance and diagnostic tools is documented in the security plan for the system;
MA-04c. strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;
MA-04d. records for nonlocal maintenance and diagnostic activities are maintained;
MA-04e.[01] session connections are terminated when nonlocal maintenance is completed;
MA-04e.[02] network connections are terminated when nonlocal maintenance is completed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-04-Examine [SELECT FROM: Maintenance policy; procedures addressing nonlocal system maintenance; remote access policy; remote access procedures; system design documentation; system configuration settings and associated documentation; maintenance records; records of remote access; diagnostic records; system security plan; other relevant documents or records].
MA-04-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators].
MA-04-Test [SELECT FROM: Organizational processes for managing nonlocal maintenance; automated mechanisms implementing, supporting, and/or managing nonlocal maintenance; automated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; automated mechanisms for terminating nonlocal maintenance sessions and network connections].
MA-04(01) NONLOCAL MAINTENANCE | LOGGING AND REVIEW
ASSESSMENT OBJECTIVE: Determine if:
MA-04(01)_ODP[01] audit events to be logged for nonlocal maintenance are defined;
MA-04(01)_ODP[02] audit events to be logged for diagnostic sessions are defined;
MA-04(01)(a)[01] are logged for nonlocal maintenance sessions;
MA-04(01)(a)[02] are logged for nonlocal diagnostic sessions;
MA-04(01)(b)[01] the audit records of the maintenance sessions are reviewed to detect anomalous behavior;
MA-04(01)(b)[02] the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-04(01)-Examine [SELECT FROM: Maintenance policy; procedures addressing nonlocal system maintenance; list of audit events; system configuration settings and associated documentation; maintenance records; diagnostic records; audit records; reviews of maintenance and diagnostic session records; system security plan; other relevant documents or records].
MA-04(01)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; organizational personnel with audit and review responsibilities; system/network administrators].
MA-04(01)-Test [SELECT FROM: Organizational processes for audit and review of nonlocal maintenance; automated mechanisms supporting and/or implementing audit and review of nonlocal maintenance].

MA-04(02) NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE [WITHDRAWN: Incorporated into MA-01, MA-04.]
MA-04(03) NONLOCAL MAINTENANCE | COMPARABLE SECURITY AND SANITIZATION
ASSESSMENT OBJECTIVE: Determine if:
MA-04(03)(a)[01] nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;
MA-04(03)(a)[02] nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
MA-04(03)(b)[01] the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;
MA-04(03)(b)[02] the component to be serviced is sanitized (for organizational information);
MA-04(03)(b)[03] the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-04(03)-Examine [SELECT FROM: Maintenance policy; procedures addressing nonlocal system maintenance; service provider contracts and/or service-level agreements; maintenance records; inspection records; audit records; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records].
MA-04(03)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; system maintenance provider; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators].
MA-04(03)-Test [SELECT FROM: Organizational processes for comparable security and sanitization for nonlocal maintenance; organizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance; automated mechanisms supporting and/or implementing component sanitization and inspection].
MA-04(04) NONLOCAL MAINTENANCE | AUTHENTICATION AND SEPARATION OF MAINTENANCE SESSIONS
ASSESSMENT OBJECTIVE: Determine if:
MA-04(04)_ODP authenticators that are replay resistant are defined;
MA-04(04)(a) nonlocal maintenance sessions are protected by employing ;
MA-04(04)(b)(01) nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or
MA-04(04)(b)(02) nonlocal maintenance sessions are protected by logically separated communication paths.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-04(04)-Examine [SELECT FROM: Maintenance policy; procedures addressing nonlocal system maintenance; system design documentation; system configuration settings and associated documentation; maintenance records; audit records; system security plan; other relevant documents or records].
MA-04(04)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; network engineers; organizational personnel with information security responsibilities; system/network administrators].
MA-04(04)-Test [SELECT FROM: Organizational processes for protecting nonlocal maintenance sessions; automated mechanisms implementing replay-resistant authenticators; automated mechanisms implementing logically separated/encrypted communication paths].

MA-04(05) NONLOCAL MAINTENANCE | APPROVALS AND NOTIFICATIONS
ASSESSMENT OBJECTIVE: Determine if:
MA-04(05)_ODP[01] personnel or roles required to approve each nonlocal maintenance session is/are defined;
MA-04(05)_ODP[02] personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined;
MA-04(05)(a) the approval of each nonlocal maintenance session is required by ;
MA-04(05)(b) is/are notified of the date and time of planned nonlocal maintenance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-04(05)-Examine [SELECT FROM: Maintenance policy; procedures addressing nonlocal system maintenance; notifications supporting nonlocal maintenance sessions; maintenance records; audit records; system security plan; other relevant documents or records].
MA-04(05)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with notification responsibilities; organizational personnel with approval responsibilities; organizational personnel with information security responsibilities].
MA-04(05)-Test [SELECT FROM: Organizational processes for approving and notifying personnel regarding nonlocal maintenance; automated mechanisms supporting notification and approval of nonlocal maintenance].

MA-04(06) NONLOCAL MAINTENANCE | CRYPTOGRAPHIC PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
MA-04(06)_ODP cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined;
MA-04(06)[01] are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;
MA-04(06)[02] are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-04(06)-Examine [SELECT FROM: Maintenance policy; procedures addressing nonlocal system maintenance; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms protecting nonlocal maintenance activities; maintenance records; diagnostic records; audit records; system security plan; other relevant documents or records].
MA-04(06)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; network engineers; organizational personnel with information security responsibilities; system/network administrators].
MA-04(06)-Test [SELECT FROM: Cryptographic mechanisms protecting nonlocal maintenance and diagnostic communications].

MA-04(07) NONLOCAL MAINTENANCE | DISCONNECT VERIFICATION
ASSESSMENT OBJECTIVE: Determine if:
MA-04(07)[01] session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;
MA-04(07)[02] network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-04(07)-Examine [SELECT FROM: Maintenance policy; procedures addressing nonlocal system maintenance; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms protecting nonlocal maintenance activities; maintenance records; diagnostic records; audit records; system security plan; other relevant documents or records].
MA-04(07)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; network engineers; organizational personnel with information security responsibilities; system/network administrators].
MA-04(07)-Test [SELECT FROM: Automated mechanisms implementing remote disconnect verifications of terminated nonlocal maintenance and diagnostic sessions].

MA-05 MAINTENANCE PERSONNEL
ASSESSMENT OBJECTIVE: Determine if:
MA-05(a)[01] a process for maintenance personnel authorization is established;
MA-05(a)[02] a list of authorized maintenance organizations or personnel is maintained;
MA-05(b) non-escorted personnel performing maintenance on the system possess the required access authorizations;
MA-05(c) organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-05-Examine [SELECT FROM: Maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; system security plan; other relevant documents or records].
MA-05-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities].
MA-05-Test [SELECT FROM: Organizational processes for authorizing and managing maintenance personnel; automated mechanisms supporting and/or implementing authorization of maintenance personnel].

MA-05(01) MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESS
ASSESSMENT OBJECTIVE: Determine if:
MA-05(01)_ODP alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;
MA-05(01)(a)(01) procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;
MA-05(01)(a)(02) procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;
MA-05(01)(b) are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-05(01)-Examine [SELECT FROM: Maintenance policy; procedures addressing maintenance personnel; system media protection policy; physical and environmental protection policy; list of maintenance personnel requiring escort/supervision; maintenance records; access control records; system security plan; other relevant documents or records].
MA-05(01)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for media sanitization; system/network administrators].
MA-05(01)-Test [SELECT FROM: Organizational processes for managing maintenance personnel without appropriate access; automated mechanisms supporting and/or implementing alternative security safeguards; automated mechanisms supporting and/or implementing information storage component sanitization].

MA-05(02) MAINTENANCE PERSONNEL | SECURITY CLEARANCES FOR CLASSIFIED SYSTEMS
ASSESSMENT OBJECTIVE: Determine if:
MA-05(02)[01] personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;
MA-05(02)[02] personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-05(02)-Examine [SELECT FROM: Maintenance policy; procedures addressing maintenance personnel; personnel records; maintenance records; access control records; access credentials; access authorizations; system security plan; other relevant documents or records].
MA-05(02)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities].
MA-05(02)-Test [SELECT FROM: Organizational processes for managing security clearances for maintenance personnel].

MA-05(03) MAINTENANCE PERSONNEL | CITIZENSHIP REQUIREMENTS FOR CLASSIFIED SYSTEMS
ASSESSMENT OBJECTIVE: Determine if:
MA-05(03) personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-05(03)-Examine [SELECT FROM: Maintenance policy; procedures addressing maintenance personnel; personnel records; maintenance records; access control records; access credentials; access authorizations; system security plan; other relevant documents or records].
MA-05(03)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities].
MA-05(04) MAINTENANCE PERSONNEL | FOREIGN NATIONALS
ASSESSMENT OBJECTIVE: Determine if:
MA-05(04)(a) foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;
MA-05(04)(b)[01] approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within memoranda of agreements;
MA-05(04)(b)[02] consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within memoranda of agreements;
MA-05(04)(b)[03] detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within memoranda of agreements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-05(04)-Examine [SELECT FROM: Maintenance policy; procedures addressing maintenance personnel; system media protection policy; access control policy and procedures; physical and environmental protection policy and procedures; memorandum of agreement; maintenance records; access control records; access credentials; access authorizations; system security plan; other relevant documents or records].
MA-05(04)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel managing memoranda of agreements; organizational personnel with information security responsibilities].
MA-05(04)-Test [SELECT FROM: Organizational processes for managing foreign national maintenance personnel].
MA-05(05) MAINTENANCE PERSONNEL | NON-SYSTEM MAINTENANCE
ASSESSMENT OBJECTIVE: Determine if:
MA-05(05) non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-05(05)-Examine [SELECT FROM: Maintenance policy; procedures addressing maintenance personnel; system media protection policy; access control policy and procedures; physical and environmental protection policy and procedures; maintenance records; access control records; access authorizations; system security plan; other relevant documents or records].
MA-05(05)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with personnel security responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities].

MA-06 TIMELY MAINTENANCE
ASSESSMENT OBJECTIVE: Determine if:
MA-06_ODP[01] system components for which maintenance support and/or spare parts are obtained are defined;
MA-06_ODP[02] time period within which maintenance support and/or spare parts are to be obtained after a failure is defined;
MA-06 maintenance support and/or spare parts are obtained for within of failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
MA-06-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance; service provider contracts; service-level agreements; inventory and availability of spare parts; system security plan; other relevant documents or records].
MA-06-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with information security responsibilities; system/network administrators].
MA-06-Test [SELECT FROM: Organizational processes for ensuring timely maintenance].
MA-06(01) TIMELY MAINTENANCE | PREVENTIVE MAINTENANCE ASSESSMENT OBJECTIVE: Determine if: MA-06(01)_ODP[01] system components on which preventive maintenance is to be performed are defined; MA-06(01)_ODP[02] time intervals within which preventive maintenance is to be performed on system components are defined; MA-06(01) preventive maintenance is performed on at . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MA-06(01)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance; service provider contracts; service-level agreements; maintenance records; list of system components requiring preventive maintenance; system security plan; other relevant documents or records]. MA-06(01)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MA-06(01)-Test [SELECT FROM: Organizational processes for preventive maintenance; automated mechanisms supporting and/or implementing preventive maintenance]. MA-06(02) TIMELY MAINTENANCE | PREDICTIVE MAINTENANCE ASSESSMENT OBJECTIVE: Determine if: MA-06(02)_ODP[01] system components on which predictive maintenance is to be performed are defined; MA-06(02)_ODP[02] time intervals within which predictive maintenance is to be performed are defined; MA-06(02) predictive maintenance is performed on at . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MA-06(02)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance; service provider contracts; service-level agreements; maintenance records; list of system components requiring predictive maintenance; system security plan; other relevant documents or records]. MA-06(02)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators]. 
MA-06(02)-Test [SELECT FROM: Organizational processes for predictive maintenance; automated mechanisms supporting and/or implementing predictive maintenance]. MA-06(03) TIMELY MAINTENANCE | AUTOMATED SUPPORT FOR PREDICTIVE MAINTENANCE ASSESSMENT OBJECTIVE: Determine if: MA-06(03)_ODP automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined; MA-06(03) predictive maintenance data is transferred to a maintenance management system using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MA-06(03)-Examine [SELECT FROM: Maintenance policy; procedures addressing system maintenance; service provider contracts; service-level agreements; maintenance records; list of system components requiring predictive maintenance; system security plan; other relevant documents or records]. MA-06(03)-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MA-06(03)-Test [SELECT FROM: Automated mechanisms implementing the transfer of predictive maintenance data to a computerized maintenance management system; operations of the computerized maintenance management system]. MA-07 FIELD MAINTENANCE ASSESSMENT OBJECTIVE: Determine if: MA-07_ODP[01] systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined; MA-07_ODP[02] trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined; MA-07 field maintenance on is restricted or prohibited to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MA-07-Examine [SELECT FROM: Maintenance policy; procedures addressing field maintenance; system design documentation; system configuration settings and associated documentation; maintenance records; diagnostic records; system security plan; other relevant documents or records]. 
MA-07-Interview [SELECT FROM: Organizational personnel with system maintenance responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MA-07-Test [SELECT FROM: Organizational processes for managing field maintenance; automated mechanisms implementing, supporting, and/or managing field maintenance; automated mechanisms for strong authentication of field maintenance diagnostic sessions; automated mechanisms for terminating field maintenance sessions and network connections]. 4.10 Media Protection MP-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: MP-01_ODP[01] personnel or roles to whom the media protection policy is to be disseminated is/are defined; MP-01_ODP[02] personnel or roles to whom the media protection procedures are to be disseminated is/are defined; MP-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; MP-01_ODP[04] an official to manage the media protection policy and procedures is defined; MP-01_ODP[05] the frequency with which the current media protection policy is reviewed and updated is defined; MP-01_ODP[06] events that would require the current media protection policy to be reviewed and updated are defined; MP-01_ODP[07] the frequency with which the current media protection procedures are reviewed and updated is defined; MP-01_ODP[08] events that would require media protection procedures to be reviewed and updated are defined; MP-01a.[01] a media protection policy is developed and documented; MP-01a.[02] the media protection policy is disseminated to ; MP-01a.[03] media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented; MP-01a.[04] the media protection procedures are disseminated to ; MP-01a.01(a)[01] the media protection policy addresses purpose; MP-01a.01(a)[02] the media 
protection policy addresses scope; MP-01a.01(a)[03] the media protection policy addresses roles; MP-01a.01(a)[04] the media protection policy addresses responsibilities; MP-01a.01(a)[05] the media protection policy addresses management commitment; MP-01a.01(a)[06] the media protection policy addresses coordination among organizational entities; MP-01a.01(a)[07] the media protection policy addresses compliance; MP-01a.01(b) the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; MP-01b. the is designated to manage the development, documentation, and dissemination of the media protection policy and procedures; MP-01c.01[01] the current media protection policy is reviewed and updated ; MP-01c.01[02] the current media protection policy is reviewed and updated following ; MP-01c.02[01] the current media protection procedures are reviewed and updated ; MP-01c.02[02] the current media protection procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-01-Examine [SELECT FROM: Media protection policy and procedures; organizational risk management strategy; system security plan; privacy plan; other relevant documents or records]. MP-01-Interview [SELECT FROM: Organizational personnel with media protection responsibilities; organizational personnel with information security and privacy responsibilities]. MP-02 MEDIA ACCESS ASSESSMENT OBJECTIVE: Determine if: MP-02_ODP[01] types of digital media to which access is restricted are defined; MP-02_ODP[02] personnel or roles authorized to access digital media is/are defined; MP-02_ODP[03] types of non-digital media to which access is restricted are defined; MP-02_ODP[04] personnel or roles authorized to access non-digital media is/are defined; MP-02[01] access to is restricted to ; MP-02[02] access to is restricted to . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-02-Examine [SELECT FROM: System media protection policy; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; media storage facilities; access control records; system security plan; other relevant documents or records]. MP-02-Interview [SELECT FROM: Organizational personnel with system media protection responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-02-Test [SELECT FROM: Organizational processes for restricting information media; automated mechanisms supporting and/or implementing media access restrictions]. MP-02(01) MEDIA ACCESS | AUTOMATED RESTRICTED ACCESS [WITHDRAWN: Incorporated into MP-04(02).] MP-02(02) MEDIA ACCESS | CRYPTOGRAPHIC PROTECTION [WITHDRAWN: Incorporated into SC-28(01).] MP-03 MEDIA MARKING ASSESSMENT OBJECTIVE: Determine if: MP-03_ODP[01] types of system media exempt from marking when remaining in controlled areas are defined; MP-03_ODP[02] controlled areas where media is exempt from marking are defined; MP-03a. system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information; MP-03b. remain within . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-03-Examine [SELECT FROM: System media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; list of system media marking security attributes; designated controlled areas; system security plan; other relevant documents or records]. MP-03-Interview [SELECT FROM: Organizational personnel with system media protection and marking responsibilities; organizational personnel with information security responsibilities]. MP-03-Test [SELECT FROM: Organizational processes for marking information media; automated mechanisms supporting and/or implementing media marking]. 
MP-04 MEDIA STORAGE ASSESSMENT OBJECTIVE: Determine if: MP-04_ODP[01] types of digital media to be physically controlled are defined; MP-04_ODP[02] types of non-digital media to be physically controlled are defined; MP-04_ODP[03] types of digital media to be securely stored are defined; MP-04_ODP[04] types of non-digital media to be securely stored are defined; MP-04_ODP[05] controlled areas within which to securely store digital media are defined; MP-04_ODP[06] controlled areas within which to securely store non-digital media are defined; MP-04[01] are physically controlled; MP-04[02] are physically controlled; MP-04[03] are securely stored within ; MP-04[04] are securely stored within . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-04-Examine [SELECT FROM: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system media; designated controlled areas; system security plan; other relevant documents or records]. MP-04-Interview [SELECT FROM: Organizational personnel with system media protection and storage responsibilities; organizational personnel with information security responsibilities]. MP-04-Test [SELECT FROM: Organizational processes for storing information media; automated mechanisms supporting and/or implementing secure media storage/media protection]. MP-04(01) MEDIA STORAGE | CRYPTOGRAPHIC PROTECTION [WITHDRAWN: Incorporated into SC-28(01).] MP-04(02) MEDIA STORAGE | AUTOMATED RESTRICTED ACCESS ASSESSMENT OBJECTIVE: Determine if: MP-04(02)_ODP[01] automated mechanisms to restrict access to media storage areas are defined; MP-04(02)_ODP[02] automated mechanisms to log access attempts and access granted to media storage areas are defined; MP-04(02)[01] access to media storage areas is restricted using ; MP-04(02)[02] access attempts to media storage areas are logged using ; MP-04(02)[03] access granted to media storage areas is logged using . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-04(02)-Examine [SELECT FROM: System media protection policy; procedures addressing media storage; access control policy and procedures; physical and environmental protection policy and procedures; system design documentation; system configuration settings and associated documentation; media storage facilities; access control devices; access control records; audit records; system security plan; other relevant documents or records]. MP-04(02)-Interview [SELECT FROM: Organizational personnel with system media protection and storage responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-04(02)-Test [SELECT FROM: Automated mechanisms restricting access to media storage areas; automated mechanisms auditing access attempts and access granted to media storage areas]. MP-05 MEDIA TRANSPORT ASSESSMENT OBJECTIVE: Determine if: MP-05_ODP[01] types of system media to protect and control during transport outside of controlled areas are defined; MP-05_ODP[02] controls used to protect system media outside of controlled areas are defined; MP-05_ODP[03] controls used to control system media outside of controlled areas are defined; MP-05a.[01] are protected during transport outside of controlled areas using ; MP-05a.[02] are controlled during transport outside of controlled areas using ; MP-05b. accountability for system media is maintained during transport outside of controlled areas; MP-05c. activities associated with the transport of system media are documented; MP-05d.[01] personnel authorized to conduct media transport activities is/are identified; MP-05d.[02] activities associated with the transport of system media are restricted to identified authorized personnel. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-05-Examine [SELECT FROM: System media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; access control policy and procedures; authorized personnel list; system media; designated controlled areas; system security plan; other relevant documents or records]. MP-05-Interview [SELECT FROM: Organizational personnel with system media protection and transport responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-05-Test [SELECT FROM: Organizational processes for transporting information media; automated mechanisms supporting and/or implementing media transport/media protection]. MP-05(01) MEDIA TRANSPORT | PROTECTION OUTSIDE OF CONTROLLED AREAS [WITHDRAWN: Incorporated into MP-05.] MP-05(02) MEDIA TRANSPORT | DOCUMENTATION OF ACTIVITIES [WITHDRAWN: Incorporated into MP-05.] MP-05(03) MEDIA TRANSPORT | CUSTODIANS ASSESSMENT OBJECTIVE: Determine if: MP-05(03)[01] a custodian to transport system media outside of controlled areas is identified; MP-05(03)[02] the identified custodian is employed during the transport of system media outside of controlled areas. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-05(03)-Examine [SELECT FROM: System media protection policy; procedures addressing media transport; physical and environmental protection policy and procedures; system media transport records; audit records; system security plan; other relevant documents or records]. MP-05(03)-Interview [SELECT FROM: Organizational personnel with system media transport responsibilities; organizational personnel with information security responsibilities]. MP-05(03)-Test [SELECT FROM: Organizational processes for identifying and employing a custodian to transport media outside of controlled areas]. MP-05(04) MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION [WITHDRAWN: Incorporated into SC-28(01).] 
MP-06 MEDIA SANITIZATION ASSESSMENT OBJECTIVE: Determine if: MP-06_ODP[01] system media to be sanitized prior to disposal is defined; MP-06_ODP[02] system media to be sanitized prior to release from organizational control is defined; MP-06_ODP[03] system media to be sanitized prior to release for reuse is defined; MP-06_ODP[04] sanitization techniques and procedures to be used for sanitization prior to disposal are defined; MP-06_ODP[05] sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined; MP-06_ODP[06] sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined; MP-06a.[01] is sanitized using prior to disposal; MP-06a.[02] is sanitized using prior to release from organizational control; MP-06a.[03] is sanitized using prior to release for reuse; MP-06b. sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-06-Examine [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; applicable federal standards and policies addressing media sanitization policy; media sanitization records; system audit records; system design documentation; records retention and disposition policy; records retention and disposition procedures; system configuration settings and associated documentation; system security plan; privacy plan; other relevant documents or records]. MP-06-Interview [SELECT FROM: Organizational personnel with media sanitization responsibilities; organizational personnel with records retention and disposition responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. 
MP-06-Test [SELECT FROM: Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization]. MP-06(01) MEDIA SANITIZATION | REVIEW, APPROVE, TRACK, DOCUMENT, AND VERIFY ASSESSMENT OBJECTIVE: Determine if: MP-06(01)[01] media sanitization and disposal actions are reviewed; MP-06(01)[02] media sanitization and disposal actions are approved; MP-06(01)[03] media sanitization and disposal actions are tracked; MP-06(01)[04] media sanitization and disposal actions are documented; MP-06(01)[05] media sanitization and disposal actions are verified. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-06(01)-Examine [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; records retention and disposition policy; records retention and disposition procedures; media sanitization and disposal records; review records for media sanitization and disposal actions; approvals for media sanitization and disposal actions; tracking records; verification records; system audit records; system security plan; privacy plan; other relevant documents or records]. MP-06(01)-Interview [SELECT FROM: Organizational personnel with system media sanitization and disposal responsibilities; organizational personnel with records retention and disposition responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. MP-06(01)-Test [SELECT FROM: Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization; automated mechanisms supporting and/or implementing verification of media sanitization]. 
MP-06(02) MEDIA SANITIZATION | EQUIPMENT TESTING ASSESSMENT OBJECTIVE: Determine if: MP-06(02)_ODP[01] frequency with which to test sanitization equipment is defined; MP-06(02)_ODP[02] frequency with which to test sanitization procedures is defined; MP-06(02)[01] sanitization equipment is tested to ensure that the intended sanitization is being achieved; MP-06(02)[02] sanitization procedures are tested to ensure that the intended sanitization is being achieved. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-06(02)-Examine [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; procedures addressing testing of media sanitization equipment; results of media sanitization equipment and procedures testing; system audit records; records retention and disposition policy; records retention and disposition procedures; system security plan; privacy plan; other relevant documents or records]. MP-06(02)-Interview [SELECT FROM: Organizational personnel with system media sanitization responsibilities; organizational personnel with records retention and disposition responsibilities; organizational personnel with information security and privacy responsibilities]. MP-06(02)-Test [SELECT FROM: Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization; automated mechanisms supporting and/or implementing media sanitization procedures; sanitization equipment]. MP-06(03) MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES ASSESSMENT OBJECTIVE: Determine if: MP-06(03)_ODP circumstances requiring sanitization of portable storage devices are defined; MP-06(03) non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-06(03)-Examine [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; information on portable storage devices for the system; list of circumstances requiring sanitization of portable storage devices; media sanitization records; audit records; system security plan; other relevant documents or records]. MP-06(03)-Interview [SELECT FROM: Organizational personnel with system media sanitization responsibilities; organizational personnel with information security responsibilities]. MP-06(03)-Test [SELECT FROM: Organizational processes for media sanitization of portable storage devices; automated mechanisms supporting and/or implementing media sanitization]. MP-06(04) MEDIA SANITIZATION | CONTROLLED UNCLASSIFIED INFORMATION [WITHDRAWN: Incorporated into MP-06.] MP-06(05) MEDIA SANITIZATION | CLASSIFIED INFORMATION [WITHDRAWN: Incorporated into MP-06.] MP-06(06) MEDIA SANITIZATION | MEDIA DESTRUCTION [WITHDRAWN: Incorporated into MP-06.] MP-06(07) MEDIA SANITIZATION | DUAL AUTHORIZATION ASSESSMENT OBJECTIVE: Determine if: MP-06(07)_ODP system media to be sanitized using dual authorization is defined; MP-06(07) dual authorization for sanitization of is enforced. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-06(07)-Examine [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; dual authorization policy and procedures; list of system media requiring dual authorization for sanitization; authorization records; media sanitization records; audit records; system security plan; other relevant documents or records]. MP-06(07)-Interview [SELECT FROM: Organizational personnel with system media sanitization responsibilities; organizational personnel with information security responsibilities; system/network administrators]. 
MP-06(07)-Test [SELECT FROM: Organizational processes requiring dual authorization for media sanitization; automated mechanisms supporting and/or implementing media sanitization; automated mechanisms supporting and/or implementing dual authorization]. MP-06(08) MEDIA SANITIZATION | REMOTE PURGING OR WIPING OF INFORMATION ASSESSMENT OBJECTIVE: Determine if: MP-06(08)_ODP[01] systems or system components to purge or wipe information either remotely or under specific conditions are defined; MP-06(08)_ODP[02] one of the following PARAMETER VALUES is selected: {remotely; under}; MP-06(08)_ODP[03] conditions under which information is to be purged or wiped are defined (if selected); MP-06(08) the capability to purge or wipe information from is provided. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-06(08)-Examine [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; system design documentation; system configuration settings and associated documentation; authorization records; media sanitization records; audit records; system security plan; other relevant documents or records]. MP-06(08)-Interview [SELECT FROM: Organizational personnel with system media sanitization responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-06(08)-Test [SELECT FROM: Organizational processes for purging/wiping media; automated mechanisms supporting and/or implementing purge/wipe capabilities]. 
MP-07 MEDIA USE ASSESSMENT OBJECTIVE: Determine if: MP-07_ODP[01] types of system media to be restricted or prohibited from use on systems or system components are defined; MP-07_ODP[02] one of the following PARAMETER VALUES is selected: {restrict; prohibit}; MP-07_ODP[03] systems or system components on which the use of specific types of system media is to be restricted or prohibited are defined; MP-07_ODP[04] controls to restrict or prohibit the use of specific types of system media on systems or system components are defined; MP-07a. the use of is on using ; MP-07b. the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-07-Examine [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; rules of behavior; system design documentation; system configuration settings and associated documentation; audit records; system security plan; other relevant documents or records]. MP-07-Interview [SELECT FROM: Organizational personnel with system media use responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-07-Test [SELECT FROM: Organizational processes for media use; automated mechanisms restricting or prohibiting use of system media on systems or system components]. MP-07(01) MEDIA USE | PROHIBIT USE WITHOUT OWNER [WITHDRAWN: Incorporated into MP-07.] MP-07(02) MEDIA USE | PROHIBIT USE OF SANITIZATION-RESISTANT MEDIA ASSESSMENT OBJECTIVE: Determine if: MP-07(02)[01] sanitization-resistant media is identified; MP-07(02)[02] the use of sanitization-resistant media in organizational systems is prohibited. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-07(02)-Examine [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; rules of behavior; system configuration settings and associated documentation; system security plan; other relevant documents or records]. MP-07(02)-Interview [SELECT FROM: Organizational personnel with system media use responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-07(02)-Test [SELECT FROM: Organizational processes for media use; automated mechanisms prohibiting use of media on systems or system components]. MP-08 MEDIA DOWNGRADING ASSESSMENT OBJECTIVE: Determine if: MP-08_ODP[01] a system media downgrading process is defined; MP-08_ODP[02] system media requiring downgrading is defined; MP-08a.[01] a is established; MP-08a.[02] the includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; MP-08b.[01] there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed; MP-08b.[02] there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information; MP-08c. is identified; MP-08d. the identified system media is downgraded using the . POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-08-Examine [SELECT FROM: System media protection policy; procedures addressing media downgrading; system categorization documentation; list of media requiring downgrading; records of media downgrading; audit records; system security plan; other relevant documents or records]. 
MP-08-Interview [SELECT FROM: Organizational personnel with system media downgrading responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-08-Test [SELECT FROM: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading]. MP-08(01) MEDIA DOWNGRADING | DOCUMENTATION OF PROCESS ASSESSMENT OBJECTIVE: Determine if: MP-08(01) system media downgrading actions are documented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-08(01)-Examine [SELECT FROM: System media protection policy; procedures addressing media downgrading; system categorization documentation; list of media requiring downgrading; records of media downgrading; audit records; system security plan; other relevant documents or records]. MP-08(01)-Interview [SELECT FROM: Organizational personnel with system media downgrading responsibilities; organizational personnel with information security responsibilities; system/network administrators]. MP-08(01)-Test [SELECT FROM: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading]. MP-08(02) MEDIA DOWNGRADING | EQUIPMENT TESTING ASSESSMENT OBJECTIVE: Determine if: MP-08(02)_ODP[01] the frequency with which to test downgrading equipment is defined; MP-08(02)_ODP[02] the frequency with which to test downgrading procedures is defined; MP-08(02)[01] downgrading equipment is tested to ensure that downgrading actions are being achieved; MP-08(02)[02] downgrading procedures are tested to ensure that downgrading actions are being achieved. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-08(02)-Examine [SELECT FROM: System media protection policy; procedures addressing media downgrading; procedures addressing testing of media downgrading equipment; results of downgrading equipment and procedures testing; records of media downgrading; audit records; system security plan; other relevant documents or records]. MP-08(02)-Interview [SELECT FROM: Organizational personnel with system media downgrading responsibilities; organizational personnel with information security responsibilities]. MP-08(02)-Test [SELECT FROM: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading]. MP-08(03) MEDIA DOWNGRADING | CONTROLLED UNCLASSIFIED INFORMATION ASSESSMENT OBJECTIVE: Determine if: MP-08(03)[01] system media containing controlled unclassified information is identified; MP-08(03)[02] system media containing controlled unclassified information is downgraded prior to public release. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-08(03)-Examine [SELECT FROM: System media protection policy; access authorization policy; procedures addressing downgrading of media containing CUI; applicable federal and organizational standards and policies regarding protection of CUI; media downgrading records; system security plan; other relevant documents or records]. MP-08(03)-Interview [SELECT FROM: Organizational personnel with system media downgrading responsibilities; organizational personnel with information security responsibilities]. MP-08(03)-Test [SELECT FROM: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading]. 
MP-08(04) MEDIA DOWNGRADING | CLASSIFIED INFORMATION ASSESSMENT OBJECTIVE: Determine if: MP-08(04)[01] system media containing classified information is identified; MP-08(04)[02] system media containing classified information is downgraded prior to release to individuals without required access authorizations. POTENTIAL ASSESSMENT METHODS AND OBJECTS: MP-08(04)-Examine [SELECT FROM: System media protection policy; access authorization policy; procedures addressing downgrading of media containing classified information; procedures addressing handling of classified information; NSA standards and policies regarding protection of classified information; media downgrading records; system security plan; other relevant documents or records]. MP-08(04)-Interview [SELECT FROM: Organizational personnel with system media downgrading responsibilities; organizational personnel with information security responsibilities]. MP-08(04)-Test [SELECT FROM: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading]. 
4.11 Physical and Environmental Protection PE-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: PE-01_ODP[01] personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined; PE-01_ODP[02] personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined; PE-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; PE-01_ODP[04] an official to manage the physical and environmental protection policy and procedures is defined; PE-01_ODP[05] the frequency at which the current physical and environmental protection policy is reviewed and updated is defined; PE-01_ODP[06] events that would require the current physical and environmental protection policy to be reviewed and updated are defined; PE-01_ODP[07] the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined; PE-01_ODP[08] events that would require the physical and environmental protection procedures to be reviewed and updated are defined; PE-01a.[01] a physical and environmental protection policy is developed and documented; PE-01a.[02] the physical and environmental protection policy is disseminated to ; PE-01a.[03] physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented; PE-01a.[04] the physical and environmental protection procedures are disseminated to ; PE-01a.01(a)[01] the physical and environmental protection policy addresses purpose; PE-01a.01(a)[02] the physical and environmental protection policy addresses scope; PE-01a.01(a)[03] the physical and environmental protection policy addresses roles; PE-01a.01(a)[04] the physical and environmental protection policy addresses responsibilities; 
PE-01a.01(a)[05] the physical and environmental protection policy addresses management commitment; PE-01a.01(a)[06] the physical and environmental protection policy addresses coordination among organizational entities; PE-01a.01(a)[07] the physical and environmental protection policy addresses compliance; PE-01a.01(b) the physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; PE-01b. the is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; PE-01c.01[01] the current physical and environmental protection policy is reviewed and updated ; PE-01c.01[02] the current physical and environmental protection policy is reviewed and updated following ; PE-01c.02[01] the current physical and environmental protection procedures are reviewed and updated ; PE-01c.02[02] the current physical and environmental protection procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-01-Examine [SELECT FROM: Physical and environmental protection policy and procedures; system security plan; privacy plan; organizational risk management strategy; other relevant documents or records]. PE-01-Interview [SELECT FROM: Organizational personnel with physical and environmental protection responsibilities; organizational personnel with information security and privacy responsibilities]. 
PE-02 PHYSICAL ACCESS AUTHORIZATIONS ASSESSMENT OBJECTIVE: Determine if: PE-02_ODP frequency at which to review the access list detailing authorized facility access by individuals is defined; PE-02a.[01] a list of individuals with authorized access to the facility where the system resides has been developed; PE-02a.[02] the list of individuals with authorized access to the facility where the system resides has been approved; PE-02a.[03] the list of individuals with authorized access to the facility where the system resides has been maintained; PE-02b. authorization credentials are issued for facility access; PE-02c. the access list detailing authorized facility access by individuals is reviewed ; PE-02d. individuals are removed from the facility access list when access is no longer required. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-02-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; system security plan; other relevant documents or records]. PE-02-Interview [SELECT FROM: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to system facility; organizational personnel with information security responsibilities]. PE-02-Test [SELECT FROM: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations]. PE-02(01) PHYSICAL ACCESS AUTHORIZATIONS | ACCESS BY POSITION OR ROLE ASSESSMENT OBJECTIVE: Determine if: PE-02(01) physical access to the facility where the system resides is authorized based on position or role. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-02(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; physical access control logs or records; list of positions/roles and corresponding physical access authorizations; system entry and exit points; system security plan; other relevant documents or records]. PE-02(01)-Interview [SELECT FROM: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to system facility; organizational personnel with information security responsibilities]. PE-02(01)-Test [SELECT FROM: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations]. PE-02(02) PHYSICAL ACCESS AUTHORIZATIONS | TWO FORMS OF IDENTIFICATION ASSESSMENT OBJECTIVE: Determine if: PE-02(02)_ODP a list of acceptable forms of identification for visitor access to the facility where the system resides is defined; PE-02(02) two forms of identification are required from for visitor access to the facility where the system resides. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-02(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; list of acceptable forms of identification for visitor access to the facility where the system resides; access authorization forms; access credentials; physical access control logs or records; system security plan; other relevant documents or records]. PE-02(02)-Interview [SELECT FROM: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to the system facility; organizational personnel with information security responsibilities]. 
PE-02(02)-Test [SELECT FROM: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations]. PE-02(03) PHYSICAL ACCESS AUTHORIZATIONS | RESTRICT UNESCORTED ACCESS ASSESSMENT OBJECTIVE: Determine if: PE-02(03)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; }; PE-02(03)_ODP[02] physical access authorizations for unescorted access to the facility where the system resides are defined (if selected); PE-02(03) unescorted access to the facility where the system resides is restricted to personnel with . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-02(03)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; authorized personnel access list; security clearances; access authorizations; access credentials; physical access control logs or records; system security plan; other relevant documents or records]. PE-02(03)-Interview [SELECT FROM: Organizational personnel with physical access authorization responsibilities; organizational personnel with physical access to the system facility; organizational personnel with information security responsibilities]. PE-02(03)-Test [SELECT FROM: Organizational processes for physical access authorizations; automated mechanisms supporting and/or implementing physical access authorizations]. 
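The PE-02 objectives above (a facility access list that is developed, approved and maintained, reviewed at the organization-defined frequency, and pruned when access is no longer required) are the kind of check an assessor can exercise against the "automated mechanisms supporting and/or implementing physical access authorizations" listed under PE-02-Test. The following is an added example, not part of the NIST assessment procedure text and not any product's code: it reconciles a constructed access list against a constructed personnel roster and produces the findings a PE-02 review would have to act on. The 90-day review interval is an assumed PE-02_ODP value, not one prescribed by the control; all names, identifiers and dates are constructed.

```python
"""Added example, not NIST text: reconciling a facility access list against
personnel records, modelled on PE-02a-d (the list is developed, approved and
maintained; reviewed at the organization-defined frequency; individuals are
removed when access is no longer required). All records below are constructed
and the 90-day review interval is an assumed PE-02_ODP value."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AccessEntry:
    person_id: str
    name: str
    approved_by: Optional[str]      # None: no documented approval (PE-02a.[02])
    approved_on: Optional[date]
    last_reviewed: Optional[date]   # None: never reviewed since approval


@dataclass(frozen=True)
class RosterRecord:
    person_id: str
    status: str        # "active", "terminated" or "transferred"
    effective: date    # date the status took effect


REVIEW_INTERVAL_DAYS = 90   # assumed PE-02_ODP value, not prescribed by the control
SAMPLE_TODAY = date(2024, 7, 1)

# Constructed sample data (not real people or badges).
SAMPLE_ENTRIES = [
    AccessEntry("p001", "A. Example", "FSO", date(2024, 1, 10), date(2024, 6, 1)),
    AccessEntry("p002", "B. Example", "FSO", date(2024, 1, 12), date(2024, 1, 15)),
    AccessEntry("p003", "C. Example", "FSO", date(2024, 2, 3), date(2024, 6, 20)),
    AccessEntry("p004", "D. Example", None, None, None),
    AccessEntry("p005", "E. Example", "FSO", date(2024, 3, 8), date(2024, 6, 25)),
    AccessEntry("p006", "F. Example", "FSO", date(2024, 3, 9), date(2024, 6, 25)),
]
SAMPLE_ROSTER = [
    RosterRecord("p001", "active", date(2023, 5, 1)),
    RosterRecord("p002", "active", date(2023, 5, 1)),
    RosterRecord("p003", "terminated", date(2024, 6, 28)),
    RosterRecord("p004", "active", date(2024, 1, 2)),
    # p005 is absent: no longer on the personnel roster at all
    RosterRecord("p006", "transferred", date(2024, 7, 15)),  # future-dated
]


def review_access_list(entries, roster, today, interval_days=REVIEW_INTERVAL_DAYS):
    """Return (person_id, action, reason) findings from one review pass.

    action is one of: "remove" (PE-02d), "approve" (PE-02a.[02]) or
    "review" (PE-02c review overdue or never performed)."""
    roster_by_id = {r.person_id: r for r in roster}
    findings = []
    for e in entries:
        rec = roster_by_id.get(e.person_id)
        if rec is None:
            findings.append((e.person_id, "remove", "not on current personnel roster"))
        elif rec.status in ("terminated", "transferred") and rec.effective <= today:
            findings.append((e.person_id, "remove", f"{rec.status} effective {rec.effective}"))
        if e.approved_by is None or e.approved_on is None:
            findings.append((e.person_id, "approve", "entry lacks documented approval"))
        last = e.last_reviewed or e.approved_on
        if last is None or (today - last).days > interval_days:
            findings.append((e.person_id, "review", "review overdue or never performed"))
    return findings


def maintained_list(entries, findings):
    """Apply the 'remove' findings and return the list to be kept (PE-02a.[03])."""
    to_remove = {pid for pid, action, _ in findings if action == "remove"}
    return [e for e in entries if e.person_id not in to_remove]


if __name__ == "__main__":
    for pid, action, reason in review_access_list(SAMPLE_ENTRIES, SAMPLE_ROSTER, SAMPLE_TODAY):
        print(f"{pid}: {action} ({reason})")
```

Note the future-dated transfer (p006) is deliberately not removed yet: PE-02d asks for removal when access is no longer required, so the check compares the effective date against the review date rather than the mere presence of a transfer record. The output of a run is evidence for the "physical access list reviews" and "physical access termination records" items under PE-02-Examine.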
PE-03 PHYSICAL ACCESS CONTROL ASSESSMENT OBJECTIVE: Determine if: PE-03_ODP[01] entry and exit points to the facility in which the system resides are defined; PE-03_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {; guards}; PE-03_ODP[03] physical access control systems or devices used to control ingress and egress to the facility are defined (if selected); PE-03_ODP[04] entry or exit points for which physical access logs are maintained are defined; PE-03_ODP[05] physical access controls to control access to areas within the facility designated as publicly accessible are defined; PE-03_ODP[06] circumstances requiring visitor escorts and control of visitor activity are defined; PE-03_ODP[07] physical access devices to be inventoried are defined; PE-03_ODP[08] frequency at which to inventory physical access devices is defined; PE-03_ODP[09] frequency at which to change combinations is defined; PE-03_ODP[10] frequency at which to change keys is defined; PE-03a.01 physical access authorizations are enforced at by verifying individual access authorizations before granting access to the facility; PE-03a.02 physical access authorizations are enforced at by controlling ingress and egress to the facility using ; PE-03b. physical access audit logs are maintained for ; PE-03c. access to areas within the facility designated as publicly accessible is controlled by implementing ; PE-03d.[01] visitors are escorted; PE-03d.[02] visitor activity is controlled ; PE-03e.[01] keys are secured; PE-03e.[02] combinations are secured; PE-03e.[03] other physical access devices are secured; PE-03f. are inventoried ; PE-03g.[01] combinations are changed , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated; PE-03g.[02] keys are changed , when keys are lost, or when individuals possessing the keys are transferred or terminated. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; system security plan; other relevant documents or records]. PE-03-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. PE-03-Test [SELECT FROM: Organizational processes for physical access control; automated mechanisms supporting and/or implementing physical access control; physical access control devices]. PE-03(01) PHYSICAL ACCESS CONTROL | SYSTEM ACCESS ASSESSMENT OBJECTIVE: Determine if: PE-03(01)_ODP physical spaces containing one or more components of the system are defined; PE-03(01)[01] physical access authorizations to the system are enforced; PE-03(01)[02] physical access controls are enforced for the facility at . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; physical access control devices; access authorizations; access credentials; system entry and exit points; list of areas within the facility containing concentrations of system components or system components requiring additional physical protection; system security plan; other relevant documents or records]. PE-03(01)-Interview [SELECT FROM: Organizational personnel with physical access authorization responsibilities; organizational personnel with information security responsibilities]. 
PE-03(01)-Test [SELECT FROM: Organizational processes for physical access control to the information system/components; automated mechanisms supporting and/or implementing physical access control for facility areas containing system components]. PE-03(02) PHYSICAL ACCESS CONTROL | FACILITY AND SYSTEMS ASSESSMENT OBJECTIVE: Determine if: PE-03(02)_ODP the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined; PE-03(02) security checks are performed at the physical perimeter of the facility or system for exfiltration of information or removal of system components. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; records of security checks; security audit reports; security inspection reports; facility layout documentation; system entry and exit points; system security plan; other relevant documents or records]. PE-03(02)-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. PE-03(02)-Test [SELECT FROM: Organizational processes for physical access control to the facility and/or system; automated mechanisms supporting and/or implementing physical access control for the facility or system; automated mechanisms supporting and/or implementing security checks for unauthorized exfiltration of information]. PE-03(03) PHYSICAL ACCESS CONTROL | CONTINUOUS GUARDS ASSESSMENT OBJECTIVE: Determine if: PE-03(03)_ODP physical access points to the facility where the system resides are defined; PE-03(03) guards are employed to control to the facility where the system resides 24 hours per day, 7 days per week. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03(03)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; physical access control logs or records; physical access control devices; facility surveillance records; facility layout documentation; system entry and exit points; system security plan; other relevant documents or records]. PE-03(03)-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. PE-03(03)-Test [SELECT FROM: Organizational processes for physical access control to the facility where the system resides; automated mechanisms supporting and/or implementing physical access control for the facility where the system resides]. PE-03(04) PHYSICAL ACCESS CONTROL | LOCKABLE CASINGS ASSESSMENT OBJECTIVE: Determine if: PE-03(04)_ODP system components to be protected from unauthorized physical access are defined; PE-03(04) lockable physical casings are used to protect from unauthorized access. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03(04)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; list of system components requiring protection through lockable physical casings; lockable physical casings; system security plan; other relevant documents or records]. PE-03(04)-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. PE-03(04)-Test [SELECT FROM: Lockable physical casings]. 
PE-03(05) PHYSICAL ACCESS CONTROL | TAMPER PROTECTION ASSESSMENT OBJECTIVE: Determine if: PE-03(05)_ODP[01] anti-tamper technologies to be employed are defined; PE-03(05)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {detect; prevent}; PE-03(05)_ODP[03] hardware components to be protected from physical tampering or alteration are defined; PE-03(05) are employed to physical tampering or alteration of within the system. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03(05)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; list of security safeguards to detect/prevent physical tampering or alteration of system hardware components; system security plan; other relevant documents or records]. PE-03(05)-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. PE-03(05)-Test [SELECT FROM: Organizational processes to detect/prevent physical tampering or alteration of system hardware components; automated mechanisms/security safeguards supporting and/or implementing detection/prevention of physical tampering/alteration of system hardware components]. PE-03(06) PHYSICAL ACCESS CONTROL | FACILITY PENETRATION TESTING [WITHDRAWN: Incorporated into CA-08.] PE-03(07) PHYSICAL ACCESS CONTROL | PHYSICAL BARRIERS ASSESSMENT OBJECTIVE: Determine if: PE-03(07) physical barriers are used to limit access. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03(07)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; list of physical barriers to limit access to the system; system security plan; other relevant documents or records]. PE-03(07)-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. 
PE-03(08) PHYSICAL ACCESS CONTROL | ACCESS CONTROL VESTIBULES ASSESSMENT OBJECTIVE: Determine if: PE-03(08)_ODP locations within the facility where access control vestibules are to be employed are defined; PE-03(08) access control vestibules are employed at . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-03(08)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; list of access control vestibules and locations; system security plan; other relevant documents or records]. PE-03(08)-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. PE-03(08)-Test [SELECT FROM: Organizational processes for vestibules to prevent unauthorized access]. PE-04 ACCESS CONTROL FOR TRANSMISSION ASSESSMENT OBJECTIVE: Determine if: PE-04_ODP[01] system distribution and transmission lines requiring physical access controls are defined; PE-04_ODP[02] security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined; PE-04 physical access to within organizational facilities is controlled using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-04-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for transmission mediums; system design documentation; facility communications and wiring diagrams; list of physical security safeguards applied to system distribution and transmission lines; system security plan; other relevant documents or records]. PE-04-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. 
PE-04-Test [SELECT FROM: Organizational processes for access control to distribution and transmission lines; automated mechanisms/security safeguards supporting and/or implementing access control to distribution and transmission lines]. PE-05 ACCESS CONTROL FOR OUTPUT DEVICES ASSESSMENT OBJECTIVE: Determine if: PE-05_ODP output devices that require physical access control to output are defined; PE-05 physical access to output from is controlled to prevent unauthorized individuals from obtaining the output. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-05-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing access control for display medium; facility layout of system components; actual displays from system components; list of output devices and associated outputs requiring physical access controls; physical access control logs or records for areas containing output devices and related outputs; system security plan; other relevant documents or records]. PE-05-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities]. PE-05-Test [SELECT FROM: Organizational processes for access control to output devices; automated mechanisms supporting and/or implementing access control to output devices]. PE-05(01) ACCESS CONTROL FOR OUTPUT DEVICES | ACCESS TO OUTPUT BY AUTHORIZED INDIVIDUALS [WITHDRAWN: Incorporated into PE-05.] PE-05(02) ACCESS CONTROL FOR OUTPUT DEVICES | LINK TO INDIVIDUAL IDENTITY ASSESSMENT OBJECTIVE: Determine if: PE-05(02) individual identity is linked to the receipt of output from output devices. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-05(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; system design documentation; system configuration settings and associated documentation; list of output devices and associated outputs requiring physical access controls; physical access control logs or records for areas containing output devices and related outputs; system audit records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. PE-05(02)-Interview [SELECT FROM: Organizational personnel with physical access control responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. PE-05(02)-Test [SELECT FROM: Organizational processes for access control to output devices; automated mechanisms supporting and/or implementing access control to output devices]. PE-05(03) ACCESS CONTROL FOR OUTPUT DEVICES | MARKING OUTPUT DEVICES [WITHDRAWN: Incorporated into PE-22.] PE-06 MONITORING PHYSICAL ACCESS ASSESSMENT OBJECTIVE: Determine if: PE-06_ODP[01] the frequency at which to review physical access logs is defined; PE-06_ODP[02] events or potential indication of events requiring physical access logs to be reviewed are defined; PE-06a. physical access to the facility where the system resides is monitored to detect and respond to physical security incidents; PE-06b.[01] physical access logs are reviewed ; PE-06b.[02] physical access logs are reviewed upon occurrence of ; PE-06c.[01] results of reviews are coordinated with organizational incident response capabilities; PE-06c.[02] results of investigations are coordinated with organizational incident response capabilities. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-06-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical access logs or records; physical access monitoring records; physical access log reviews; system security plan; other relevant documents or records]. PE-06-Interview [SELECT FROM: Organizational personnel with physical access monitoring responsibilities; organizational personnel with incident response responsibilities; organizational personnel with information security responsibilities]. PE-06-Test [SELECT FROM: Organizational processes for monitoring physical access; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing the review of physical access logs]. PE-06(01) MONITORING PHYSICAL ACCESS | INTRUSION ALARMS AND SURVEILLANCE EQUIPMENT ASSESSMENT OBJECTIVE: Determine if: PE-06(01)[01] physical access to the facility where the system resides is monitored using physical intrusion alarms; PE-06(01)[02] physical access to the facility where the system resides is monitored using physical surveillance equipment. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-06(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical access logs or records; physical access monitoring records; physical access log reviews; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. PE-06(01)-Interview [SELECT FROM: Organizational personnel with physical access monitoring responsibilities; organizational personnel with incident response responsibilities; organizational personnel with information security and privacy responsibilities]. 
PE-06(01)-Test [SELECT FROM: Organizational processes for monitoring physical intrusion alarms and surveillance equipment; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment]. PE-06(02) MONITORING PHYSICAL ACCESS | AUTOMATED INTRUSION RECOGNITION AND RESPONSES ASSESSMENT OBJECTIVE: Determine if: PE-06(02)_ODP[01] classes or types of intrusions to be recognized by automated mechanisms are defined; PE-06(02)_ODP[02] response actions to be initiated by automated mechanisms when organization-defined classes or types of intrusions are recognized are defined; PE-06(02)_ODP[03] automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in PE-06(02)_ODP) are defined; PE-06(02)[01] are recognized; PE-06(02)[02] are initiated using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-06(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; system design documentation; system configuration settings and associated documentation; system audit records; list of response actions to be initiated when specific classes/types of intrusions are recognized; system security plan; privacy plan; other relevant documents or records]. PE-06(02)-Interview [SELECT FROM: Organizational personnel with physical access monitoring responsibilities; organizational personnel with information security and privacy responsibilities]. PE-06(02)-Test [SELECT FROM: Organizational processes for monitoring physical access; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing recognition of classes/types of intrusions and initiation of a response]. 
PE-06(03) MONITORING PHYSICAL ACCESS | VIDEO SURVEILLANCE ASSESSMENT OBJECTIVE: Determine if: PE-06(03)_ODP[01] operational areas where video surveillance is to be employed are defined; PE-06(03)_ODP[02] frequency at which to review video recordings is defined; PE-06(03)_ODP[03] time period for which to retain video recordings is defined; PE-06(03)(a) video surveillance of is employed; PE-06(03)(b) video recordings are reviewed ; PE-06(03)(c) video recordings are retained for . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-06(03)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; video surveillance equipment used to monitor operational areas; video recordings of operational areas where video surveillance is employed; video surveillance equipment logs or records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. PE-06(03)-Interview [SELECT FROM: Organizational personnel with physical access monitoring responsibilities; organizational personnel with information security and privacy responsibilities]. PE-06(03)-Test [SELECT FROM: Organizational processes for monitoring physical access; automated mechanisms supporting and/or implementing physical access monitoring; automated mechanisms supporting and/or implementing video surveillance]. PE-06(04) MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO SYSTEMS ASSESSMENT OBJECTIVE: Determine if: PE-06(04)_ODP physical spaces containing one or more components of the system are defined; PE-06(04) physical access to the system is monitored in addition to the physical access monitoring of the facility at . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-06(04)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; physical access control logs or records; physical access control devices; access authorizations; access credentials; list of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. PE-06(04)-Interview [SELECT FROM: Organizational personnel with physical access monitoring responsibilities; organizational personnel with information security and privacy responsibilities]. PE-06(04)-Test [SELECT FROM: Organizational processes for monitoring physical access to the system; automated mechanisms supporting and/or implementing physical access monitoring for facility areas containing system components]. PE-07 VISITOR CONTROL [WITHDRAWN: Incorporated into PE-02, PE-03.] PE-08 VISITOR ACCESS RECORDS ASSESSMENT OBJECTIVE: Determine if: PE-08_ODP[01] time period for which to maintain visitor access records for the facility where the system resides is defined; PE-08_ODP[02] the frequency at which to review visitor access records is defined; PE-08_ODP[03] personnel to whom visitor access record anomalies are reported is/are defined; PE-08a. visitor access records for the facility where the system resides are maintained for ; PE-08b. visitor access records are reviewed ; PE-08c. visitor access record anomalies are reported to . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-08-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access records; visitor access control logs or records; visitor access record or log reviews; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. PE-08-Interview [SELECT FROM: Organizational personnel with visitor access record responsibilities; organizational personnel with information security and privacy responsibilities]. PE-08-Test [SELECT FROM: Organizational processes for maintaining and reviewing visitor access records; automated mechanisms supporting and/or implementing maintenance and review of visitor access records]. PE-08(01) VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE AND REVIEW ASSESSMENT OBJECTIVE: Determine if: PE-08(01)_ODP[01] automated mechanisms used to maintain visitor access records are defined; PE-08(01)_ODP[02] automated mechanisms used to review visitor access records are defined; PE-08(01)[01] visitor access records are maintained using ; PE-08(01)[02] visitor access records are reviewed using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-08(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing visitor access records; automated mechanisms supporting management of visitor access records; visitor access control logs or records; system security plan; privacy plan; other relevant documents or records]. PE-08(01)-Interview [SELECT FROM: Organizational personnel with visitor access record responsibilities; organizational personnel with information security and privacy responsibilities]. PE-08(01)-Test [SELECT FROM: Organizational processes for maintaining and reviewing visitor access records; automated mechanisms supporting and/or implementing maintenance and review of visitor access records]. 
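PE-06b, PE-08b/c and PE-08(01) all turn on the same activity: physical and visitor access records are reviewed, anomalies are identified, and they are reported to the designated personnel and coordinated with incident response (PE-06c). PE-08(03), which follows, adds that visitor records carry only the PII elements the privacy risk assessment permits. The block below is an added example, not part of the NIST assessment procedure text and not any access control product's code: it runs a review over a constructed badge-reader export and applies an element limit to a constructed visitor record. The authorized-badge list, the restricted door, the business-hours window, the denied-attempt threshold and the permitted elements are all assumed values standing in for the organization-defined parameters; a real review would take them from the access list (PE-02), the PE-03(01) spaces, the PE-06(02) intrusion classes and the PE-08(03)_ODP respectively.

```python
"""Added example, not NIST text: an automated review of badge-reader and
visitor access records of the kind PE-06b, PE-08b/c and PE-08(01) assess, with
the PII element limit that PE-08(03) calls for. The log lines, authorized-badge
list, restricted doors, business-hours window, denied-attempt threshold and
permitted record elements are all constructed or assumed for illustration."""
import csv
import io
from collections import Counter
from datetime import datetime, time
from typing import NamedTuple

# Constructed sample badge-reader log; real access control systems export differently.
SAMPLE_LOG = """\
timestamp,badge_id,door,result,visitor,escort_badge
2024-07-01T08:55:12,B1001,main-entry,granted,0,
2024-07-01T09:02:40,B1001,server-room,granted,0,
2024-07-01T09:10:03,V2001,main-entry,granted,1,B1001
2024-07-01T12:30:00,V2002,main-entry,granted,1,
2024-07-01T22:47:19,B1003,server-room,granted,0,
2024-07-01T23:05:41,B9999,server-room,denied,0,
2024-07-01T23:05:55,B9999,server-room,denied,0,
2024-07-01T23:06:08,B9999,server-room,denied,0,
"""

AUTHORIZED_BADGES = {"B1001", "B1002", "B1003"}   # assumed PE-02 access list
RESTRICTED_DOORS = {"server-room"}                # assumed PE-03(01) spaces
BUSINESS_HOURS = (time(7, 0), time(19, 0))        # assumed local policy
DENIED_BURST_THRESHOLD = 3                        # assumed PE-06(02) intrusion class
# Assumed PE-08(03)_ODP: elements the privacy risk assessment permits in visitor records.
PERMITTED_VISITOR_ELEMENTS = frozenset(
    {"visitor_name", "organization", "host_badge", "time_in", "time_out"})


class Finding(NamedTuple):
    timestamp: str
    badge_id: str
    category: str
    detail: str


def _outside_business_hours(ts: str) -> bool:
    t = datetime.fromisoformat(ts).time()
    start, end = BUSINESS_HOURS
    return t < start or t >= end


def review_access_log(log_text: str) -> list:
    """Review one export of access records and return the anomalies to report
    to the PE-08_ODP[03] personnel and incident response (PE-06c, PE-08c)."""
    findings = []
    denied = Counter()
    first_denied = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, badge, door = row["timestamp"], row["badge_id"], row["door"]
        is_visitor = row["visitor"] == "1"
        if row["result"] == "denied":
            denied[badge] += 1
            first_denied.setdefault(badge, ts)
            continue
        # Granted entry by a badge that is not on the authorized list (PE-02, PE-03a).
        if not is_visitor and badge not in AUTHORIZED_BADGES:
            findings.append(Finding(ts, badge, "unauthorized-badge-granted",
                                    f"{badge} granted at {door} but not on access list"))
        # Visitor admitted with no escort recorded (PE-03d).
        if is_visitor and not row["escort_badge"]:
            findings.append(Finding(ts, badge, "visitor-unescorted",
                                    f"visitor {badge} entered {door} with no escort"))
        # Entry to a restricted space outside business hours.
        if door in RESTRICTED_DOORS and _outside_business_hours(ts):
            findings.append(Finding(ts, badge, "after-hours-restricted-access",
                                    f"{badge} entered {door} outside business hours"))
    # Burst of denied attempts: treated as an intrusion class to be recognized
    # automatically and reported (PE-06(02)).
    for badge, n in denied.items():
        if n >= DENIED_BURST_THRESHOLD:
            findings.append(Finding(first_denied[badge], badge, "repeated-denied",
                                    f"{n} denied attempts by {badge}"))
    return findings


# Constructed visitor record as captured at the desk, before element limiting.
SAMPLE_VISITOR_RECORD = {
    "visitor_name": "V. Example", "organization": "Example Co", "host_badge": "B1001",
    "time_in": "2024-07-01T09:10:03", "time_out": "2024-07-01T11:40:00",
    "phone": "555-0100", "date_of_birth": "1980-01-01",
}


def limit_visitor_record(record: dict) -> dict:
    """Keep only the PII elements permitted by the privacy risk assessment (PE-08(03))."""
    return {k: v for k, v in record.items() if k in PERMITTED_VISITOR_ELEMENTS}


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.category}: {f.detail}")
    print(limit_visitor_record(SAMPLE_VISITOR_RECORD))
```

On the sample export the review produces three findings: an authorized badge entering the restricted space after hours, a visitor admitted with no escort recorded, and a burst of denied attempts at the restricted door. The first two are the "anomalies" PE-08c expects to be reported; the third is the kind of recognized intrusion class for which PE-06(02) expects an automated response. The element-limiting step is applied at capture time, so the retained visitor record never holds the phone number or date of birth that the assumed privacy risk assessment did not permit.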
PE-08(02) VISITOR ACCESS RECORDS | PHYSICAL ACCESS RECORDS
[WITHDRAWN: Incorporated into PE-02.]

PE-08(03) VISITOR ACCESS RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS
ASSESSMENT OBJECTIVE: Determine if:
PE-08(03)_ODP elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;
PE-08(03) personally identifiable information contained in visitor access records is limited to identified in the privacy risk assessment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-08(03)-Examine [SELECT FROM: Physical and environmental protection policy; personally identifiable information processing policy; privacy risk assessment documentation; privacy impact assessment; visitor access records; personally identifiable information inventory; system security plan; privacy plan; other relevant documents or records].
PE-08(03)-Interview [SELECT FROM: Organizational personnel with visitor access records responsibilities; organizational personnel with information security and privacy responsibilities].
PE-08(03)-Test [SELECT FROM: Organizational processes for maintaining and reviewing visitor access records].

PE-09 POWER EQUIPMENT AND CABLING
ASSESSMENT OBJECTIVE: Determine if:
PE-09[01] power equipment for the system is protected from damage and destruction;
PE-09[02] power cabling for the system is protected from damage and destruction.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-09-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment/cabling protection; facilities housing power equipment/cabling; system security plan; other relevant documents or records].
PE-09-Interview [SELECT FROM: Organizational personnel with the responsibility to protect power equipment/cabling; organizational personnel with information security responsibilities].
PE-09-Test [SELECT FROM: Automated mechanisms supporting and/or implementing protection of power equipment/cabling].

PE-09(01) POWER EQUIPMENT AND CABLING | REDUNDANT CABLING
ASSESSMENT OBJECTIVE: Determine if:
PE-09(01)_ODP distance by which redundant power cabling paths are to be physically separated is defined;
PE-09(01) redundant power cabling paths that are physically separated by are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-09(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing power equipment/cabling protection; facilities housing power equipment/cabling; system security plan; other relevant documents or records].
PE-09(01)-Interview [SELECT FROM: Organizational personnel with the responsibility to protect power equipment/cabling; organizational personnel with information security responsibilities].
PE-09(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing protection of power equipment/cabling].

PE-09(02) POWER EQUIPMENT AND CABLING | AUTOMATIC VOLTAGE CONTROLS
ASSESSMENT OBJECTIVE: Determine if:
PE-09(02)_ODP the critical system components that require automatic voltage controls are defined;
PE-09(02) automatic voltage controls for are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-09(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing voltage control; security plan; list of critical system components requiring automatic voltage controls; automatic voltage control mechanisms and associated configurations; system security plan; other relevant documents or records].
PE-09(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for environmental protection of system components; organizational personnel with information security responsibilities].
PE-09(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing automatic voltage controls].
PE-10 EMERGENCY SHUTOFF
ASSESSMENT OBJECTIVE: Determine if:
PE-10_ODP[01] system or individual system components that require the capability to shut off power in emergency situations is/are defined;
PE-10_ODP[02] location of emergency shutoff switches or devices by system or system component are defined;
PE-10(a) the capability to shut off power to in emergency situations is provided;
PE-10(b) emergency shutoff switches or devices are placed in to facilitate access for authorized personnel;
PE-10(c) the emergency power shutoff capability is protected from unauthorized activation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-10-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing power source emergency shutoff; emergency shutoff controls or switches; locations housing emergency shutoff switches and devices; security safeguards protecting the emergency power shutoff capability from unauthorized activation; system security plan; other relevant documents or records].
PE-10-Interview [SELECT FROM: Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability); organizational personnel with information security responsibilities].
PE-10-Test [SELECT FROM: Automated mechanisms supporting and/or implementing emergency power shutoff].

PE-10(01) EMERGENCY SHUTOFF | ACCIDENTAL AND UNAUTHORIZED ACTIVATION
[WITHDRAWN: Incorporated into PE-10.]

PE-11 EMERGENCY POWER
ASSESSMENT OBJECTIVE: Determine if:
PE-11_ODP one of the following PARAMETER VALUES is selected: {an orderly shutdown of the system; transition of the system to long-term alternate power};
PE-11 an uninterruptible power supply is provided to facilitate in the event of a primary power source loss.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-11-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; uninterruptible power supply; uninterruptible power supply documentation; uninterruptible power supply test records; system security plan; other relevant documents or records].
PE-11-Interview [SELECT FROM: Organizational personnel with the responsibility for emergency power and/or planning; organizational personnel with information security responsibilities].
PE-11-Test [SELECT FROM: Automated mechanisms supporting and/or implementing uninterruptible power supply; the uninterruptible power supply].

PE-11(01) EMERGENCY POWER | ALTERNATE POWER SUPPLY — MINIMAL OPERATIONAL CAPABILITY
ASSESSMENT OBJECTIVE: Determine if:
PE-11(01)_ODP one of the following PARAMETER VALUES is selected: {manually; automatically};
PE-11(01)[01] an alternate power supply provided for the system is activated ;
PE-11(01)[02] the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-11(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply; alternate power supply documentation; alternate power supply test records; system security plan; other relevant documents or records].
PE-11(01)-Interview [SELECT FROM: Organizational personnel with the responsibility for emergency power and/or planning; organizational personnel with information security responsibilities].
PE-11(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing alternate power supply; the alternate power supply].
PE-11(02) EMERGENCY POWER | ALTERNATE POWER SUPPLY — SELF-CONTAINED
ASSESSMENT OBJECTIVE: Determine if:
PE-11(02)_ODP[01] one of the following PARAMETER VALUES is selected: {manually; automatically};
PE-11(02)_ODP[02] one of the following PARAMETER VALUES is selected: {minimally required operational capability; full operational capability};
PE-11(02) an alternate power supply provided for the system is activated ;
PE-11(02)(a) the alternate power supply provided for the system is self-contained;
PE-11(02)(b) the alternate power supply provided for the system is not reliant on external power generation;
PE-11(02)(c) the alternate power supply provided for the system is capable of maintaining in the event of an extended loss of the primary power source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-11(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency power; alternate power supply; alternate power supply documentation; alternate power supply test records; system security plan; other relevant documents or records].
PE-11(02)-Interview [SELECT FROM: Organizational personnel with the responsibility for emergency power and/or planning; organizational personnel with information security responsibilities].
PE-11(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing alternate power supply; the alternate power supply].

PE-12 EMERGENCY LIGHTING
ASSESSMENT OBJECTIVE: Determine if:
PE-12[01] automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
PE-12[02] automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
PE-12[03] automatic emergency lighting for the system covers emergency exits within the facility;
PE-12[04] automatic emergency lighting for the system covers evacuation routes within the facility.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-12-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; system security plan; other relevant documents or records].
PE-12-Interview [SELECT FROM: Organizational personnel with the responsibility for emergency lighting and/or planning; organizational personnel with information security responsibilities].
PE-12-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the emergency lighting capability].

PE-12(01) EMERGENCY LIGHTING | ESSENTIAL MISSION AND BUSINESS FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
PE-12(01) emergency lighting is provided for all areas within the facility supporting essential mission and business functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-12(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing emergency lighting; emergency lighting documentation; emergency lighting test records; emergency exits and evacuation routes; areas/locations within facility supporting essential missions and business functions; system security plan; other relevant documents or records].
PE-12(01)-Interview [SELECT FROM: Organizational personnel with the responsibility for emergency lighting and/or planning; organizational personnel with information security responsibilities].
PE-12(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the emergency lighting capability].

PE-13 FIRE PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
PE-13[01] fire detection systems supported by an independent energy source are employed;
PE-13[02] fire detection systems supported by an independent energy source are maintained;
PE-13[03] fire suppression systems supported by an independent energy source are employed;
PE-13[04] fire suppression systems supported by an independent energy source are maintained.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-13-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; test records of fire suppression and detection devices/systems; system security plan; other relevant documents or records].
PE-13-Interview [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems; organizational personnel with information security responsibilities].
PE-13-Test [SELECT FROM: Automated mechanisms supporting and/or implementing fire suppression/detection devices/systems].

PE-13(01) FIRE PROTECTION | DETECTION SYSTEMS — AUTOMATIC ACTIVATION AND NOTIFICATION
ASSESSMENT OBJECTIVE: Determine if:
PE-13(01)_ODP[01] personnel or roles to be notified in the event of a fire is/are defined;
PE-13(01)_ODP[02] emergency responders to be notified in the event of a fire are defined;
PE-13(01)[01] fire detection systems that activate automatically are employed in the event of a fire;
PE-13(01)[02] fire detection systems that notify automatically are employed in the event of a fire;
PE-13(01)[03] fire detection systems that notify automatically are employed in the event of a fire.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-13(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the information system; alarm service-level agreements; test records of fire suppression and detection devices/systems; fire suppression and detection devices/systems documentation; alerts/notifications of fire events; system security plan; other relevant documents or records].
PE-13(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems; organizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires; organizational personnel with information security responsibilities].
PE-13(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing fire detection devices/systems; activation of fire detection devices/systems (simulated); automated notifications].

PE-13(02) FIRE PROTECTION | SUPPRESSION SYSTEMS — AUTOMATIC ACTIVATION AND NOTIFICATION
ASSESSMENT OBJECTIVE: Determine if:
PE-13(02)_ODP[01] personnel or roles to be notified in the event of a fire is/are defined;
PE-13(02)_ODP[02] emergency responders to be notified in the event of a fire are defined;
PE-13(02)(a)[01] fire suppression systems that activate automatically are employed;
PE-13(02)(a)[02] fire suppression systems that notify automatically are employed;
PE-13(02)(a)[03] fire suppression systems that notify automatically are employed;
PE-13(02)(b) an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-13(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; fire suppression and detection devices/systems documentation; facility housing the system; alarm service-level agreements; test records of fire suppression and detection devices/systems; system security plan; other relevant documents or records].
PE-13(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for fire detection and suppression devices/systems; organizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices/systems to appropriate personnel, roles, and emergency responders; organizational personnel with information security responsibilities].
PE-13(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing fire suppression devices/systems; activation of fire suppression devices/systems (simulated); automated notifications].

PE-13(03) FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION
[WITHDRAWN: Incorporated into PE-13(02).]

PE-13(04) FIRE PROTECTION | INSPECTIONS
ASSESSMENT OBJECTIVE: Determine if:
PE-13(04)_ODP[01] the frequency for conducting fire protection inspections on the facility is defined;
PE-13(04)_ODP[02] a time period for resolving deficiencies identified by fire protection inspections is defined;
PE-13(04)[01] the facility undergoes fire protection inspections by authorized and qualified inspectors;
PE-13(04)[02] the identified deficiencies from fire protection inspections are resolved within .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-13(04)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing fire protection; facility housing the system; inspection plans; inspection results; inspection reports; test records of fire suppression and detection devices/systems; system security plan; other relevant documents or records].
PE-13(04)-Interview [SELECT FROM: Organizational personnel with responsibilities for planning, approving, and executing fire inspections; organizational personnel with information security responsibilities].
PE-14 ENVIRONMENTAL CONTROLS
ASSESSMENT OBJECTIVE: Determine if:
PE-14_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {temperature; humidity; pressure; radiation; };
PE-14_ODP[02] environmental control levels to be maintained in the facility where the system resides are defined (if selected);
PE-14_ODP[03] acceptable levels for environmental controls are defined;
PE-14_ODP[04] frequency at which to monitor environmental control levels is defined;
PE-14a. levels are maintained at within the facility where the system resides;
PE-14b. environmental control levels are monitored .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-14-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity control; temperature and humidity controls; facility housing the system; temperature and humidity controls documentation; temperature and humidity records; system security plan; other relevant documents or records].
PE-14-Interview [SELECT FROM: Organizational personnel with responsibilities for system environmental controls; organizational personnel with information security responsibilities].
PE-14-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels].

PE-14(01) ENVIRONMENTAL CONTROLS | AUTOMATIC CONTROLS
ASSESSMENT OBJECTIVE: Determine if:
PE-14(01)_ODP automatic environmental controls to prevent fluctuations that are potentially harmful to the system are defined;
PE-14(01) are employed in the facility to prevent fluctuations that are potentially harmful to the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-14(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity controls; facility housing the system; automated mechanisms for temperature and humidity; temperature and humidity controls; temperature and humidity documentation; system security plan; other relevant documents or records].
PE-14(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for system environmental controls; organizational personnel with information security responsibilities].
PE-14(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing temperature and humidity levels].

PE-14(02) ENVIRONMENTAL CONTROLS | MONITORING WITH ALARMS AND NOTIFICATIONS
ASSESSMENT OBJECTIVE: Determine if:
PE-14(02)_ODP personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined;
PE-14(02)[01] environmental control monitoring is employed;
PE-14(02)[02] the environmental control monitoring capability provides an alarm or notification to when changes are potentially harmful to personnel or equipment.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-14(02)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing temperature and humidity monitoring; facility housing the system; logs or records of temperature and humidity monitoring; records of changes to temperature and humidity levels that generate alarms or notifications; system security plan; other relevant documents or records].
PE-14(02)-Interview [SELECT FROM: Organizational personnel with responsibilities for system environmental controls; organizational personnel with information security responsibilities].
PE-14(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing temperature and humidity monitoring].
PE-15 WATER DAMAGE PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
PE-15[01] the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
PE-15[02] the master shutoff or isolation valves are accessible;
PE-15[03] the master shutoff or isolation valves are working properly;
PE-15[04] the master shutoff or isolation valves are known to key personnel.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-15-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the system; master shutoff valves; list of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system; master shutoff valve documentation; system security plan; other relevant documents or records].
PE-15-Interview [SELECT FROM: Organizational personnel with responsibilities for system environmental controls; organizational personnel with information security responsibilities].
PE-15-Test [SELECT FROM: Master water-shutoff valves; organizational process for activating master water shutoff].

PE-15(01) WATER DAMAGE PROTECTION | AUTOMATION SUPPORT
ASSESSMENT OBJECTIVE: Determine if:
PE-15(01)_ODP[01] personnel or roles to be alerted when the presence of water is detected near the system is/are defined;
PE-15(01)_ODP[02] automated mechanisms used to detect the presence of water near the system are defined;
PE-15(01)[01] the presence of water near the system can be detected automatically;
PE-15(01)[02] is/are alerted using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-15(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing water damage protection; facility housing the system; automated mechanisms for water shutoff valves; automated mechanisms for detecting the presence of water in the vicinity of the system; alerts/notifications of water detection in system facility; system security plan; other relevant documents or records].
PE-15(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for system environmental controls; organizational personnel with information security responsibilities].
PE-15(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing water detection capabilities and alerts for the system].

PE-16 DELIVERY AND REMOVAL
ASSESSMENT OBJECTIVE: Determine if:
PE-16_ODP[01] types of system components to be authorized and controlled when entering the facility are defined;
PE-16_ODP[02] types of system components to be authorized and controlled when exiting the facility are defined;
PE-16a.[01] are authorized when entering the facility;
PE-16a.[02] are controlled when entering the facility;
PE-16a.[03] are authorized when exiting the facility;
PE-16a.[04] are controlled when exiting the facility;
PE-16b. records of the system components are maintained.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-16-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing the delivery and removal of system components from the facility; facility housing the system; records of items entering and exiting the facility; system security plan; other relevant documents or records].
PE-16-Interview [SELECT FROM: Organizational personnel with responsibilities for controlling system components entering and exiting the facility; organizational personnel with information security responsibilities].
PE-16-Test [SELECT FROM: Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility; automated mechanisms supporting and/or implementing the authorizing, monitoring, and controlling of system-related items entering and exiting the facility].

PE-17 ALTERNATE WORK SITE
ASSESSMENT OBJECTIVE: Determine if:
PE-17_ODP[01] alternate work sites allowed for use by employees are defined;
PE-17_ODP[02] controls to be employed at alternate work sites are defined;
PE-17a. are determined and documented;
PE-17b. are employed at alternate work sites;
PE-17c. the effectiveness of controls at alternate work sites is assessed;
PE-17d. a means for employees to communicate with information security and privacy personnel in case of incidents is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-17-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for organizational personnel; list of security controls required for alternate work sites; assessments of security controls at alternate work sites; system security plan; privacy plan; other relevant documents or records].
PE-17-Interview [SELECT FROM: Organizational personnel approving the use of alternate work sites; organizational personnel using alternate work sites; organizational personnel assessing controls at alternate work sites; organizational personnel with information security and privacy responsibilities].
PE-17-Test [SELECT FROM: Organizational processes for security and privacy at alternate work sites; automated mechanisms supporting alternate work sites; security and privacy controls employed at alternate work sites; means of communication between personnel at alternate work sites and security and privacy personnel].
PE-18 LOCATION OF SYSTEM COMPONENTS
ASSESSMENT OBJECTIVE: Determine if:
PE-18_ODP physical and environmental hazards that could result in potential damage to system components within the facility are defined;
PE-18 system components are positioned within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-18-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing the positioning of system components; documentation providing the location and position of system components within the facility; locations housing system components within the facility; list of physical and environmental hazards with the potential to damage system components within the facility; system security plan; other relevant documents or records].
PE-18-Interview [SELECT FROM: Organizational personnel with responsibilities for positioning system components; organizational personnel with information security responsibilities].
PE-18-Test [SELECT FROM: Organizational processes for positioning system components].

PE-18(01) LOCATION OF SYSTEM COMPONENTS | FACILITY SITE
[WITHDRAWN: Moved to PE-23.]

PE-19 INFORMATION LEAKAGE
ASSESSMENT OBJECTIVE: Determine if:
PE-19 the system is protected from information leakage due to electromagnetic signal emanations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-19-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing information leakage due to electromagnetic signal emanations; mechanisms protecting the system against electronic signal emanations; facility housing the system; records from electromagnetic signal emanation tests; system security plan; other relevant documents or records].
PE-19-Interview [SELECT FROM: Organizational personnel with responsibilities for system environmental controls; organizational personnel with information security responsibilities].
PE-19-Test [SELECT FROM: Automated mechanisms supporting and/or implementing protection from information leakage due to electromagnetic signal emanations].

PE-19(01) INFORMATION LEAKAGE | NATIONAL EMISSIONS POLICIES AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
PE-19(01)[01] system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;
PE-19(01)[02] associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;
PE-19(01)[03] networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-19(01)-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures; system component design documentation; system configuration settings and associated documentation; system security plan; other relevant documents or records].
PE-19(01)-Interview [SELECT FROM: Organizational personnel with responsibilities for system environmental controls; organizational personnel with information security responsibilities].
PE-19(01)-Test [SELECT FROM: Information system components for compliance with national emissions and TEMPEST policies and procedures].
PE-20 ASSET MONITORING AND TRACKING
ASSESSMENT OBJECTIVE: Determine if:
PE-20_ODP[01] asset location technologies to be employed to track and monitor the location and movement of assets are defined;
PE-20_ODP[02] assets whose location and movement are to be tracked and monitored are defined;
PE-20_ODP[03] controlled areas within which asset location and movement are to be tracked and monitored are defined;
PE-20 are employed to track and monitor the location and movement of within .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-20-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing asset monitoring and tracking; documentation showing the use of asset location technologies; system configuration documentation; list of organizational assets requiring tracking and monitoring; asset monitoring and tracking records; system security plan; privacy plan; other relevant documents or records].
PE-20-Interview [SELECT FROM: Organizational personnel with asset monitoring and tracking responsibilities; legal counsel; organizational personnel with information security and privacy responsibilities].
PE-20-Test [SELECT FROM: Organizational processes for tracking and monitoring assets; automated mechanisms supporting and/or implementing the tracking and monitoring of assets].

PE-21 ELECTROMAGNETIC PULSE PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
PE-21_ODP[01] protective measures to be employed against electromagnetic pulse damage are defined;
PE-21_ODP[02] system and system components requiring protection against electromagnetic pulse damage are defined;
PE-21 are employed against electromagnetic pulse damage for .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-21-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing protective measures to mitigate EMP risk to systems and components; documentation detailing protective measures to mitigate EMP risk; list of locations where protective measures to mitigate EMP risk are implemented; system security plan; other relevant documents or records].
PE-21-Interview [SELECT FROM: Organizational personnel with responsibilities for physical and environmental protection; system developers/integrators; organizational personnel with information security responsibilities].
PE-21-Test [SELECT FROM: Mechanisms for mitigating EMP risk].

PE-22 COMPONENT MARKING
ASSESSMENT OBJECTIVE: Determine if:
PE-22_ODP system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined;
PE-22 are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PE-22-Examine [SELECT FROM: Physical and environmental protection policy; procedures addressing component marking; list of component marking security attributes; component inventory; information types and their impact/classification level; system security plan; other relevant documents or records].
PE-22-Interview [SELECT FROM: Organizational personnel with component marking responsibilities; organizational personnel with component inventory responsibilities; organizational personnel with information categorization/classification responsibilities; organizational personnel with information security responsibilities].
PE-22-Test [SELECT FROM: Organizational processes for component marking; automated mechanisms supporting and/or implementing component marking].
PE-23 FACILITY LOCATION ASSESSMENT OBJECTIVE: Determine if: PE-23a. the location or site of the facility where the system resides is planned considering physical and environmental hazards; PE-23b. for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PE-23-Examine [SELECT FROM: Physical and environmental protection policy; physical site planning documents; organizational assessment of risk; contingency plan; risk mitigation strategy documentation; system security plan; other relevant documents or records]. PE-23-Interview [SELECT FROM: Organizational personnel with site selection responsibilities for the facility housing the system; organizational personnel with risk mitigation responsibilities; organizational personnel with information security responsibilities]. PE-23-Test [SELECT FROM: Organizational processes for site planning]. 4.12 Planning PL-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: PL-01_ODP[01] personnel or roles to whom the planning policy is to be disseminated is/are defined; PL-01_ODP[02] personnel or roles to whom the planning procedures are to be disseminated is/are defined; PL-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; PL-01_ODP[04] an official to manage the planning policy and procedures is defined; PL-01_ODP[05] the frequency with which the current planning policy is reviewed and updated is defined; PL-01_ODP[06] events that would require the current planning policy to be reviewed and updated are defined; PL-01_ODP[07] the frequency with which the current planning procedures are reviewed and updated is defined; PL-01_ODP[08] events that would require procedures to be reviewed and updated are defined; PL-01a.[01] a planning policy is developed and documented; 
PL-01a.[02] the planning policy is disseminated to ; PL-01a.[03] planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented; PL-01a.[04] the planning procedures are disseminated to ; PL-01a.01(a)[01] the planning policy addresses purpose; PL-01a.01(a)[02] the planning policy addresses scope; PL-01a.01(a)[03] the planning policy addresses roles; PL-01a.01(a)[04] the planning policy addresses responsibilities; PL-01a.01(a)[05] the planning policy addresses management commitment; PL-01a.01(a)[06] the planning policy addresses coordination among organizational entities; PL-01a.01(a)[07] the planning policy addresses compliance; PL-01a.01(b) the planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; PL-01b. the is designated to manage the development, documentation, and dissemination of the planning policy and procedures; PL-01c.01[01] the current planning policy is reviewed and updated ; PL-01c.01[02] the current planning policy is reviewed and updated following ; PL-01c.02[01] the current planning procedures are reviewed and updated ; PL-01c.02[02] the current planning procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-01-Examine [SELECT FROM: Planning policy and procedures; system security plan; privacy plan; other relevant documents or records]. PL-01-Interview [SELECT FROM: Organizational personnel with planning responsibilities; organizational personnel with information security and privacy responsibilities]. 
PL-02 SYSTEM SECURITY AND PRIVACY PLANS ASSESSMENT OBJECTIVE: Determine if: PL-02_ODP[01] individuals or groups with whom security- and privacy-related activities affecting the system are planned and coordinated is/are defined; PL-02_ODP[02] personnel or roles to whom copies of the system security and privacy plans are distributed is/are defined; PL-02_ODP[03] the frequency at which system security and privacy plans are reviewed is defined; PL-02a.01[01] a security plan for the system is developed that is consistent with the organization’s enterprise architecture; PL-02a.01[02] a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture; PL-02a.02[01] a security plan for the system is developed that explicitly defines the constituent system components; PL-02a.02[02] a privacy plan for the system is developed that explicitly defines the constituent system components; PL-02a.03[01] a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes; PL-02a.03[02] a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes; PL-02a.04[01] a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities; PL-02a.04[02] a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities; PL-02a.05[01] a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system; PL-02a.05[02] a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system; PL-02a.06[01] a security plan for the system is developed that provides the security categorization of the system, including supporting rationale; PL-02a.06[02] a privacy plan for the system is developed 
that provides the security categorization of the system, including supporting rationale; PL-02a.07[01] a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization; PL-02a.07[02] a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization; PL-02a.08[01] a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information; PL-02a.08[02] a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information; PL-02a.09[01] a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components; PL-02a.09[02] a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components; PL-02a.10[01] a security plan for the system is developed that provides an overview of the security requirements for the system; PL-02a.10[02] a privacy plan for the system is developed that provides an overview of the privacy requirements for the system; PL-02a.11[01] a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable; PL-02a.11[02] a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable; PL-02a.12[01] a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions; PL-02a.12[02] a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for 
any tailoring decisions; PL-02a.13[01] a security plan for the system is developed that includes risk determinations for security architecture and design decisions; PL-02a.13[02] a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions; PL-02a.14[01] a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with ; PL-02a.14[02] a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with ; PL-02a.15[01] a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-02a.15[02] a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation; PL-02b.[01] copies of the plans are distributed to ; PL-02b.[02] subsequent changes to the plans are communicated to ; PL-02c. plans are reviewed ; PL-02d.[01] plans are updated to address changes to the system and environment of operation; PL-02d.[02] plans are updated to address problems identified during plan implementation; PL-02d.[03] plans are updated to address problems identified during control assessments; PL-02e. plans are protected from unauthorized disclosure and modification. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-02-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing system security and privacy plan development and implementation; procedures addressing security and privacy plan reviews and updates; enterprise architecture documentation; system security plan; privacy plan; records of system security and privacy plan reviews and updates; security and privacy architecture and design documentation; risk assessments; risk assessment results; control assessment documentation; other relevant documents or records]. PL-02-Interview [SELECT FROM: Organizational personnel with system security and privacy planning and plan implementation responsibilities; system developers; organizational personnel with information security and privacy responsibilities]. PL-02-Test [SELECT FROM: Organizational processes for system security and privacy plan development, review, update, and approval; automated mechanisms supporting the system security and privacy plan]. PL-02(01) SYSTEM SECURITY AND PRIVACY PLANS | CONCEPT OF OPERATIONS [WITHDRAWN: Incorporated into PL-07.] PL-02(02) SYSTEM SECURITY AND PRIVACY PLANS | FUNCTIONAL ARCHITECTURE [WITHDRAWN: Incorporated into PL-08.] PL-02(03) SYSTEM SECURITY AND PRIVACY PLANS | PLAN AND COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES [WITHDRAWN: Incorporated into PL-02.] PL-03 SYSTEM SECURITY PLAN UPDATE [WITHDRAWN: Incorporated into PL-02.] 
PL-04 RULES OF BEHAVIOR ASSESSMENT OBJECTIVE: Determine if: PL-04_ODP[01] frequency for reviewing and updating the rules of behavior is defined; PL-04_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {; when the rules are revised or updated}; PL-04_ODP[03] frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected); PL-04a.[01] rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system; PL-04a.[02] rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system; PL-04b. before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received; PL-04c. rules of behavior are reviewed and updated ; PL-04d. individuals who have acknowledged a previous version of the rules of behavior are required to read and re-acknowledge . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-04-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing rules of behavior for system users; rules of behavior; signed acknowledgements; records for rules of behavior reviews and updates; other relevant documents or records]. PL-04-Interview [SELECT FROM: Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior; organizational personnel with responsibility for literacy training and awareness and role-based training; organizational personnel who are authorized users of the system and have signed and re-signed rules of behavior; organizational personnel with information security and privacy responsibilities]. 
PL-04-Test [SELECT FROM: Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior; automated mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior]. PL-04(01) RULES OF BEHAVIOR | SOCIAL MEDIA AND EXTERNAL SITE/APPLICATION USAGE RESTRICTIONS ASSESSMENT OBJECTIVE: Determine if: PL-04(01)(a) the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications; PL-04(01)(b) the rules of behavior include restrictions on posting organizational information on public websites; PL-04(01)(c) the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-04(01)-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing rules of behavior for system users; rules of behavior; training policy; other relevant documents or records]. PL-04(01)-Interview [SELECT FROM: Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior; organizational personnel with responsibility for literacy training and awareness and role-based training; organizational personnel who are authorized users of the system and have signed rules of behavior; organizational personnel with information security and privacy responsibilities]. PL-04(01)-Test [SELECT FROM: Organizational processes for establishing rules of behavior; automated mechanisms supporting and/or implementing the establishment of rules of behavior]. PL-05 PRIVACY IMPACT ASSESSMENT [WITHDRAWN: Incorporated into RA-08.] PL-06 SECURITY-RELATED ACTIVITY PLANNING [WITHDRAWN: Incorporated into PL-02.] 
PL-07 CONCEPT OF OPERATIONS ASSESSMENT OBJECTIVE: Determine if: PL-07_ODP frequency for review and update of the Concept of Operations (CONOPS) is defined; PL-07a. a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed; PL-07b. a CONOPS is reviewed and updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-07-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing security and privacy CONOPS development; procedures addressing security and privacy CONOPS reviews and updates; security and privacy CONOPS for the system; system security plan; privacy plan; records of security and privacy CONOPS reviews and updates; other relevant documents or records]. PL-07-Interview [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy responsibilities]. PL-07-Test [SELECT FROM: Organizational processes for developing, reviewing, and updating the security CONOPS; automated mechanisms supporting and/or implementing the development, review, and update of the security CONOPS]. 
PL-08 SECURITY AND PRIVACY ARCHITECTURES ASSESSMENT OBJECTIVE: Determine if: PL-08_ODP the frequency at which the security and privacy architectures are reviewed and updated to reflect changes in the enterprise architecture is defined; PL-08a.01 a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; PL-08a.02 a privacy architecture for the system describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; PL-08a.03[01] a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture; PL-08a.03[02] a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture; PL-08a.04[01] a security architecture for the system describes any assumptions about and dependencies on external systems and services; PL-08a.04[02] a privacy architecture for the system describes any assumptions about and dependencies on external systems and services; PL-08b. the security and privacy architectures are reviewed and updated  to reflect changes in the enterprise architecture; PL-08c.[01] planned architecture changes are reflected in the security plan; PL-08c.[02] planned architecture changes are reflected in the privacy plan; PL-08c.[03] planned architecture changes are reflected in the Concept of Operations (CONOPS); PL-08c.[04] planned architecture changes are reflected in the criticality analysis; PL-08c.[05] planned architecture changes are reflected in organizational procedures; PL-08c.[06] planned architecture changes are reflected in procurements and acquisitions. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-08-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing information security and privacy architecture development; procedures addressing information security and privacy architecture reviews and updates; enterprise architecture documentation; information security and privacy architecture documentation; system security plan; privacy plan; security and privacy CONOPS for the system; records of information security and privacy architecture reviews and updates; other relevant documents or records]. PL-08-Interview [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy architecture development responsibilities; organizational personnel with information security and privacy responsibilities]. PL-08-Test [SELECT FROM: Organizational processes for developing, reviewing, and updating the information security and privacy architecture; automated mechanisms supporting and/or implementing the development, review, and update of the information security and privacy architecture]. 
PL-08(01) SECURITY AND PRIVACY ARCHITECTURES | DEFENSE IN DEPTH ASSESSMENT OBJECTIVE: Determine if: PL-08(01)_ODP[01] controls to be allocated are defined; PL-08(01)_ODP[02] locations and architectural layers are defined; PL-08(01)(a)[01] the security architecture for the system is designed using a defense-in-depth approach that allocates to ; PL-08(01)(a)[02] the privacy architecture for the system is designed using a defense-in-depth approach that allocates to ; PL-08(01)(b)[01] the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner; PL-08(01)(b)[02] the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-08(01)-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing information security and privacy architecture development; enterprise architecture documentation; information security and privacy architecture documentation; system security plan; privacy plan; security and privacy CONOPS for the system; other relevant documents or records]. PL-08(01)-Interview [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy architecture development responsibilities; organizational personnel with information security and privacy responsibilities]. PL-08(01)-Test [SELECT FROM: Organizational processes for designing the information security and privacy architecture; automated mechanisms supporting and/or implementing the design of the information security and privacy architecture]. 
PL-08(02) SECURITY AND PRIVACY ARCHITECTURES | SUPPLIER DIVERSITY ASSESSMENT OBJECTIVE: Determine if: PL-08(02)_ODP[01] controls to be allocated are defined; PL-08(02)_ODP[02] locations and architectural layers are defined; PL-08(02) that are allocated to are required to be obtained from different suppliers. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-08(02)-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing information security and privacy architecture development; enterprise architecture documentation; information security and privacy architecture documentation; system security plan; privacy plan; security and privacy CONOPS for the system; IT acquisitions policy; other relevant documents or records]. PL-08(02)-Interview [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy architecture development responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities]. PL-08(02)-Test [SELECT FROM: Organizational processes for obtaining information security and privacy safeguards from different suppliers]. PL-09 CENTRAL MANAGEMENT ASSESSMENT OBJECTIVE: Determine if: PL-09_ODP security and privacy controls and related processes to be centrally managed are defined; PL-09 are centrally managed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-09-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing security and privacy plan development and implementation; system security plan; privacy plan; other relevant documents or records]. 
PL-09-Interview [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with responsibilities for planning/implementing central management of controls and related processes; organizational personnel with information security and privacy responsibilities]. PL-09-Test [SELECT FROM: Organizational processes for the central management of controls and related processes; automated mechanisms supporting and/or implementing central management of controls and related processes]. PL-10 BASELINE SELECTION ASSESSMENT OBJECTIVE: Determine if: PL-10 a control baseline for the system is selected. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-10-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing system security and privacy plan development and implementation; procedures addressing system security and privacy plan reviews and updates; system design documentation; system architecture and configuration documentation; system categorization decision; information types stored, transmitted, and processed by the system; system element/component information; stakeholder needs analysis; list of security and privacy requirements allocated to the system, system elements, and environment of operation; list of contractual requirements allocated to external providers of the system or system element; business impact analysis or criticality analysis; risk assessments; risk management strategy; organizational security and privacy policy; federal or organization-approved or mandated baselines or overlays; system security plan; privacy plan; other relevant documents or records]. PL-10-Interview [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with responsibility for organizational risk management activities]. 
PL-11 BASELINE TAILORING ASSESSMENT OBJECTIVE: Determine if: PL-11 the selected control baseline is tailored by applying specified tailoring actions. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PL-11-Examine [SELECT FROM: Security and privacy planning policy; procedures addressing system security and privacy plan development and implementation; system design documentation; system categorization decision; information types stored, transmitted, and processed by the system; system element/component information; stakeholder needs analysis; list of security and privacy requirements allocated to the system, system elements, and environment of operation; list of contractual requirements allocated to external providers of the system or system element; business impact analysis or criticality analysis; risk assessments; risk management strategy; organizational security and privacy policy; federal or organization-approved or mandated baselines or overlays; baseline tailoring rationale; system security plan; privacy plan; records of system security and privacy plan reviews and updates; other relevant documents or records]. PL-11-Interview [SELECT FROM: Organizational personnel with security and privacy planning and plan implementation responsibilities; organizational personnel with information security and privacy responsibilities]. 
4.13 Program Management PM-01 INFORMATION SECURITY PROGRAM PLAN ASSESSMENT OBJECTIVE: Determine if: PM-01_ODP[01] the frequency at which to review and update the organization-wide information security program plan is defined; PM-01_ODP[02] events that trigger the review and update of the organization-wide information security program plan are defined; PM-01a.[01] an organization-wide information security program plan is developed; PM-01a.[02] the information security program plan is disseminated; PM-01a.01[01] the information security program plan provides an overview of the requirements for the security program; PM-01a.01[02] the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements; PM-01a.01[03] the information security program plan provides a description of the common controls in place or planned for meeting those requirements; PM-01a.02[01] the information security program plan includes the identification and assignment of roles; PM-01a.02[02] the information security program plan includes the identification and assignment of responsibilities; PM-01a.02[03] the information security program plan addresses management commitment; PM-01a.02[04] the information security program plan addresses coordination among organizational entities; PM-01a.02[05] the information security program plan addresses compliance; PM-01a.03 the information security program plan reflects the coordination among the organizational entities responsible for information security; PM-01a.04 the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; PM-01b.[01] the information security program plan is reviewed and updated ; PM-01b.[02] the information security program 
plan is reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-01-Examine [SELECT FROM: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; procedures for program plan approvals; records of program plan reviews and updates; other relevant documents or records]. PM-01-Interview [SELECT FROM: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel with information security responsibilities]. PM-01-Test [SELECT FROM: Organizational processes for information security program plan development, review, update, and approval; automated mechanisms supporting and/or implementing the information security program plan]. PM-02 INFORMATION SECURITY PROGRAM LEADERSHIP ROLE ASSESSMENT OBJECTIVE: Determine if: PM-02[01] a senior agency information security officer is appointed; PM-02[02] the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program; PM-02[03] the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program; PM-02[04] the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program; PM-02[05] the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-02-Examine [SELECT FROM: Information security program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews and updates; procedures addressing coordination of the program plan with relevant entities; other relevant documents or records]. PM-02-Interview [SELECT FROM: Organizational personnel with information security program planning and plan implementation responsibilities; senior information security officer; organizational personnel with information security responsibilities]. PM-03 INFORMATION SECURITY AND PRIVACY RESOURCES ASSESSMENT OBJECTIVE: Determine if: PM-03a.[01] the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented; PM-03a.[02] the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented; PM-03b.[01] the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards; PM-03b.[02] the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, Executive Orders, directives, policies, regulations, standards; PM-03c.[01] information security resources are made available for expenditure as planned; PM-03c.[02] privacy resources are made available for expenditure as planned. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-03-Examine [SELECT FROM: Information security program plan; Exhibit 300; Exhibit 53; business cases for capital planning and investment; procedures for capital planning and investment; documentation of exceptions to capital planning requirements; other relevant documents or records]. 
PM-03-Interview [SELECT FROM: Organizational personnel with information security program planning responsibilities; organizational personnel responsible for capital planning and investment; organizational personnel with information security responsibilities]. PM-03-Test [SELECT FROM: Organizational processes for capital planning and investment; organizational processes for business case, Exhibit 300, and Exhibit 53 development; automated mechanisms supporting the capital planning and investment process]. PM-04 PLAN OF ACTION AND MILESTONES PROCESS ASSESSMENT OBJECTIVE: Determine if: PM-04a.01[01] a process is implemented to ensure that plans of action and milestones for the information security program and associated organizational systems are developed; PM-04a.01[02] a process is implemented to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained; PM-04a.01[03] a process is implemented to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed; PM-04a.01[04] a process is implemented to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained; PM-04a.01[05] a process is implemented to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed; PM-04a.01[06] a process is implemented to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained; PM-04a.02[01] a process is implemented to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation; PM-04a.02[02] a process is implemented to ensure that plans of action and milestones for the privacy program and associated organizational 
systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation; PM-04a.02[03] a process is implemented to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation; PM-04a.03[01] a process is implemented to ensure that plans of action and milestones for the information security risk management program and associated organizational systems are reported in accordance with established reporting requirements; PM-04a.03[02] a process is implemented to ensure that plans of action and milestones for the privacy risk management program and associated organizational systems are reported in accordance with established reporting requirements; PM-04a.03[03] a process is implemented to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are reported in accordance with established reporting requirements; PM-04b.[01] plans of action and milestones are reviewed for consistency with the organizational risk management strategy; PM-04b.[02] plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-04-Examine [SELECT FROM: Information security program plan; plans of action and milestones; procedures addressing plans of action and milestones development and maintenance; procedures addressing plans of action and milestones reporting; procedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities; results of risk assessments associated with plans of action and milestones; OMB FISMA reporting requirements; other relevant documents or records]. 
PM-04-Interview [SELECT FROM: Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones; organizational personnel with information security responsibilities].
PM-04-Test [SELECT FROM: Organizational processes for plan of action and milestones development, review, maintenance, and reporting; automated mechanisms supporting plans of action and milestones].

PM-05 SYSTEM INVENTORY
ASSESSMENT OBJECTIVE: Determine if:
PM-05_ODP the frequency at which to update the inventory of organizational systems is defined;
PM-05[01] an inventory of organizational systems is developed;
PM-05[02] the inventory of organizational systems is updated .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-05-Examine [SELECT FROM: Information security program plan; system inventory; procedures addressing system inventory development and maintenance; OMB FISMA reporting guidance; other relevant documents or records].
PM-05-Interview [SELECT FROM: Organizational personnel with information security program planning and plan implementation responsibilities; organizational personnel responsible for developing and maintaining the system inventory; organizational personnel with information security responsibilities].
PM-05-Test [SELECT FROM: Organizational processes for system inventory development and maintenance; automated mechanisms supporting the system inventory].
PM-05(01) SYSTEM INVENTORY | INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
PM-05(01)_ODP the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined;
PM-05(01)[01] an inventory of all systems, applications, and projects that process personally identifiable information is established;
PM-05(01)[02] an inventory of all systems, applications, and projects that process personally identifiable information is maintained;
PM-05(01)[03] an inventory of all systems, applications, and projects that process personally identifiable information is updated .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-05(01)-Examine [SELECT FROM: Procedures addressing system inventory development, maintenance, and updates; OMB FISMA reporting guidance; privacy program plan; information security program plan; personally identifiable information processing policy; system inventory; personally identifiable information inventory; data mapping documentation; other relevant documents or records].
PM-05(01)-Interview [SELECT FROM: Organizational personnel with privacy program planning and plan implementation responsibilities; organizational personnel responsible for developing and maintaining the system inventory; organizational personnel with information security and privacy responsibilities].
PM-05(01)-Test [SELECT FROM: Organizational processes for system inventory development, maintenance, and updates; automated mechanisms supporting the system inventory].
PM-06 MEASURES OF PERFORMANCE
ASSESSMENT OBJECTIVE: Determine if:
PM-06[01] information security measures of performance are developed;
PM-06[02] information security measures of performance are monitored;
PM-06[03] the results of information security measures of performance are reported;
PM-06[04] privacy measures of performance are developed;
PM-06[05] privacy measures of performance are monitored;
PM-06[06] the results of privacy measures of performance are reported.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-06-Examine [SELECT FROM: Information security program plan; privacy program plan; information security measures of performance; privacy measures of performance; procedures addressing the development, monitoring, and reporting of information security and privacy measures of performance; risk management strategy; other relevant documents or records].
PM-06-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for developing, monitoring, and reporting information security and privacy measures of performance; organizational personnel with information security and privacy responsibilities].
PM-06-Test [SELECT FROM: Organizational processes for developing, monitoring, and reporting information security and privacy measures of performance; automated mechanisms supporting the development, monitoring, and reporting of information security and privacy measures of performance].
PM-07 ENTERPRISE ARCHITECTURE
ASSESSMENT OBJECTIVE: Determine if:
PM-07[01] an enterprise architecture is developed with consideration for information security;
PM-07[02] an enterprise architecture is maintained with consideration for information security;
PM-07[03] an enterprise architecture is developed with consideration for privacy;
PM-07[04] an enterprise architecture is maintained with consideration for privacy;
PM-07[05] an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;
PM-07[06] an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-07-Examine [SELECT FROM: Information security program plan; privacy program plan; enterprise architecture documentation; procedures addressing enterprise architecture development; results of risk assessments of enterprise architecture; other relevant documents or records].
PM-07-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for developing enterprise architecture; organizational personnel responsible for risk assessments of enterprise architecture; organizational personnel with information security and privacy responsibilities].
PM-07-Test [SELECT FROM: Organizational processes for enterprise architecture development; automated mechanisms supporting the enterprise architecture and its development].

PM-07(01) ENTERPRISE ARCHITECTURE | OFFLOADING
ASSESSMENT OBJECTIVE: Determine if:
PM-07(01)_ODP non-essential functions or services to be offloaded are defined;
PM-07(01) are offloaded to other systems, system components, or an external provider.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-07(01)-Examine [SELECT FROM: Information security program plan; privacy program plan; enterprise architecture documentation; procedures addressing enterprise architecture development; procedures for identifying and offloading functions or services; results of risk assessments of enterprise architecture; other relevant documents or records].
PM-07(01)-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for developing enterprise architecture; organizational personnel responsible for risk assessments of enterprise architecture; organizational personnel with information security and privacy responsibilities].
PM-07(01)-Test [SELECT FROM: Organizational processes for enterprise architecture development; automated mechanisms supporting the enterprise architecture and its development; mechanisms for offloading functions and services].

PM-08 CRITICAL INFRASTRUCTURE PLAN
ASSESSMENT OBJECTIVE: Determine if:
PM-08[01] information security issues are addressed in the development of a critical infrastructure and key resources protection plan;
PM-08[02] information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
PM-08[03] information security issues are addressed in the update of a critical infrastructure and key resources protection plan;
PM-08[04] privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;
PM-08[05] privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
PM-08[06] privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-08-Examine [SELECT FROM: Information security program plan; privacy program plan; critical infrastructure and key resources protection plan; procedures addressing the development, documentation, and updating of the critical infrastructure and key resources protection plan; HSPD 7; National Infrastructure Protection Plan; other relevant documents or records].
PM-08-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for developing, documenting, and updating the critical infrastructure and key resources protection plan; organizational personnel with information security and privacy responsibilities].
PM-08-Test [SELECT FROM: Organizational processes for developing, documenting, and updating the critical infrastructure and key resources protection plan; automated mechanisms supporting the development, documentation, and updating of the critical infrastructure and key resources protection plan].

PM-09 RISK MANAGEMENT STRATEGY
ASSESSMENT OBJECTIVE: Determine if:
PM-09_ODP the frequency at which to review and update the risk management strategy is defined;
PM-09a.01 a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;
PM-09a.02 a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;
PM-09b. the risk management strategy is implemented consistently across the organization;
PM-09c. the risk management strategy is reviewed and updated or as required to address organizational changes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-09-Examine [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; supply chain risk management strategy; procedures addressing the development, implementation, review, and update of the risk management strategy; risk assessment results relevant to the risk management strategy; other relevant documents or records].
PM-09-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the development, implementation, review, and update of the risk management strategy; organizational personnel with information security and privacy responsibilities].
PM-09-Test [SELECT FROM: Organizational processes for the development, implementation, review, and update of the risk management strategy; automated mechanisms supporting the development, implementation, review, and update of the risk management strategy].

PM-10 AUTHORIZATION PROCESS
ASSESSMENT OBJECTIVE: Determine if:
PM-10a.[01] the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;
PM-10a.[02] the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;
PM-10b. individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;
PM-10c. the authorization processes are integrated into an organization-wide risk management program.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-10-Examine [SELECT FROM: Information security program plan; privacy program plan; procedures addressing management (i.e., documentation, tracking, and reporting) of the authorization process; assessment, authorization, and monitoring policy; assessment, authorization, and monitoring procedures; system authorization documentation; lists or other documentation about authorization process roles and responsibilities; risk assessment results relevant to the authorization process and the organization-wide risk management program; organizational risk management strategy; other relevant documents or records].
PM-10-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for management of the authorization process; organizational personnel with information security and privacy responsibilities].
PM-10-Test [SELECT FROM: Organizational processes for authorization; automated mechanisms supporting the authorization process].

PM-11 MISSION AND BUSINESS PROCESS DEFINITION
ASSESSMENT OBJECTIVE: Determine if:
PM-11_ODP the frequency at which to review and revise the mission and business processes is defined;
PM-11a.[01] organizational mission and business processes are defined with consideration for information security;
PM-11a.[02] organizational mission and business processes are defined with consideration for privacy;
PM-11a.[03] organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;
PM-11b.[01] information protection needs arising from the defined mission and business processes are determined;
PM-11b.[02] personally identifiable information processing needs arising from the defined mission and business processes are determined;
PM-11c. the mission and business processes are reviewed and revised .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-11-Examine [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; procedures for determining mission and business protection needs; information security and privacy risk assessment results relevant to the determination of mission and business protection needs; personally identifiable information processing policy; personally identifiable information inventory; other relevant documents or records].
PM-11-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for enterprise risk management; organizational personnel responsible for determining information protection needs for mission and business processes; organizational personnel with information security and privacy responsibilities].
PM-11-Test [SELECT FROM: Organizational processes for defining mission and business processes and their information protection needs].

PM-12 INSIDER THREAT PROGRAM
ASSESSMENT OBJECTIVE: Determine if:
PM-12 an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-12-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the insider threat program; members of the cross-discipline insider threat incident handling team; legal counsel; organizational personnel with information security and privacy responsibilities].
PM-12-Test [SELECT FROM: Organizational processes for implementing the insider threat program and the cross-discipline insider threat incident handling team; automated mechanisms supporting and/or implementing the insider threat program and the cross-discipline insider threat incident handling team].

PM-13 SECURITY AND PRIVACY WORKFORCE
ASSESSMENT OBJECTIVE: Determine if:
PM-13[01] a security workforce development and improvement program is established;
PM-13[02] a privacy workforce development and improvement program is established.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-13-Examine [SELECT FROM: Information security program plan; privacy program plan; information security and privacy workforce development and improvement program documentation; procedures for the information security and privacy workforce development and improvement program; information security and privacy role-based training program documentation; other relevant documents or records].
PM-13-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the information security and privacy workforce development and improvement program; organizational personnel with information security and privacy responsibilities].
PM-13-Test [SELECT FROM: Organizational processes for implementing the information security and privacy workforce development and improvement program; automated mechanisms supporting and/or implementing the information security and privacy workforce development and improvement program].
PM-14 TESTING, TRAINING, AND MONITORING
ASSESSMENT OBJECTIVE: Determine if:
PM-14a.01[01] a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;
PM-14a.01[02] a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;
PM-14a.01[03] a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;
PM-14a.01[04] a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;
PM-14a.02[01] a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;
PM-14a.02[02] a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;
PM-14b.[01] testing, training, and monitoring plans are reviewed for consistency with the organizational risk management strategy;
PM-14b.[02] training plans are reviewed for consistency with the organizational risk management strategy;
PM-14b.[03] monitoring plans are reviewed for consistency with the organizational risk management strategy;
PM-14b.[04] testing plans are reviewed for consistency with organization-wide priorities for risk response actions;
PM-14b.[05] training plans are reviewed for consistency with organization-wide priorities for risk response actions;
PM-14b.[06] monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-14-Examine [SELECT FROM: Information security program plan; privacy program plan; plans for conducting security and privacy testing, training, and monitoring activities; organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities; risk management strategy; procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities; results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities; documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities; other relevant documents or records].
PM-14-Interview [SELECT FROM: Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities; organizational personnel with information security and privacy responsibilities].
PM-14-Test [SELECT FROM: Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities; automated mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities].
PM-15 SECURITY AND PRIVACY GROUPS AND ASSOCIATIONS
ASSESSMENT OBJECTIVE: Determine if:
PM-15a.[01] contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;
PM-15a.[02] contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;
PM-15b.[01] contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;
PM-15b.[02] contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;
PM-15c.[01] contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;
PM-15c.[02] contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-15-Examine [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; procedures for establishing and institutionalizing contacts with security and privacy groups and associations; lists or other records of contacts with and/or membership in security and privacy groups and associations; other relevant documents or records].
PM-15-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations; organizational personnel with information security and privacy responsibilities; personnel from selected groups and associations with which the organization has established and institutionalized contact].
PM-15-Test [SELECT FROM: Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations; automated mechanisms supporting contact with security and privacy groups and associations].

PM-16 THREAT AWARENESS PROGRAM
ASSESSMENT OBJECTIVE: Determine if:
PM-16 a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-16-Examine [SELECT FROM: Information security program plan; privacy program plan; threat awareness program policy; threat awareness program procedures; risk assessment results relevant to threat awareness; documentation about the cross-organization information-sharing capability; other relevant documents or records].
PM-16-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the threat awareness program; organizational personnel responsible for the cross-organization information-sharing capability; organizational personnel with information security and privacy responsibilities; external personnel with whom threat awareness information is shared by the organization].
PM-16-Test [SELECT FROM: Organizational processes for implementing the threat awareness program; organizational processes for implementing the cross-organization information-sharing capability; automated mechanisms supporting and/or implementing the threat awareness program; automated mechanisms supporting and/or implementing the cross-organization information-sharing capability].

PM-16(01) THREAT AWARENESS PROGRAM | AUTOMATED MEANS FOR SHARING THREAT INTELLIGENCE
ASSESSMENT OBJECTIVE: Determine if:
PM-16(01) automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-16(01)-Examine [SELECT FROM: Information security program plan; privacy program plan; threat awareness program policy; threat awareness program procedures; risk assessment results related to threat awareness; documentation about the cross-organization information-sharing capability; other relevant documents or records].
PM-16(01)-Interview [SELECT FROM: Organizational personnel with information security and privacy program planning and plan implementation responsibilities; organizational personnel responsible for the threat awareness program; organizational personnel responsible for the cross-organization information-sharing capability; organizational personnel with information security and privacy responsibilities; external personnel with whom threat awareness information is shared by the organization].
PM-16(01)-Test [SELECT FROM: Organizational processes for implementing the threat awareness program; organizational processes for implementing the cross-organization information-sharing capability; automated mechanisms supporting and/or implementing the threat awareness program; automated mechanisms supporting and/or implementing the cross-organization information-sharing capability].
PM-17 PROTECTING CONTROLLED UNCLASSIFIED INFORMATION ON EXTERNAL SYSTEMS
ASSESSMENT OBJECTIVE: Determine if:
PM-17_ODP the frequency at which to review and update the policy and procedures is defined;
PM-17a.[01] policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards;
PM-17a.[02] procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, Executive Orders, directives, policies, regulations, and standards;
PM-17b. policy and procedures are reviewed and updated .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-17-Examine [SELECT FROM: Controlled unclassified information policy; controlled unclassified information procedures; other relevant documents or records].
PM-17-Interview [SELECT FROM: Organizational personnel with controlled unclassified information responsibilities; organizational personnel with information security responsibilities].
PM-18 PRIVACY PROGRAM PLAN
ASSESSMENT OBJECTIVE: Determine if:
PM-18_ODP the frequency of updates to the privacy program plan is defined;
PM-18a.[01] an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;
PM-18a.01[01] the privacy program plan includes a description of the structure of the privacy program;
PM-18a.01[02] the privacy program plan includes a description of the resources dedicated to the privacy program;
PM-18a.02[01] the privacy program plan provides an overview of the requirements for the privacy program;
PM-18a.02[02] the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;
PM-18a.02[03] the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;
PM-18a.03[01] the privacy program plan includes the role of the senior agency official for privacy;
PM-18a.03[02] the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;
PM-18a.04[01] the privacy program plan describes management commitment;
PM-18a.04[02] the privacy program plan describes compliance;
PM-18a.04[03] the privacy program plan describes the strategic goals and objectives of the privacy program;
PM-18a.05 the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;
PM-18a.06 the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
PM-18a.[02] the privacy program plan is disseminated;
PM-18b.[01] the privacy program plan is updated ;
PM-18b.[02] the privacy program plan is updated to address changes in federal privacy laws and policies;
PM-18b.[03] the privacy program plan is updated to address organizational changes;
PM-18b.[04] the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PM-18-Examine [SELECT FROM: Privacy program plan; procedures addressing program plan development and implementation; procedures addressing program plan reviews, updates, and approvals; procedures addressing coordination of the program plan with relevant entities; records of program plan reviews, updates, and approvals; other relevant documents or records].
PM-18-Interview [SELECT FROM: Organizational personnel with privacy program planning and plan implementation responsibilities; organizational personnel with privacy responsibilities].

PM-19 PRIVACY PROGRAM LEADERSHIP ROLE
ASSESSMENT OBJECTIVE: Determine if:
PM-19[01] a senior agency official for privacy with authority, mission, accountability, and resources is appointed;
PM-19[02] the senior agency official for privacy coordinates applicable privacy requirements;
PM-19[03] the senior agency official for privacy develops applicable privacy requirements;
PM-19[04] the senior agency official for privacy implements applicable privacy requirements;
PM-19[05] the senior agency official for privacy manages privacy risks through the organization-wide privacy program.
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-19-Examine [SELECT FROM: Privacy program documents, including policies, procedures, plans, and reports; public privacy notices, including Federal Register notices; privacy impact assessments; privacy risk assessments; Privacy Act statements; system of records notices; computer matching agreements and notices; contracts, information sharing agreements, and memoranda of understanding; governing requirements, including laws, Executive Orders, regulations, standards, and guidance; other relevant documents or records]. PM-19-Interview [SELECT FROM: Organizational personnel with privacy program planning and plan implementation responsibilities; organizational personnel with privacy responsibilities; senior agency official for privacy; privacy officials]. PM-20 DISSEMINATION OF PRIVACY PROGRAM INFORMATION ASSESSMENT OBJECTIVE: Determine if: PM-20[01] a central resource webpage is maintained on the organization’s principal public website; PM-20[02] the webpage serves as a central source of information about the organization’s privacy program; PM-20a.[01] the webpage ensures that the public has access to information about organizational privacy activities; PM-20a.[02] the webpage ensures that the public can communicate with its senior agency official for privacy; PM-20b.[01] the webpage ensures that organizational privacy practices are publicly available; PM-20b.[02] the webpage ensures that organizational privacy reports are publicly available; PM-20c. the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-20-Examine [SELECT FROM: Public website; publicly posted privacy program documents, including policies, procedures, plans, and reports; position description of the senior agency official for privacy; public privacy notices, including Federal Register notices; privacy impact assessments; privacy risk assessments; Privacy Act statements and system of records notices; computer matching agreements and notices; other relevant documents or records]. PM-20-Interview [SELECT FROM: Organizational personnel with privacy program information dissemination responsibilities; organizational personnel with privacy responsibilities]. PM-20-Test [SELECT FROM: Location, access, availability, and functionality of privacy resource webpage]. PM-20(01) DISSEMINATION OF PRIVACY PROGRAM INFORMATION | PRIVACY POLICIES ON WEBSITES, APPLICATIONS, AND DIGITAL SERVICES ASSESSMENT OBJECTIVE: Determine if: PM-20(01)[01] privacy policies are developed and posted on all external-facing websites; PM-20(01)[02] privacy policies are developed and posted on all mobile applications; PM-20(01)[03] privacy policies are developed and posted on all other digital services; PM-20(01)(a)[01] the privacy policies are written in plain language; PM-20(01)(a)[02] the privacy policies are organized in a way that is easy to understand and navigate; PM-20(01)(b)[01] the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization; PM-20(01)(b)[02] the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization; PM-20(01)(c)[01] the privacy policies are updated whenever the organization makes a substantive change to the practices it describes; PM-20(01)(c)[02] the privacy policies include a time/date stamp to inform the public of the date of the most recent changes. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-20(01)-Examine [SELECT FROM: Privacy program plan; privacy policies on the agency website, mobile applications, and/or other digital services]. PM-20(01)-Interview [SELECT FROM: Organizational personnel with privacy program information dissemination responsibilities; organizational personnel with privacy responsibilities]. PM-20(01)-Test [SELECT FROM: Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing; organizational procedures and practices for disseminating privacy program information; automated mechanisms supporting the dissemination of privacy program information]. PM-21 ACCOUNTING OF DISCLOSURES ASSESSMENT OBJECTIVE: Determine if: PM-21a. an accurate accounting of disclosures of personally identifiable information is developed and maintained; PM-21a.01[01] the accounting includes the date of each disclosure; PM-21a.01[02] the accounting includes the nature of each disclosure; PM-21a.01[03] the accounting includes the purpose of each disclosure; PM-21a.02[01] the accounting includes the name of the individual or organization to whom the disclosure was made; PM-21a.02[02] the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made; PM-21b. the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; PM-21c. the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-21-Examine [SELECT FROM: Privacy program plan; disclosure policies and procedures; records of disclosures; audit logs; Privacy Act policies and procedures; system of records notice; Privacy Act exemption rules]. 
PM-21-Interview [SELECT FROM: Organizational personnel with privacy program responsibilities; organizational personnel with privacy responsibilities]. PM-21-Test [SELECT FROM: Organizational processes for disclosures; automated mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts]. PM-22 PERSONALLY IDENTIFIABLE INFORMATION QUALITY MANAGEMENT ASSESSMENT OBJECTIVE: Determine if: PM-22[01] organization-wide policies for personally identifiable information quality management are developed and documented; PM-22[02] organization-wide procedures for personally identifiable information quality management are developed and documented; PM-22a.[01] the policies address reviewing the accuracy of personally identifiable information across the information life cycle; PM-22a.[02] the policies address reviewing the relevance of personally identifiable information across the information life cycle; PM-22a.[03] the policies address reviewing the timeliness of personally identifiable information across the information life cycle; PM-22a.[04] the policies address reviewing the completeness of personally identifiable information across the information life cycle; PM-22a.[05] the procedures address reviewing the accuracy of personally identifiable information across the information life cycle; PM-22a.[06] the procedures address reviewing the relevance of personally identifiable information across the information life cycle; PM-22a.[07] the procedures address reviewing the timeliness of personally identifiable information across the information life cycle; PM-22a.[08] the procedures address reviewing the completeness of personally identifiable information across the information life cycle; PM-22b.[01] the policies address correcting or deleting inaccurate or outdated personally identifiable information; PM-22b.[02] the procedures address correcting or deleting inaccurate or outdated personally identifiable information; 
PM-22c.[01] the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; PM-22c.[02] the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; PM-22d.[01] the policies address appeals of adverse decisions on correction or deletion requests; PM-22d.[02] the procedures address appeals of adverse decisions on correction or deletion requests. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-22-Examine [SELECT FROM: Privacy program plan; policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion; records of monitoring PII quality management practices; documentation of reviews and updates of policies and procedures]. PM-22-Interview [SELECT FROM: Organizational personnel with privacy program information dissemination responsibilities; organizational personnel with privacy responsibilities]. PM-22-Test [SELECT FROM: Organizational processes for data quality and personally identifiable information quality management procedures; automated mechanisms supporting and/or implementing quality management requirements]. PM-23 DATA GOVERNANCE BODY ASSESSMENT OBJECTIVE: Determine if: PM-23_ODP[01] the roles of a data governance body are defined; PM-23_ODP[02] the responsibilities of a data governance body are defined; PM-23 a data governance body consisting of with is established. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-23-Examine [SELECT FROM: Privacy program plan; documentation relating to a data governance body, including documents establishing such a body, its charter of operations, and any plans and reports; records of board meetings and decisions; records of requests to review data; policies, procedures, and standards that facilitate data governance]. 
PM-23-Interview [SELECT FROM: Officials serving on the data governance body (e.g., chief information officer, senior agency information security officer, and senior agency official for privacy)]. PM-24 DATA INTEGRITY BOARD ASSESSMENT OBJECTIVE: Determine if: PM-24 a data integrity board is established; PM-24a. the data integrity board reviews proposals to conduct or participate in a matching program; PM-24b. the data integrity board conducts an annual review of all matching programs in which the agency has participated. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-24-Examine [SELECT FROM: Privacy program plan; privacy program documents relating to a data integrity board, including documents establishing the board, its charter of operations, and any plans and reports; computer matching agreements and notices; information sharing agreements; memoranda of understanding; records documenting annual reviews; governing requirements, including laws, Executive Orders, regulations, standards, and guidance]. PM-24-Interview [SELECT FROM: members of the data integrity board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency Inspector General)]. 
PM-25 MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION USED IN TESTING, TRAINING, AND RESEARCH ASSESSMENT OBJECTIVE: Determine if: PM-25_ODP[01] the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined; PM-25_ODP[02] the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined; PM-25_ODP[03] the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined; PM-25_ODP[04] the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined; PM-25a.[01] policies that address the use of personally identifiable information for internal testing are developed and documented; PM-25a.[02] policies that address the use of personally identifiable information for internal training are developed and documented; PM-25a.[03] policies that address the use of personally identifiable information for internal research are developed and documented; PM-25a.[04] procedures that address the use of personally identifiable information for internal testing are developed and documented; PM-25a.[05] procedures that address the use of personally identifiable information for internal training are implemented; PM-25a.[06] procedures that address the use of personally identifiable information for internal research are implemented; PM-25a.[07] policies and procedures that address the use of personally identifiable information for internal testing, training, and research are implemented; PM-25b.[01] the amount of personally identifiable information used for internal testing purposes is limited or minimized; PM-25b.[02] the amount of personally identifiable information used for internal training purposes is limited or minimized; PM-25b.[03] 
the amount of personally identifiable information used for internal research purposes is limited or minimized; PM-25c.[01] the required use of personally identifiable information for internal testing is authorized; PM-25c.[02] the required use of personally identifiable information for internal training is authorized; PM-25c.[03] the required use of personally identifiable information for internal research is authorized; PM-25d.[01] policies are reviewed ; PM-25d.[02] policies are updated ; PM-25d.[03] procedures are reviewed ; PM-25d.[04] procedures are updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-25-Examine [SELECT FROM: Privacy program plan; policies and procedures for the minimization of personally identifiable information used in testing, training, and research; documentation supporting policy implementation (e.g., templates for testing, training, and research; privacy threshold analysis; privacy risk assessment); data sets used for testing, training, and research]. PM-25-Interview [SELECT FROM: Organizational personnel with privacy program responsibilities; organizational personnel with privacy responsibilities; system developers; personnel with IRB responsibilities]. PM-25-Test [SELECT FROM: Organizational processes for data quality and personally identifiable information management; automated mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information]. 
PM-26 COMPLAINT MANAGEMENT ASSESSMENT OBJECTIVE: Determine if: PM-26_ODP[01] the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined; PM-26_ODP[02] the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined; PM-26_ODP[03] the time period for acknowledging the receipt of complaints is defined; PM-26_ODP[04] the time period for responding to complaints is defined; PM-26 a process for receiving complaints, concerns, or questions from individuals about the organizational security and privacy practices is implemented; PM-26a.[01] the complaint management process includes mechanisms that are easy to use by the public; PM-26a.[02] the complaint management process includes mechanisms that are readily accessible by the public; PM-26b. the complaint management process includes all information necessary for successfully filing complaints; PM-26c.[01] the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within ; PM-26c.[02] the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within ; PM-26d. the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within ; PM-26e. the complaint management process includes responding to complaints, concerns, or questions from individuals within . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-26-Examine [SELECT FROM: Privacy program plan; procedures addressing complaint management; complaint documentation; procedures addressing the reviews of complaints; other relevant documents or records]. PM-26-Interview [SELECT FROM: Organizational personnel with privacy program responsibilities; organizational personnel with privacy responsibilities]. 
PM-26-Test [SELECT FROM: Organizational processes for complaint management; automated mechanisms supporting complaint management; tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms)]. PM-27 PRIVACY REPORTING ASSESSMENT OBJECTIVE: Determine if: PM-27_ODP[01] privacy reports are defined; PM-27_ODP[02] privacy oversight bodies are defined; PM-27_ODP[03] officials responsible for monitoring privacy program compliance are defined; PM-27_ODP[04] the frequency for reviewing and updating privacy reports is defined; PM-27a. are developed; PM-27a.01 the privacy reports are disseminated to to demonstrate accountability with statutory, regulatory, and policy privacy mandates; PM-27a.02[01] the privacy reports are disseminated to ; PM-27a.02[02] the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance; PM-27b. the privacy reports are reviewed and updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-27-Examine [SELECT FROM: Privacy program plan; internal and external privacy reports; privacy program plan; annual senior agency official for privacy reports to OMB; reports to Congress required by law, regulation, or policy, including internal policies; records documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance; records of review and updates of privacy reports]. PM-27-Interview [SELECT FROM: Organizational personnel with privacy program responsibilities; organizational personnel with privacy responsibilities; legal counsel]. 
PM-28 RISK FRAMING ASSESSMENT OBJECTIVE: Determine if: PM-28_ODP[01] the personnel to receive the results of risk framing activities is/are defined; PM-28_ODP[02] the frequency for reviewing and updating risk framing considerations is defined; PM-28a.01[01] assumptions affecting risk assessments are identified and documented; PM-28a.01[02] assumptions affecting risk responses are identified and documented; PM-28a.01[03] assumptions affecting risk monitoring are identified and documented; PM-28a.02[01] constraints affecting risk assessments are identified and documented; PM-28a.02[02] constraints affecting risk responses are identified and documented; PM-28a.02[03] constraints affecting risk monitoring are identified and documented; PM-28a.03[01] priorities considered by the organization for managing risk are identified and documented; PM-28a.03[02] trade-offs considered by the organization for managing risk are identified and documented; PM-28a.04 organizational risk tolerance is identified and documented; PM-28b. the results of risk framing activities are distributed to ; PM-28c. risk framing considerations are reviewed and updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-28-Examine [SELECT FROM: Information security program plan; privacy program plan; supply chain risk management strategy; documentation of risk framing activities; policies and procedures for risk framing activities; risk management strategy]. PM-28-Interview [SELECT FROM: Organizational personnel (including mission, business, and system owners or stewards; authorizing officials; senior agency information security officer; senior agency official for privacy; and senior accountable official for risk management)]. 
PM-28-Test [SELECT FROM: Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing; organizational processes for risk framing; automated mechanisms supporting the development, review, update, and approval of risk framing]. PM-29 RISK MANAGEMENT PROGRAM LEADERSHIP ROLES ASSESSMENT OBJECTIVE: Determine if: PM-29a.[01] a Senior Accountable Official for Risk Management is appointed; PM-29a.[02] a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes; PM-29b.[01] a Risk Executive (function) is established; PM-29b.[02] a Risk Executive (function) views and analyzes risk from an organization-wide perspective; PM-29b.[03] a Risk Executive (function) ensures that the management of risk is consistent across the organization. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-29-Examine [SELECT FROM: Information security program plan; privacy program plan; risk management strategy; supply chain risk management strategy; documentation of appointment, roles, and responsibilities of a Senior Accountable Official for Risk Management; documentation of actions taken by the Official; documentation of the establishment, policies, and procedures of a Risk Executive (function)]. PM-29-Interview [SELECT FROM: Senior Accountable Official for Risk Management; chief information officer; senior agency information security officer; senior agency official for privacy; organizational personnel with information security and privacy program responsibilities]. 
PM-30 SUPPLY CHAIN RISK MANAGEMENT STRATEGY ASSESSMENT OBJECTIVE: Determine if: PM-30_ODP the frequency for reviewing and updating the supply chain risk management strategy is defined; PM-30a.[01] an organization-wide strategy for managing supply chain risks is developed; PM-30a.[02] the supply chain risk management strategy addresses risks associated with the development of systems; PM-30a.[03] the supply chain risk management strategy addresses risks associated with the development of system components; the supply chain risk management strategy addresses risks associated with the development of system services; PM-30a.[04] the supply chain risk management strategy addresses risks associated with the acquisition of systems; PM-30a.[05] the supply chain risk management strategy addresses risks associated with the acquisition of system components; PM-30a.[06] the supply chain risk management strategy addresses risks associated with the acquisition of system services; PM-30a.[07] the supply chain risk management strategy addresses risks associated with the maintenance of systems; PM-30a.[08] the supply chain risk management strategy addresses risks associated with the maintenance of system components; PM-30a.[09] the supply chain risk management strategy addresses risks associated with the maintenance of system services; PM-30a.[10] the supply chain risk management strategy addresses risks associated with the disposal of systems; PM-30a.[11] the supply chain risk management strategy addresses risks associated with the disposal of system components; PM-30a.[12] the supply chain risk management strategy addresses risks associated with the disposal of system services; PM-30b. the supply chain risk management strategy is implemented consistently across the organization; PM-30c. the supply chain risk management strategy is reviewed and updated or as required to address organizational changes. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-30-Examine [SELECT FROM: Supply chain risk management strategy; organizational risk management strategy; enterprise risk management documents; other relevant documents or records]. PM-30-Interview [SELECT FROM: Organizational personnel with supply chain risk management responsibilities; organizational personnel with information security responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with enterprise risk management responsibilities]. PM-30(01) SUPPLY CHAIN RISK MANAGEMENT STRATEGY | SUPPLIERS OF CRITICAL OR MISSION-ESSENTIAL ITEMS ASSESSMENT OBJECTIVE: Determine if: PM-30(01)[01] suppliers of critical or mission-essential technologies, products, and services are identified; PM-30(01)[02] suppliers of critical or mission-essential technologies, products, and services are prioritized; PM-30(01)[03] suppliers of critical or mission-essential technologies, products, and services are assessed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-30(01)-Examine [SELECT FROM: Supply chain risk management strategy; organization-wide risk management strategy; enterprise risk management documents; inventory records or suppliers; assessment and prioritization documentation; critical or mission-essential technologies, products, and service documents or records; other relevant documents or records]. PM-30(01)-Interview [SELECT FROM: Organizational personnel with supply chain risk management responsibilities; organizational personnel with information security responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with enterprise risk management responsibilities]. 
PM-30(01)-Test [SELECT FROM: Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services; organizational processes for maintaining an inventory of suppliers; organizational process for associating suppliers with critical or mission-essential technologies, products, and services]. PM-31 CONTINUOUS MONITORING STRATEGY ASSESSMENT OBJECTIVE: Determine if: PM-31_ODP[01] the metrics for organization-wide continuous monitoring are defined; PM-31_ODP[02] the frequency for monitoring is defined; PM-31_ODP[03] the frequency for assessing control effectiveness is defined; PM-31_ODP[04] the personnel or roles for reporting the security status of organizational systems to is/are defined; PM-31_ODP[05] the personnel or roles for reporting the privacy status of organizational systems to is/are defined; PM-31_ODP[06] the frequency at which to report the security status of organizational systems is defined; PM-31_ODP[07] the frequency at which to report the privacy status of organizational systems is defined; PM-31 an organization-wide continuous monitoring strategy is developed; PM-31a. continuous monitoring programs are implemented that include establishing to be monitored; PM-31b.[01] continuous monitoring programs are implemented that establish for monitoring; PM-31b.[02] continuous monitoring programs are implemented that establish for assessment of control effectiveness; PM-31c. 
continuous monitoring programs are implemented that include monitoring on an ongoing basis in accordance with the continuous monitoring strategy; PM-31d.[01] continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring; PM-31d.[02] continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring; PM-31e.[01] continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information; PM-31e.[02] continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information; PM-31f.[01] continuous monitoring programs are implemented that include reporting the security status of organizational systems to ; PM-31f.[02] continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-31-Examine [SELECT FROM: Information security program plan; privacy program plan; supply chain risk management plan; continuous monitoring strategy; risk management strategy; information security continuous monitoring program documentation, reporting, metrics, and artifacts; information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts; assessment and authorization policy; procedures addressing the continuous monitoring of controls; privacy program continuous monitoring documentation, reporting, metrics, and artifacts; continuous monitoring program records, security, and privacy impact analyses; status reports; risk response documentation; other relevant documents or records]. 
PM-31-Interview [SELECT FROM: Senior Accountable Official for Risk Management; chief information officer; senior agency information security officer; senior agency official for privacy; organizational personnel with information security, privacy, and supply chain risk management program responsibilities]. PM-31-Test [SELECT FROM: Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring]. PM-32 PURPOSING ASSESSMENT OBJECTIVE: Determine if: PM-32_ODP the systems or system components supporting mission-essential services or functions are defined; PM-32 supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PM-32-Examine [SELECT FROM: Information security program plan; privacy program plan; list of essential services and functions; organizational analysis of information resources; risk management strategy; other relevant documents or records]. PM-32-Interview [SELECT FROM: Organizational personnel with information security, privacy, and supply chain risk management program responsibilities]. 
4.14 Personnel Security PS-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: PS-01_ODP[01] personnel or roles to whom the personnel security policy is to be disseminated is/are defined; PS-01_ODP[02] personnel or roles to whom the personnel security procedures are to be disseminated is/are defined; PS-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; PS-01_ODP[04] an official to manage the personnel security policy and procedures is defined; PS-01_ODP[05] the frequency at which the current personnel security policy is reviewed and updated is defined; PS-01_ODP[06] events that would require the current personnel security policy to be reviewed and updated are defined; PS-01_ODP[07] the frequency at which the current personnel security procedures are reviewed and updated is defined; PS-01_ODP[08] events that would require the personnel security procedures to be reviewed and updated are defined; PS-01a.[01] a personnel security policy is developed and documented; PS-01a.[02] the personnel security policy is disseminated to ; PS-01a.[03] personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented; PS-01a.[04] the personnel security procedures are disseminated to ; PS-01a.01(a)[01] the personnel security policy addresses purpose; PS-01a.01(a)[02] the personnel security policy addresses scope; PS-01a.01(a)[03] the personnel security policy addresses roles; PS-01a.01(a)[04] the personnel security policy addresses responsibilities; PS-01a.01(a)[05] the personnel security policy addresses management commitment; PS-01a.01(a)[06] the personnel security policy addresses coordination among organizational entities; PS-01a.01(a)[07] the personnel security policy addresses compliance; PS-01a.01(b) the personnel security policy is consistent with applicable laws, Executive 
Orders, directives, regulations, policies, standards, and guidelines; PS-01b. the is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures; PS-01c.01[01] the current personnel security policy is reviewed and updated ; PS-01c.01[02] the current personnel security policy is reviewed and updated following ; PS-01c.02[01] the current personnel security procedures are reviewed and updated ; PS-01c.02[02] the current personnel security procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-01-Examine [SELECT FROM: Personnel security policy; personnel security procedures; system security plan; privacy plan; risk management strategy documentation; audit findings; other relevant documents or records]. PS-01-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. PS-02 POSITION RISK DESIGNATION ASSESSMENT OBJECTIVE: Determine if: PS-02_ODP the frequency at which to review and update position risk designations is defined; PS-02a. a risk designation is assigned to all organizational positions; PS-02b. screening criteria are established for individuals filling organizational positions; PS-02c. position risk designations are reviewed and updated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-02-Examine [SELECT FROM: Personnel security policy; procedures addressing position categorization; appropriate codes of federal regulations; list of risk designations for organizational positions; records of position risk designation reviews and updates; system security plan; other relevant documents or records]. PS-02-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. 
PS-02-Test [SELECT FROM: Organizational processes for assigning, reviewing, and updating position risk designations; organizational processes for establishing screening criteria]. PS-03 PERSONNEL SCREENING ASSESSMENT OBJECTIVE: Determine if: PS-03_ODP[01] conditions requiring rescreening of individuals are defined; PS-03_ODP[02] the frequency of rescreening individuals where it is so indicated is defined; PS-03a. individuals are screened prior to authorizing access to the system; PS-03b.[01] individuals are rescreened in accordance with ; PS-03b.[02] where rescreening is so indicated, individuals are rescreened . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-03-Examine [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; system security plan; other relevant documents or records]. PS-03-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. PS-03-Test [SELECT FROM: Organizational processes for personnel screening]. PS-03(01) PERSONNEL SCREENING | CLASSIFIED INFORMATION ASSESSMENT OBJECTIVE: Determine if: PS-03(01)[01] individuals accessing a system processing, storing, or transmitting classified information are cleared; PS-03(01)[02] individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-03(01)-Examine [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; system security plan; other relevant documents or records]. PS-03(01)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. 
PS-03(01)-Test [SELECT FROM: Organizational processes for clearing and indoctrinating personnel for access to classified information]. PS-03(02) PERSONNEL SCREENING | FORMAL INDOCTRINATION ASSESSMENT OBJECTIVE: Determine if: PS-03(02) individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-03(02)-Examine [SELECT FROM: Personnel security policy; procedures addressing personnel screening; indoctrination documents; records of screened personnel; system security plan; other relevant documents or records]. PS-03(02)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. PS-03(02)-Test [SELECT FROM: Organizational processes for formal indoctrination for all relevant types of information to which personnel have access]. PS-03(03) PERSONNEL SCREENING | INFORMATION REQUIRING SPECIAL PROTECTIVE MEASURES ASSESSMENT OBJECTIVE: Determine if: PS-03(03)_ODP additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined; PS-03(03)(a) individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties; PS-03(03)(b) individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-03(03)-Examine [SELECT FROM: Personnel security policy; access control policy; procedures addressing personnel screening; records of screened personnel; screening criteria; records of access authorizations; system security plan; other relevant documents or records]. PS-03(03)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. PS-03(03)-Test [SELECT FROM: Organizational processes for ensuring valid access authorizations for information requiring special protection; organizational process for additional personnel screening for information requiring special protection]. PS-03(04) PERSONNEL SCREENING | CITIZENSHIP REQUIREMENTS ASSESSMENT OBJECTIVE: Determine if: PS-03(04)_ODP[01] information types that are processed, stored, or transmitted by a system are defined; PS-03(04)_ODP[02] citizenship requirements to be met by individuals to access a system processing, storing, or transmitting information are defined; PS-03(04) individuals accessing a system processing, storing, or transmitting meet . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-03(04)-Examine [SELECT FROM: Personnel security policy; access control policy; procedures addressing personnel screening; records of screened personnel; screening criteria; records of access authorizations; system security plan; other relevant documents or records]. PS-03(04)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. PS-03(04)-Test [SELECT FROM: Organizational processes for ensuring valid access authorizations for information requiring citizenship; organizational process for additional personnel screening for information requiring citizenship].
PS-04 PERSONNEL TERMINATION ASSESSMENT OBJECTIVE: Determine if: PS-04_ODP[01] a time period within which to disable system access is defined; PS-04_ODP[02] information security topics to be discussed when conducting exit interviews are defined; PS-04a. upon termination of individual employment, system access is disabled within ; PS-04b. upon termination of individual employment, any authenticators and credentials are terminated or revoked; PS-04c. upon termination of individual employment, exit interviews that include a discussion of are conducted; PS-04d. upon termination of individual employment, all security-related organizational system-related property is retrieved; PS-04e. upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual is retained. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-04-Examine [SELECT FROM: Personnel security policy; procedures addressing personnel termination; records of personnel termination actions; list of system accounts; records of terminated or revoked authenticators/credentials; records of exit interviews; system security plan; other relevant documents or records]. PS-04-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities]. PS-04-Test [SELECT FROM: Organizational processes for personnel termination; automated mechanisms supporting and/or implementing personnel termination notifications; automated mechanisms for disabling system access/revoking authenticators].
PS-04(01) PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS ASSESSMENT OBJECTIVE: Determine if: PS-04(01)(a) terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information; PS-04(01)(b) terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-04(01)-Examine [SELECT FROM: Personnel security policy; procedures addressing personnel termination; signed post-employment acknowledgement forms; list of applicable, legally binding post-employment requirements; system security plan; other relevant documents or records]. PS-04(01)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. PS-04(01)-Test [SELECT FROM: Organizational processes for post-employment requirements]. PS-04(02) PERSONNEL TERMINATION | AUTOMATED ACTIONS ASSESSMENT OBJECTIVE: Determine if: PS-04(02)_ODP[01] automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined; PS-04(02)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {notify of individual termination actions; disable access to system resources}; PS-04(02)_ODP[03] personnel or roles to be notified upon termination of an individual is/are defined (if selected); PS-04(02) are used to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-04(02)-Examine [SELECT FROM: Personnel security policy; procedures addressing personnel termination; system design documentation; system configuration settings and associated documentation; records of personnel termination actions; automated notifications of employee terminations; system security plan; other relevant documents or records].
PS-04(02)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security responsibilities]. PS-04(02)-Test [SELECT FROM: Organizational processes for personnel termination; automated mechanisms supporting and/or implementing personnel termination notifications]. PS-05 PERSONNEL TRANSFER ASSESSMENT OBJECTIVE: Determine if: PS-05_ODP[01] transfer or reassignment actions to be initiated following transfer or reassignment are defined; PS-05_ODP[02] the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined; PS-05_ODP[03] personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined; PS-05_ODP[04] time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined; PS-05a. the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization; PS-05b. are initiated within ; PS-05c. access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer; PS-05d. are notified within . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-05-Examine [SELECT FROM: Personnel security policy; procedures addressing personnel transfer; records of personnel transfer actions; list of system and facility access authorizations; system security plan; other relevant documents or records]. PS-05-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with account management responsibilities; system/network administrators; organizational personnel with information security responsibilities]. 
PS-05-Test [SELECT FROM: Organizational processes for personnel transfer; automated mechanisms supporting and/or implementing personnel transfer notifications; automated mechanisms for disabling system access/revoking authenticators]. PS-06 ACCESS AGREEMENTS ASSESSMENT OBJECTIVE: Determine if: PS-06_ODP[01] the frequency at which to review and update access agreements is defined; PS-06_ODP[02] the frequency at which to re-sign access agreements to maintain access to organizational information is defined; PS-06a. access agreements are developed and documented for organizational systems; PS-06b. the access agreements are reviewed and updated ; PS-06c.01 individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access; PS-06c.02 individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-06-Examine [SELECT FROM: Personnel security policy; personnel security procedures; procedures addressing access agreements for organizational information and systems; access control policy; access control procedures; access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements); documentation of access agreement reviews, updates, and re-signing; system security plan; privacy plan; other relevant documents or records]. PS-06-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel who have signed/re-signed access agreements; organizational personnel with information security and privacy responsibilities]. PS-06-Test [SELECT FROM: Organizational processes for reviewing, updating, and re-signing access agreements; automated mechanisms supporting the reviewing, updating, and re-signing of access agreements].
PS-06(01) ACCESS AGREEMENTS | INFORMATION REQUIRING SPECIAL PROTECTION [WITHDRAWN: Incorporated into PS-03.] PS-06(02) ACCESS AGREEMENTS | CLASSIFIED INFORMATION REQUIRING SPECIAL PROTECTION ASSESSMENT OBJECTIVE: Determine if: PS-06(02)(a) access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties; PS-06(02)(b) access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria; PS-06(02)(c) access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-06(02)-Examine [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and systems; access agreements; access authorizations; personnel security criteria; signed non-disclosure agreements; system security plan; other relevant documents or records]. PS-06(02)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel who have signed non-disclosure agreements; organizational personnel with information security responsibilities]. PS-06(02)-Test [SELECT FROM: Organizational processes for access to classified information requiring special protection]. PS-06(03) ACCESS AGREEMENTS | POST-EMPLOYMENT REQUIREMENTS ASSESSMENT OBJECTIVE: Determine if: PS-06(03)(a) individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information; PS-06(03)(b) individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-06(03)-Examine [SELECT FROM: Personnel security policy; procedures addressing access agreements for organizational information and systems; signed post-employment acknowledgement forms; access agreements; list of applicable, legally binding post-employment requirements; system security plan; other relevant documents or records]. PS-06(03)-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel who have signed access agreements that include post-employment requirements; organizational personnel with information security responsibilities]. PS-06(03)-Test [SELECT FROM: Organizational processes for post-employment requirements; automated mechanisms supporting notifications and individual acknowledgements of post-employment requirements]. PS-07 EXTERNAL PERSONNEL SECURITY ASSESSMENT OBJECTIVE: Determine if: PS-07_ODP[01] personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined; PS-07_ODP[02] time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined; PS-07(a) personnel security requirements are established, including security roles and responsibilities for external providers; PS-07(b) external providers are required to comply with personnel security policies and procedures established by the organization; PS-07(c) personnel security requirements are documented; PS-07(d) external providers are required to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within ; PS-07(e) provider compliance with personnel security 
requirements is monitored. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-07-Examine [SELECT FROM: Personnel security policy; procedures addressing external personnel security; list of personnel security requirements; acquisition documents; service-level agreements; compliance monitoring process; system security plan; other relevant documents or records]. PS-07-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; external providers; system/network administrators; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities]. PS-07-Test [SELECT FROM: Organizational processes for managing and monitoring external personnel security; automated mechanisms supporting and/or implementing the monitoring of provider compliance]. PS-08 PERSONNEL SANCTIONS ASSESSMENT OBJECTIVE: Determine if: PS-08_ODP[01] personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined; PS-08_ODP[02] the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined; PS-08a. a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures; PS-08b. is/are notified within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-08-Examine [SELECT FROM: Personnel security policy; personnel security procedures; procedures addressing personnel sanctions; access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements); list of personnel or roles to be notified of formal employee sanctions; records or notifications of formal employee sanctions; system security plan; privacy plan; personally identifiable information processing policy; other relevant documents or records]. PS-08-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; legal counsel; organizational personnel with information security and privacy responsibilities]. PS-08-Test [SELECT FROM: Organizational processes for managing formal employee sanctions; automated mechanisms supporting and/or implementing formal employee sanctions notifications]. PS-09 POSITION DESCRIPTIONS ASSESSMENT OBJECTIVE: Determine if: PS-09[01] security roles and responsibilities are incorporated into organizational position descriptions; PS-09[02] privacy roles and responsibilities are incorporated into organizational position descriptions. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PS-09-Examine [SELECT FROM: Personnel security policy; personnel security procedures; procedures addressing position descriptions; security and privacy position descriptions; system security plan; privacy plan; privacy program plan; other relevant documents or records]. PS-09-Interview [SELECT FROM: Organizational personnel with personnel security responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with human capital management responsibilities]. PS-09-Test [SELECT FROM: Organizational processes for managing position descriptions]. 
4.15 Personally Identifiable Information Processing and Transparency PT-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: PT-01_ODP[01] personnel or roles to whom the personally identifiable information processing and transparency policy is to be disseminated is/are defined; PT-01_ODP[02] personnel or roles to whom the personally identifiable information processing and transparency procedures are to be disseminated is/are defined; PT-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; PT-01_ODP[04] an official to manage the personally identifiable information processing and transparency policy and procedures is defined; PT-01_ODP[05] the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined; PT-01_ODP[06] events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined; PT-01_ODP[07] the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined; PT-01_ODP[08] events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined; PT-01a.[01] a personally identifiable information processing and transparency policy is developed and documented; PT-01a.[02] the personally identifiable information processing and transparency policy is disseminated to ; PT-01a.[03] personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented; PT-01a.[04] the personally identifiable information processing and transparency procedures 
are disseminated to ; PT-01a.01(a)[01] the personally identifiable information processing and transparency policy addresses purpose; PT-01a.01(a)[02] the personally identifiable information processing and transparency policy addresses scope; PT-01a.01(a)[03] the personally identifiable information processing and transparency policy addresses roles; PT-01a.01(a)[04] the personally identifiable information processing and transparency policy addresses responsibilities; PT-01a.01(a)[05] the personally identifiable information processing and transparency policy addresses management commitment; PT-01a.01(a)[06] the personally identifiable information processing and transparency policy addresses coordination among organizational entities; PT-01a.01(a)[07] the personally identifiable information processing and transparency policy addresses compliance; PT-01a.01(b) the personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; PT-01b. the is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; PT-01c.01[01] the current personally identifiable information processing and transparency policy is reviewed and updated ; PT-01c.01[02] the current personally identifiable information processing and transparency policy is reviewed and updated following ; PT-01c.02[01] the current personally identifiable information processing and transparency procedures are reviewed and updated ; PT-01c.02[02] the current personally identifiable information processing and transparency procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PT-01-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy plan; privacy program plan; other relevant documents or records]. 
PT-01-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities]. PT-02 AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION ASSESSMENT OBJECTIVE: Determine if: PT-02_ODP[01] the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined; PT-02_ODP[02] the type of processing of personally identifiable information is defined; PT-02_ODP[03] the type of processing of personally identifiable information to be restricted is defined; PT-02a. the that permits the of personally identifiable information is determined and documented; PT-02b. the of personally identifiable information is restricted to only that which is authorized. POTENTIAL ASSESSMENT METHODS AND OBJECTS: PT-02-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy plan; other relevant documents or records]. PT-02-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities]. PT-02-Test [SELECT FROM: Organizational processes for authorizing the processing of personally identifiable information; automated mechanisms supporting and/or implementing the restriction of personally identifiable information processing]. PT-02(01) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION | DATA TAGGING ASSESSMENT OBJECTIVE: Determine if: PT-02(01)_ODP[01] the authorized processing of personally identifiable information is defined; PT-02(01)_ODP[02] elements of personally identifiable information to be tagged are defined; PT-02(01) data tags containing are attached to . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: PT-02(01)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures including procedures addressing data tagging; data tag definitions; documented requirements for use and monitoring of data tagging; data extracts with corresponding data tags; privacy plan; other relevant documents or records]. PT-02(01)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities]. PT-02(01)-Test [SELECT FROM: Organizational processes for authorizing the processing of personally identifiable information; organizational processes for data tagging; automated mechanisms for applying and monitoring data tagging; automated mechanisms supporting and/or implementing the restriction of personally identifiable information processing]. PT-02(02) AUTHORITY TO PROCESS PERSONALLY IDENTIFIABLE INFORMATION | AUTOMATION ASSESSMENT OBJECTIVE: Determine if: PT-02(02)_ODP automated mechanisms used to manage enforcement of the authorized processing of personally identifiable information are defined; PT-02(02) enforcement of the authorized processing of personally identifiable information is managed using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PT-02(02)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy plan; other relevant documents or records]. PT-02(02)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities]. 
PT-02(02)-Test [SELECT FROM: Organizational processes for authorizing the processing of personally identifiable information; automated mechanisms supporting and/or implementing the management of authorized personally identifiable information processing]. PT-03 PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES ASSESSMENT OBJECTIVE: Determine if: PT-03_ODP[01] the purpose(s) for processing personally identifiable information is/are defined; PT-03_ODP[02] the processing of personally identifiable information to be restricted is defined; PT-03_ODP[03] mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined; PT-03_ODP[04] requirements for changing the processing of personally identifiable information are defined; PT-03a. the for processing personally identifiable information is/are identified and documented; PT-03b.[01] the purpose(s) is/are described in the public privacy notices of the organization; PT-03b.[02] the purpose(s) is/are described in the policies of the organization; PT-03c. the of personally identifiable information are restricted to only that which is compatible with the identified purpose(s); PT-03d.[01] changes in the processing of personally identifiable information are monitored; PT-03d.[02] are implemented to ensure that any changes are made in accordance with . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PT-03-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; configuration management plan; organizational privacy notices; organizational policies; Privacy Act statements; computer matching notices; applicable Federal Register notices; documented requirements for enforcing and monitoring the processing of personally identifiable information; privacy plan; other relevant documents or records]. 
PT-03-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities]. PT-03-Test [SELECT FROM: Organizational processes for authorizing the processing of personally identifiable information; automated mechanisms supporting and/or implementing the management of authorized personally identifiable information processing; organizational processes for monitoring changes in processing personally identifiable information]. PT-03(01) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | DATA TAGGING ASSESSMENT OBJECTIVE: Determine if: PT-03(01)_ODP[01] processing purposes to be contained in data tags are defined; PT-03(01)_ODP[02] elements of personally identifiable information to be tagged are defined; PT-03(01) data tags containing are attached to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: PT-03(01)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; documented description of how data tags are used to identify personally identifiable information data elements and their authorized uses; data tag schema; data extracts with corresponding data tags; privacy plan; other relevant documents or records]. PT-03(01)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with data tagging responsibilities; organizational personnel with information security and privacy responsibilities]. PT-03(01)-Test [SELECT FROM: Organizational processes for authorizing the processing of personally identifiable information; automated mechanisms supporting and/or implementing data tagging]. 
PT-03(02) PERSONALLY IDENTIFIABLE INFORMATION PROCESSING PURPOSES | AUTOMATION
ASSESSMENT OBJECTIVE: Determine if:
PT-03(02)_ODP automated mechanisms for tracking the processing purposes of personally identifiable information are defined;
PT-03(02) the processing purposes of personally identifiable information are tracked using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-03(02)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; data extracts with corresponding data tags; privacy plan; other relevant documents or records].
PT-03(02)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-03(02)-Test [SELECT FROM: Organizational processes for managing the enforcement of authorized processing of personally identifiable information; automated tracking mechanisms].

PT-04 CONSENT
ASSESSMENT OBJECTIVE: Determine if:
PT-04_ODP the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiable information are defined;
PT-04 the are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-04-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; consent policies and procedures; consent tools and mechanisms; consent presentation or display (user interface); privacy plan; other relevant documents or records].
PT-04-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-04-Test [SELECT FROM: Organizational processes for the collection of personally identifiable information; consent tools or mechanisms for users to authorize the processing of their personally identifiable information; automated mechanisms implementing consent].

PT-04(01) CONSENT | TAILORED CONSENT
ASSESSMENT OBJECTIVE: Determine if:
PT-04(01)_ODP tailoring mechanisms for processing selected elements of personally identifiable information permissions are defined;
PT-04(01) are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-04(01)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; consent policies and procedures; consent tools and mechanisms; consent presentation or display (user interface); privacy plan; other relevant documents or records].
PT-04(01)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with user interface or user experience responsibilities; organizational personnel with information security and privacy responsibilities].
PT-04(01)-Test [SELECT FROM: Organizational processes for consenting to the processing of personally identifiable information; consent tools or mechanisms; automated mechanisms implementing consent].

PT-04(02) CONSENT | JUST-IN-TIME CONSENT
ASSESSMENT OBJECTIVE: Determine if:
PT-04(02)_ODP[01] consent mechanisms to be presented to individuals are defined;
PT-04(02)_ODP[02] the frequency at which to present consent mechanisms to individuals is defined;
PT-04(02)_ODP[03] personally identifiable information processing to be presented in conjunction with organization-defined consent mechanisms is defined;
PT-04(02) are presented to individuals and in conjunction with .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-04(02)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; consent policies and procedures; privacy plan; other relevant documents or records].
PT-04(02)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with user interface or user experience responsibilities; organizational personnel with information security and privacy responsibilities].
PT-04(02)-Test [SELECT FROM: Organizational processes for the collection of personally identifiable information; mechanisms for obtaining just-in-time consent from users for the processing of their personally identifiable information; automated mechanisms implementing just-in-time consent].

PT-04(03) CONSENT | REVOCATION
ASSESSMENT OBJECTIVE: Determine if:
PT-04(03)_ODP the tools or mechanisms to be implemented for revoking consent to the processing of personally identifiable information are defined;
PT-04(03) the are implemented for individuals to revoke consent to the processing of their personally identifiable information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-04(03)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; consent revocation policies and procedures; consent revocation user interface or user experience; privacy plan; other relevant documents or records].
PT-04(03)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with user interface or user experience responsibilities; organizational personnel with information security and privacy responsibilities].
PT-04(03)-Test [SELECT FROM: Organizational processes for consenting to the processing of personally identifiable information; tools or mechanisms for implementing consent revocation].
PT-05 PRIVACY NOTICE
ASSESSMENT OBJECTIVE: Determine if:
PT-05_ODP[01] the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;
PT-05_ODP[02] information to be included with the notice about the processing of personally identifiable information is defined;
PT-05a.[01] a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;
PT-05a.[02] a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals ;
PT-05b. a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;
PT-05c. a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;
PT-05d. a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;
PT-05e. a notice to individuals about the processing of personally identifiable information which includes is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-05-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act statements; privacy plan; other relevant documents or records].
PT-05-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with user interface or user experience responsibilities; organizational personnel with information security and privacy responsibilities].
PT-05-Test [SELECT FROM: Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information].

PT-05(01) PRIVACY NOTICE | JUST-IN-TIME NOTICE
ASSESSMENT OBJECTIVE: Determine if:
PT-05(01)_ODP the frequency at which to present a notice of personally identifiable information processing is defined;
PT-05(01) a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-05(01)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; privacy plan; other relevant documents or records].
PT-05(01)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with user interface or user experience responsibilities; organizational personnel with information security and privacy responsibilities].
PT-05(01)-Test [SELECT FROM: Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information].

PT-05(02) PRIVACY NOTICE | PRIVACY ACT STATEMENTS
ASSESSMENT OBJECTIVE: Determine if:
PT-05(02) Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-05(02)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; forms that include Privacy Act statements; privacy plan; other relevant documents or records].
PT-05(02)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-05(02)-Test [SELECT FROM: Organizational processes for including Privacy Act statements on forms that collect information or on separate forms that can be retained by individuals].

PT-06 SYSTEM OF RECORDS NOTICE
ASSESSMENT OBJECTIVE: Determine if:
PT-06a.[01] system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;
PT-06a.[02] new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;
PT-06b. system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;
PT-06c. system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-06-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; Federal Register notices; privacy plan; other relevant documents or records].
PT-06-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-06-Test [SELECT FROM: Organizational processes for Privacy Act system of records maintenance].

PT-06(01) SYSTEM OF RECORDS NOTICE | ROUTINE USES
ASSESSMENT OBJECTIVE: Determine if:
PT-06(01)_ODP the frequency at which to review all routine uses published in the system of records notice is defined;
PT-06(01) all routine uses published in the system of records notice are reviewed to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-06(01)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; privacy plan; other relevant documents or records].
PT-06(01)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-06(01)-Test [SELECT FROM: Organizational processes for reviewing system of records notices].
PT-06(02) SYSTEM OF RECORDS NOTICE | EXEMPTION RULES
ASSESSMENT OBJECTIVE: Determine if:
PT-06(02)_ODP the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;
PT-06(02)[01] all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they remain appropriate and necessary in accordance with law;
PT-06(02)[02] all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they have been promulgated as regulations;
PT-06(02)[03] all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they are accurately described in the system of records notice.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-06(02)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; Privacy Act exemptions; privacy plan; other relevant documents or records].
PT-06(02)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-06(02)-Test [SELECT FROM: Organizational processes for Privacy Act system of records maintenance].

PT-07 SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
PT-07_ODP processing conditions to be applied for specific categories of personally identifiable information are defined;
PT-07 are applied for specific categories of personally identifiable information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-07-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; computer matching agreements and notices; contracts; privacy information sharing agreements; memoranda of understanding; governing requirements; privacy plan; other relevant documents or records].
PT-07-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-07-Test [SELECT FROM: Organizational processes for supporting and/or implementing personally identifiable information processing].

PT-07(01) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION | SOCIAL SECURITY NUMBERS
ASSESSMENT OBJECTIVE: Determine if:
PT-07(01)(a)[01] when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;
PT-07(01)(a)[02] when a system processes Social Security numbers, alternatives to the use of Social Security numbers as a personal identifier are explored;
PT-07(01)(b) when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;
PT-07(01)(c)[01] when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;
PT-07(01)(c)[02] when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;
PT-07(01)(c)[03] when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-07(01)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; privacy plan; other relevant documents or records].
PT-07(01)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-07(01)-Test [SELECT FROM: Organizational processes for identifying, reviewing, and taking action to control the unnecessary use of Social Security numbers; implementation of an alternative to Social Security numbers as identifiers].

PT-07(02) SPECIFIC CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION | FIRST AMENDMENT INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
PT-07(02) the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-07(02)-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; privacy plan; other relevant documents or records].
PT-07(02)-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-07(02)-Test [SELECT FROM: Organizational processes for supporting and/or implementing personally identifiable information processing].

PT-08 COMPUTER MATCHING REQUIREMENTS
ASSESSMENT OBJECTIVE: Determine if:
PT-08a. approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;
PT-08b.[01] a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;
PT-08b.[02] a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;
PT-08c. a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;
PT-08d. the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;
PT-08e.[01] individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;
PT-08e.[02] individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
PT-08-Examine [SELECT FROM: Personally identifiable information processing and transparency policy and procedures; privacy notice; Privacy Act system of records; Federal Register notices; Data Integrity Board determinations; contracts; information sharing agreements; memoranda of understanding; governing requirements; privacy plan; other relevant documents or records].
PT-08-Interview [SELECT FROM: Organizational personnel with personally identifiable information processing and transparency responsibilities; organizational personnel with information security and privacy responsibilities].
PT-08-Test [SELECT FROM: Organizational processes for supporting and/or implementing personally identifiable information processing; matching program].

4.16 Risk Assessment

RA-01 POLICY AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
RA-01_ODP[01] personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;
RA-01_ODP[02] personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;
RA-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
RA-01_ODP[04] an official to manage the risk assessment policy and procedures is defined;
RA-01_ODP[05] the frequency at which the current risk assessment policy is reviewed and updated is defined;
RA-01_ODP[06] events that would require the current risk assessment policy to be reviewed and updated are defined;
RA-01_ODP[07] the frequency at which the current risk assessment procedures are reviewed and updated is defined;
RA-01_ODP[08] events that would require risk assessment procedures to be reviewed and updated are defined;
RA-01a.[01] a risk assessment policy is developed and documented;
RA-01a.[02] the risk assessment policy is disseminated to ;
RA-01a.[03] risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
RA-01a.[04] the risk assessment procedures are disseminated to ;
RA-01a.01(a)[01] the risk assessment policy addresses purpose;
RA-01a.01(a)[02] the risk assessment policy addresses scope;
RA-01a.01(a)[03] the risk assessment policy addresses roles;
RA-01a.01(a)[04] the risk assessment policy addresses responsibilities;
RA-01a.01(a)[05] the risk assessment policy addresses management commitment;
RA-01a.01(a)[06] the risk assessment policy addresses coordination among organizational entities;
RA-01a.01(a)[07] the risk assessment policy addresses compliance;
RA-01a.01(b) the risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
RA-01b. the is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;
RA-01c.01[01] the current risk assessment policy is reviewed and updated ;
RA-01c.01[02] the current risk assessment policy is reviewed and updated following ;
RA-01c.02[01] the current risk assessment procedures are reviewed and updated ;
RA-01c.02[02] the current risk assessment procedures are reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-01-Examine [SELECT FROM: Risk assessment policy and procedures; system security plan; privacy plan; other relevant documents or records].
RA-01-Interview [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security and privacy responsibilities].

RA-02 SECURITY CATEGORIZATION
ASSESSMENT OBJECTIVE: Determine if:
RA-02a. the system and the information it processes, stores, and transmits are categorized;
RA-02b. the security categorization results, including supporting rationale, are documented in the security plan for the system;
RA-02c. the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-02-Examine [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing security categorization of organizational information and systems; security categorization documentation; system security plan; privacy plan; other relevant documents or records].
RA-02-Interview [SELECT FROM: Organizational personnel with security categorization and risk assessment responsibilities; organizational personnel with security and privacy responsibilities].
RA-02-Test [SELECT FROM: Organizational processes for security categorization].

RA-02(01) SECURITY CATEGORIZATION | IMPACT-LEVEL PRIORITIZATION
ASSESSMENT OBJECTIVE: Determine if:
RA-02(01) an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-02(01)-Examine [SELECT FROM: Risk assessment policy; security and privacy planning policy and procedures; procedures addressing security categorization of organizational information and systems; security categorization documentation; system security plan; privacy plan; other relevant documents or records].
RA-02(01)-Interview [SELECT FROM: Organizational personnel with security categorization and risk assessment responsibilities; organizational personnel with security and privacy responsibilities].
RA-02(01)-Test [SELECT FROM: Organizational processes for security categorization].

RA-03 RISK ASSESSMENT
ASSESSMENT OBJECTIVE: Determine if:
RA-03_ODP[01] one of the following PARAMETER VALUES is selected: {security and privacy plans; risk assessment report; };
RA-03_ODP[02] a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);
RA-03_ODP[03] the frequency to review risk assessment results is defined;
RA-03_ODP[04] personnel or roles to whom risk assessment results are to be disseminated is/are defined;
RA-03_ODP[05] the frequency to update the risk assessment is defined;
RA-03a.01 a risk assessment is conducted to identify threats to and vulnerabilities in the system;
RA-03a.02 a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
RA-03a.03 a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
RA-03b. risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
RA-03c. risk assessment results are documented in ;
RA-03d. risk assessment results are reviewed ;
RA-03e. risk assessment results are disseminated to ;
RA-03f. the risk assessment is updated or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-03-Examine [SELECT FROM: Risk assessment policy; risk assessment procedures; security and privacy planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; system security plan; privacy plan; other relevant documents or records].
RA-03-Interview [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security and privacy responsibilities].
RA-03-Test [SELECT FROM: Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment].
RA-03(01) RISK ASSESSMENT | SUPPLY CHAIN RISK ASSESSMENT
ASSESSMENT OBJECTIVE: Determine if:
RA-03(01)_ODP[01] systems to assess supply chain risks are defined;
RA-03(01)_ODP[02] system components to assess supply chain risks are defined;
RA-03(01)_ODP[03] system services to assess supply chain risks are defined;
RA-03(01)_ODP[04] the frequency to update the supply chain risk assessment is defined;
RA-03(01)(a)[01] supply chain risks associated with are assessed;
RA-03(01)(a)[02] supply chain risks associated with are assessed;
RA-03(01)(a)[03] supply chain risks associated with are assessed;
RA-03(01)(b) the supply chain risk assessment is updated , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-03(01)-Examine [SELECT FROM: Supply chain risk management policy; inventory of critical systems, system components, and system services; risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of supply chain risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; acquisition policy; system security plan; supply chain risk management plan; other relevant documents or records].
RA-03(01)-Interview [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security responsibilities; organizational personnel with supply chain risk management responsibilities].
RA-03(01)-Test [SELECT FROM: Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment].

RA-03(02) RISK ASSESSMENT | USE OF ALL-SOURCE INTELLIGENCE
ASSESSMENT OBJECTIVE: Determine if:
RA-03(02) all-source intelligence is used to assist in the analysis of risk.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-03(02)-Examine [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; risk intelligence reports; system security plan; other relevant documents or records].
RA-03(02)-Interview [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security responsibilities].
RA-03(02)-Test [SELECT FROM: Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment].

RA-03(03) RISK ASSESSMENT | DYNAMIC THREAT AWARENESS
ASSESSMENT OBJECTIVE: Determine if:
RA-03(03)_ODP means to determine the current cyber threat environment on an ongoing basis are defined;
RA-03(03) the current cyber threat environment is determined on an ongoing basis using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-03(03)-Examine [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; risk reports; system security plan; other relevant documents or records].
RA-03(03)-Interview [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security responsibilities].
RA-03(03)-Test [SELECT FROM: Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment].
RA-03(04) RISK ASSESSMENT | PREDICTIVE CYBER ANALYTICS
ASSESSMENT OBJECTIVE: Determine if:
RA-03(04)_ODP[01] advanced automation capabilities to predict and identify risks are defined;
RA-03(04)_ODP[02] systems or system components where advanced automation and analytics capabilities are to be employed are defined;
RA-03(04)_ODP[03] advanced analytics capabilities to predict and identify risks are defined;
RA-03(04)[01] are employed to predict and identify risks to ;
RA-03(04)[02] are employed to predict and identify risks to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-03(04)-Examine [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational assessments of risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; risk reports; system security plan; other relevant documents or records].
RA-03(04)-Interview [SELECT FROM: Organizational personnel with risk assessment responsibilities; organizational personnel with security responsibilities].
RA-03(04)-Test [SELECT FROM: Organizational processes for risk assessment; automated mechanisms supporting and/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment].

RA-04 RISK ASSESSMENT UPDATE
[WITHDRAWN: Incorporated into RA-03.]
RA-05 VULNERABILITY MONITORING AND SCANNING
ASSESSMENT OBJECTIVE: Determine if:
RA-05_ODP[01] frequency for monitoring systems and hosted applications for vulnerabilities is defined;
RA-05_ODP[02] frequency for scanning systems and hosted applications for vulnerabilities is defined;
RA-05_ODP[03] response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;
RA-05_ODP[04] personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared is/are defined;
RA-05a.[01] systems and hosted applications are monitored for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;
RA-05a.[02] systems and hosted applications are scanned for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;
RA-05b. vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;
RA-05b.01 vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;
RA-05b.02 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;
RA-05b.03 vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;
RA-05c. vulnerability scan reports and results from vulnerability monitoring are analyzed;
RA-05d. legitimate vulnerabilities are remediated in accordance with an organizational assessment of risk;
RA-05e. information obtained from the vulnerability monitoring process and control assessments is shared with to help eliminate similar vulnerabilities in other systems;
RA-05f. vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05-Examine [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; system security plan; other relevant documents or records].
RA-05-Interview [SELECT FROM: Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with vulnerability remediation responsibilities; organizational personnel with security responsibilities; system/network administrators].
RA-05-Test [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; automated mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing].
RA-05(01) VULNERABILITY MONITORING AND SCANNING | UPDATE TOOL CAPABILITY [WITHDRAWN: Incorporated into RA-05.]
RA-05(02) VULNERABILITY MONITORING AND SCANNING | UPDATE VULNERABILITIES TO BE SCANNED
ASSESSMENT OBJECTIVE: Determine if:
RA-05(02)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {; prior to a new scan; when new vulnerabilities are identified and reported};
RA-05(02)_ODP[02] the frequency for updating the system vulnerabilities scanned is defined (if selected);
RA-05(02) the system vulnerabilities to be scanned are updated .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(02)-Examine [SELECT FROM: Procedures addressing vulnerability scanning; assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; system security plan; other relevant documents or records].
RA-05(02)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with security responsibilities; system/network administrators].
RA-05(02)-Test [SELECT FROM: Organizational processes for vulnerability scanning; automated mechanisms/tools supporting and/or implementing vulnerability scanning].
RA-05(03) VULNERABILITY MONITORING AND SCANNING | BREADTH AND DEPTH OF COVERAGE
ASSESSMENT OBJECTIVE: Determine if:
RA-05(03) the breadth and depth of vulnerability scanning coverage are defined.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(03)-Examine [SELECT FROM: Procedures addressing vulnerability scanning; assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; system security plan; other relevant documents or records].
RA-05(03)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with security responsibilities].
RA-05(03)-Test [SELECT FROM: Organizational processes for vulnerability scanning; automated mechanisms/tools supporting and/or implementing vulnerability scanning].
RA-05(04) VULNERABILITY MONITORING AND SCANNING | DISCOVERABLE INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
RA-05(04)_ODP corrective actions to be taken if information about the system is discoverable are defined;
RA-05(04)[01] information about the system is discoverable;
RA-05(04)[02] are taken when information about the system is confirmed as discoverable.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(04)-Examine [SELECT FROM: Procedures addressing vulnerability scanning; assessment report; penetration test results; vulnerability scanning results; risk assessment report; records of corrective actions taken; incident response records; audit records; system security plan; other relevant documents or records].
RA-05(04)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning and/or penetration testing responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel responsible for risk response; organizational personnel responsible for incident management and response; organizational personnel with security responsibilities].
RA-05(04)-Test [SELECT FROM: Organizational processes for vulnerability scanning; organizational processes for risk response; organizational processes for incident management and response; automated mechanisms/tools supporting and/or implementing vulnerability scanning; automated mechanisms supporting and/or implementing risk response; automated mechanisms supporting and/or implementing incident management and response].
RA-05(05) VULNERABILITY MONITORING AND SCANNING | PRIVILEGED ACCESS
ASSESSMENT OBJECTIVE: Determine if:
RA-05(05)_ODP[01] system components to which privileged access is authorized for selected vulnerability scanning activities are defined;
RA-05(05)_ODP[02] vulnerability scanning activities selected for privileged access authorization to system components are defined;
RA-05(05) privileged access authorization is implemented to for .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(05)-Examine [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; system design documentation; system configuration settings and associated documentation; list of system components for vulnerability scanning; personnel access authorization list; authorization credentials; access authorization records; system security plan; other relevant documents or records].
RA-05(05)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities; system/network administrators; organizational personnel responsible for access control to the system; organizational personnel responsible for configuration management of the system; system developers; organizational personnel with security responsibilities].
RA-05(05)-Test [SELECT FROM: Organizational processes for vulnerability scanning; organizational processes for access control; automated mechanisms supporting and/or implementing access control; automated mechanisms/tools supporting and/or implementing vulnerability scanning].
RA-05(06) VULNERABILITY MONITORING AND SCANNING | AUTOMATED TREND ANALYSES
ASSESSMENT OBJECTIVE: Determine if:
RA-05(06)_ODP automated mechanisms to compare the results of multiple vulnerability scans are defined;
RA-05(06) the results of multiple vulnerability scans are compared using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(06)-Examine [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; system design documentation; vulnerability scanning tools and techniques documentation; vulnerability scanning results; system security plan; other relevant documents or records].
RA-05(06)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with security responsibilities].
RA-05(06)-Test [SELECT FROM: Organizational processes for vulnerability scanning; automated mechanisms/tools supporting and/or implementing vulnerability scanning; automated mechanisms supporting and/or implementing trend analysis of vulnerability scan results].
RA-05(07) VULNERABILITY MONITORING AND SCANNING | AUTOMATED DETECTION AND NOTIFICATION OF UNAUTHORIZED COMPONENTS [WITHDRAWN: Incorporated into CM-08.]
RA-05(08) VULNERABILITY MONITORING AND SCANNING | REVIEW HISTORIC AUDIT LOGS
ASSESSMENT OBJECTIVE: Determine if:
RA-05(08)_ODP[01] a system whose historic audit logs are to be reviewed is defined;
RA-05(08)_ODP[02] a time period for a potential previous exploit of a system is defined;
RA-05(08) historic audit logs are reviewed to determine if a vulnerability identified in a has been previously exploited within .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(08)-Examine [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; audit logs; records of audit log reviews; vulnerability scanning results; patch and vulnerability management records; system security plan; other relevant documents or records].
RA-05(08)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with audit record review responsibilities; system/network administrators; organizational personnel with security responsibilities].
RA-05(08)-Test [SELECT FROM: Organizational processes for vulnerability scanning; organizational process for audit record review and response; automated mechanisms/tools supporting and/or implementing vulnerability scanning; automated mechanisms supporting and/or implementing audit record review].
RA-05(09) VULNERABILITY MONITORING AND SCANNING | PENETRATION TESTING AND ANALYSES [WITHDRAWN: Incorporated into CA-08.]
RA-05(10) VULNERABILITY MONITORING AND SCANNING | CORRELATE SCANNING INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
RA-05(10) the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(10)-Examine [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; vulnerability scanning tools and techniques documentation; vulnerability scanning results; vulnerability management records; audit records; event/vulnerability correlation logs; system security plan; other relevant documents or records].
RA-05(10)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with security responsibilities].
RA-05(10)-Test [SELECT FROM: Organizational processes for vulnerability scanning; automated mechanisms/tools supporting and/or implementing vulnerability scanning; automated mechanisms implementing correlation of vulnerability scan results].
RA-05(11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM
ASSESSMENT OBJECTIVE: Determine if:
RA-05(11) a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-05(11)-Examine [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; vulnerability scanning tools and techniques documentation; vulnerability scanning results; vulnerability management records; audit records; public reporting channel; system security plan; other relevant documents or records].
RA-05(11)-Interview [SELECT FROM: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with security responsibilities].
RA-05(11)-Test [SELECT FROM: Organizational processes for vulnerability scanning; automated mechanisms/tools supporting and/or implementing vulnerability scanning; automated mechanisms implementing public reporting of vulnerabilities].
RA-06 TECHNICAL SURVEILLANCE COUNTERMEASURES SURVEY
ASSESSMENT OBJECTIVE: Determine if:
RA-06_ODP[01] locations to employ technical surveillance countermeasure surveys are defined;
RA-06_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {; when};
RA-06_ODP[03] the frequency at which to employ technical surveillance countermeasure surveys is defined (if selected);
RA-06_ODP[04] events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined (if selected);
RA-06 a technical surveillance countermeasures survey is employed at .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-06-Examine [SELECT FROM: Risk assessment policy; procedures addressing technical surveillance countermeasures surveys; audit records/event logs; system security plan; other relevant documents or records].
RA-06-Interview [SELECT FROM: Organizational personnel with technical surveillance countermeasures surveys responsibilities; system/network administrators; organizational personnel with security responsibilities].
RA-06-Test [SELECT FROM: Organizational processes for technical surveillance countermeasures surveys; automated mechanisms/tools supporting and/or implementing technical surveillance countermeasures surveys].
RA-07 RISK RESPONSE
ASSESSMENT OBJECTIVE: Determine if:
RA-07[01] findings from security assessments are responded to in accordance with organizational risk tolerance;
RA-07[02] findings from privacy assessments are responded to in accordance with organizational risk tolerance;
RA-07[03] findings from monitoring are responded to in accordance with organizational risk tolerance;
RA-07[04] findings from audits are responded to in accordance with organizational risk tolerance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-07-Examine [SELECT FROM: Risk assessment policy; assessment reports; audit records/event logs; system security plan; privacy plan; other relevant documents or records].
RA-07-Interview [SELECT FROM: Organizational personnel with assessment and auditing responsibilities; system/network administrators; organizational personnel with security and privacy responsibilities].
RA-07-Test [SELECT FROM: Organizational processes for assessments and audits; automated mechanisms/tools supporting and/or implementing assessments and auditing].
RA-08 PRIVACY IMPACT ASSESSMENTS
ASSESSMENT OBJECTIVE: Determine if:
RA-08a. privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;
RA-08b.[01] privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;
RA-08b.[02] privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-08-Examine [SELECT FROM: Risk assessment policy; security and privacy risk assessment reports; acquisitions documents; system security plan; privacy plan; other relevant documents or records].
RA-08-Interview [SELECT FROM: Organizational personnel with assessment and auditing responsibilities; system/network administrators; system developers; program managers; legal counsel; organizational personnel with security and privacy responsibilities].
RA-08-Test [SELECT FROM: Organizational processes for assessments and audits; automated mechanisms/tools supporting and/or implementing assessments and auditing].
RA-09 CRITICALITY ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
RA-09_ODP[01] systems, system components, or system services to be analyzed for criticality are defined;
RA-09_ODP[02] decision points in the system development life cycle when a criticality analysis is to be performed are defined;
RA-09 critical system components and functions are identified by performing a criticality analysis for at .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-09-Examine [SELECT FROM: Risk assessment policy; assessment reports; criticality analysis/finalized criticality for each component/subcomponent; audit records/event logs; analysis reports; system security plan; other relevant documents or records].
RA-09-Interview [SELECT FROM: Organizational personnel with assessment and auditing responsibilities; organizational personnel with criticality analysis responsibilities; system/network administrators; organizational personnel with security responsibilities].
RA-09-Test [SELECT FROM: Organizational processes for assessments and audits; automated mechanisms/tools supporting and/or implementing assessments and auditing].
RA-10 THREAT HUNTING
ASSESSMENT OBJECTIVE: Determine if:
RA-10_ODP the frequency at which to employ the threat hunting capability is defined;
RA-10a.01 a cyber threat hunting capability is established and maintained to search for indicators of compromise in organizational systems;
RA-10a.02 a cyber threat hunting capability is established and maintained to detect, track, and disrupt threats that evade existing controls;
RA-10b. the threat hunting capability is employed .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
RA-10-Examine [SELECT FROM: Risk assessment policy; assessment reports; audit records/event logs; threat hunting capability; system security plan; other relevant documents or records].
RA-10-Interview [SELECT FROM: Organizational personnel with threat hunting responsibilities; system/network administrators; organizational personnel with security responsibilities].
RA-10-Test [SELECT FROM: Organizational processes for assessments and audits; automated mechanisms/tools supporting and/or implementing threat hunting capabilities].
4.17 System and Services Acquisition
SA-01 POLICY AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
SA-01_ODP[01] personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;
SA-01_ODP[02] personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;
SA-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
SA-01_ODP[04] an official to manage the system and services acquisition policy and procedures is defined;
SA-01_ODP[05] the frequency at which the current system and services acquisition policy is reviewed and updated is defined;
SA-01_ODP[06] events that would require the current system and services acquisition policy to be reviewed and updated are defined;
SA-01_ODP[07] the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;
SA-01_ODP[08] events that would require the system and services acquisition procedures to be reviewed and updated are defined;
SA-01a.[01] a system and services acquisition policy is developed and documented;
SA-01a.[02] the system and services acquisition policy is disseminated to ;
SA-01a.[03] system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
SA-01a.[04] the system and services acquisition procedures are disseminated to ;
SA-01a.01(a)[01] the system and services acquisition policy addresses purpose;
SA-01a.01(a)[02] the system and services acquisition policy addresses scope;
SA-01a.01(a)[03] the system and services acquisition policy addresses roles;
SA-01a.01(a)[04] the system and services acquisition policy addresses responsibilities;
SA-01a.01(a)[05] the system and services acquisition policy addresses management commitment;
SA-01a.01(a)[06] the system and services acquisition policy addresses coordination among organizational entities;
SA-01a.01(a)[07] the system and services acquisition policy addresses compliance;
SA-01a.01(b) the system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
SA-01b. the is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;
SA-01c.01[01] the system and services acquisition policy is reviewed and updated ;
SA-01c.01[02] the current system and services acquisition policy is reviewed and updated following ;
SA-01c.02[01] the current system and services acquisition procedures are reviewed and updated ;
SA-01c.02[02] the current system and services acquisition procedures are reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-01-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; supply chain risk management policy; supply chain risk management procedures; supply chain risk management plan; system security plan; privacy plan; other relevant documents or records].
SA-01-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities].
SA-02 ALLOCATION OF RESOURCES ASSESSMENT OBJECTIVE: Determine if: SA-02a.[01] the high-level information security requirements for the system or system service are determined in mission and business process planning; SA-02a.[02] the high-level privacy requirements for the system or system service are determined in mission and business process planning; SA-02b.[01] the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process; SA-02b.[02] the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process; SA-02c.[01] a discrete line item for information security is established in organizational programming and budgeting documentation; SA-02c.[02] a discrete line item for privacy is established in organizational programming and budgeting documentation. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-02-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; system and services acquisition strategy and plans; procedures addressing the allocation of resources to information security and privacy requirements; procedures addressing capital planning and investment control; organizational programming and budgeting documentation; system security plan; privacy plan; supply chain risk management policy; other relevant documents or records]. SA-02-Interview [SELECT FROM: Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities]. 
SA-02-Test [SELECT FROM: Organizational processes for determining information security and privacy requirements; organizational processes for capital planning, programming, and budgeting; automated mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting]. SA-03 SYSTEM DEVELOPMENT LIFE CYCLE ASSESSMENT OBJECTIVE: Determine if: SA-03_ODP system development life cycle is defined; SA-03a.[01] the system is acquired, developed, and managed using that incorporates information security considerations; SA-03a.[02] the system is acquired, developed, and managed using that incorporates privacy considerations; SA-03b.[01] information security roles and responsibilities are defined and documented throughout the system development life cycle; SA-03b.[02] privacy roles and responsibilities are defined and documented throughout the system development life cycle; SA-03c.[01] individuals with information security roles and responsibilities are identified; SA-03c.[02] individuals with privacy roles and responsibilities are identified; SA-03d.[01] organizational information security risk management processes are integrated into system development life cycle activities; SA-03d.[02] organizational privacy risk management processes are integrated into system development life cycle activities. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-03-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process; system development life cycle documentation; organizational risk management strategy; information security and privacy risk management strategy documentation; system security plan; privacy plan; privacy program plan; enterprise architecture documentation; role-based security and privacy training program documentation; data mapping documentation; other relevant documents or records]. SA-03-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with system life cycle development responsibilities; organizational personnel with supply chain risk management responsibilities]. SA-03-Test [SELECT FROM: Organizational processes for defining and documenting the system development life cycle; organizational processes for identifying system development life cycle roles and responsibilities; organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle; automated mechanisms supporting and/or implementing the system development life cycle]. SA-03(01) SYSTEM DEVELOPMENT LIFE CYCLE | MANAGE PREPRODUCTION ENVIRONMENT ASSESSMENT OBJECTIVE: Determine if: SA-03(01) system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-03(01)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the integration of security and supply chain risk management into the system development life cycle process; system development life cycle documentation; procedures addressing program protection planning; criticality analysis results; security and supply chain risk management strategy/program documentation; system security plan; supply chain risk management plan; other relevant documents or records]. SA-03(01)-Interview [SELECT FROM: Organizational personnel with security and system life cycle development responsibilities; organizational personnel with information security responsibilities]. SA-03(01)-Test [SELECT FROM: Organizational processes for defining and documenting the system development life cycle; organizational processes for identifying system development life cycle roles and responsibilities; organizational process for integrating security risk management into the system development life cycle; automated mechanisms supporting and/or implementing the system development life cycle]. SA-03(02) SYSTEM DEVELOPMENT LIFE CYCLE | USE OF LIVE OR OPERATIONAL DATA ASSESSMENT OBJECTIVE: Determine if: SA-03(02)a.[01] the use of live data in pre-production environments is approved for the system, system component, or system service; SA-03(02)a.[02] the use of live data in pre-production environments is documented for the system, system component, or system service; SA-03(02)a.[03] the use of live data in pre-production environments is controlled for the system, system component, or system service; SA-03(02)b. pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-03(02)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security and privacy into the system development life cycle process; system development life cycle documentation; security risk assessment documentation; privacy impact assessment; privacy risk assessment documentation; system security plan; privacy plan; data mapping documentation; personally identifiable information processing policy; procedures addressing the authority to test with personally identifiable information; procedures addressing the minimization of personally identifiable information used in testing, training, and research; other relevant documents or records]. SA-03(02)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibility; organizational personnel with system life cycle development responsibilities]. SA-03(02)-Test [SELECT FROM: Organizational processes the use of live data in pre-production environments; mechanisms for protecting live data in pre-production environments]. SA-03(03) SYSTEM DEVELOPMENT LIFE CYCLE | TECHNOLOGY REFRESH ASSESSMENT OBJECTIVE: Determine if: SA-03(03)[01] a technology refresh schedule is planned for the system throughout the system development life cycle; SA-03(03)[02] a technology refresh schedule is implemented for the system throughout the system development life cycle. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-03(03)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing technology refresh planning and implementation; system development life cycle documentation; technology refresh schedule; security risk assessment documentation; privacy impact assessment; privacy risk assessment documentation; system security plan; privacy plan; other relevant documents or records]. 
SA-03(03)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with system life cycle development responsibilities].
SA-03(03)-Test [SELECT FROM: Organizational processes for defining and documenting the system development life cycle; organizational processes for identifying system development life cycle roles and responsibilities; organizational processes for integrating security and privacy risk management into the system development life cycle; automated mechanisms supporting and/or implementing the system development life cycle].

SA-04 ACQUISITION PROCESS
ASSESSMENT OBJECTIVE: Determine if:
SA-04_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {standardized contract language; };
SA-04_ODP[02] contract language is defined (if selected);
SA-04a.[01] security functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04a.[02] privacy functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04b. strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04c.[01] security assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04c.[02] privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04d.[01] controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04d.[02] controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04e.[01] security documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04e.[02] privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04f.[01] requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04f.[02] requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04g. the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04h.[01] the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;
SA-04h.[02] the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using ;
SA-04h.[03] the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using ;
SA-04i. acceptance criteria requirements and descriptions are included explicitly or by reference using in the acquisition contract for the system, system component, or system service.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process; configuration management plan; acquisition contracts for the system, system component, or system service; system design documentation; system security plan; supply chain risk management plan; privacy plan; other relevant documents or records].
SA-04-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; organizational personnel with supply chain risk management responsibilities].
SA-04-Test [SELECT FROM: Organizational processes for determining system security and privacy functional, strength, and assurance requirements; organizational processes for developing acquisition contracts; automated mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts].

SA-04(01) ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF CONTROLS
ASSESSMENT OBJECTIVE: Determine if:
SA-04(01) the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(01)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system services; system security plan; privacy plan; other relevant documents or records].
SA-04(01)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; system developers].
SA-04(01)-Test [SELECT FROM: Organizational processes for determining system security functional requirements; organizational processes for developing acquisition contracts; automated mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts].
SA-04(02) ACQUISITION PROCESS | DESIGN AND IMPLEMENTATION INFORMATION FOR CONTROLS
ASSESSMENT OBJECTIVE: Determine if:
SA-04(02)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; };
SA-04(02)_ODP[02] design and implementation information is defined (if selected);
SA-04(02)_ODP[03] level of detail is defined;
SA-04(02) the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using at .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(02)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system components, or system services; design and implementation information for controls employed in the system, system component, or system service; system security plan; other relevant documents or records].
SA-04(02)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility to determine system security requirements; system developers or service provider; organizational personnel with information security responsibilities].
SA-04(02)-Test [SELECT FROM: Organizational processes for determining the level of detail for system design and controls; organizational processes for developing acquisition contracts; automated mechanisms supporting and/or implementing development of system design details].
SA-04(03) ACQUISITION PROCESS | DEVELOPMENT METHODS, TECHNIQUES, AND PRACTICES
ASSESSMENT OBJECTIVE: Determine if:
SA-04(03)_ODP[01] systems engineering methods are defined;
SA-04(03)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {; };
SA-04(03)_ODP[03] system security engineering methods (if selected);
SA-04(03)_ODP[04] privacy engineering methods (if selected);
SA-04(03)_ODP[05] one or more of the following PARAMETER VALUES is/are selected: {; ; };
SA-04(03)_ODP[06] software development methods are defined (if selected);
SA-04(03)_ODP[07] testing, evaluation, assessment, verification, and validation methods are defined (if selected);
SA-04(03)_ODP[08] quality control processes are defined (if selected);
SA-04(03)(a) the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes ;
SA-04(03)(b) the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes ;
SA-04(03)(c) the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(03)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system service; list of systems security and privacy engineering methods to be included in the developer’s system development life cycle process; list of software development methods to be included in the developer’s system development life cycle process; list of testing, evaluation, or validation techniques to be included in the developer’s system development life cycle process; list of quality control processes to be included in the developer’s system development life cycle process; system security plan; privacy plan; other relevant documents or records].
SA-04(03)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with system life cycle responsibilities; system developers or service provider].
SA-04(03)-Test [SELECT FROM: Organizational processes for development methods, techniques, and processes].

SA-04(04) ACQUISITION PROCESS | ASSIGNMENT OF COMPONENTS TO SYSTEMS
[WITHDRAWN: Incorporated into CM-08(09).]

SA-04(05) ACQUISITION PROCESS | SYSTEM, COMPONENT, AND SERVICE CONFIGURATIONS
ASSESSMENT OBJECTIVE: Determine if:
SA-04(05)_ODP security configurations for the system, component, or service are defined;
SA-04(05)(a) the developer of the system, system component, or system service is required to deliver the system, component, or service with implemented;
SA-04(05)(b) the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(05)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system service; security configurations to be implemented by the developer of the system, system component, or system service; service level agreements; system security plan; other relevant documents or records].
SA-04(05)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility to determine system security requirements; system developers or service provider; organizational personnel with information security responsibilities].
SA-04(05)-Test [SELECT FROM: Automated mechanisms used to verify that the configuration of the system, component, or service is delivered as specified].

SA-04(06) ACQUISITION PROCESS | USE OF INFORMATION ASSURANCE PRODUCTS
ASSESSMENT OBJECTIVE: Determine if:
SA-04(06)(a) only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;
SA-04(06)(b) these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(06)-Examine [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system service; security configurations to be implemented by the developer of the system, system component, or system service; service level agreements; NSA-approved list; system security plan; other relevant documents or records].
SA-04(06)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility to determine system security requirements; organizational personnel responsible for ensuring information assurance products are NSA-approved and are evaluated and/or validated products in accordance with NSA-approved procedures; organizational personnel with information security responsibilities].
SA-04(06)-Test [SELECT FROM: Organizational processes for selecting and employing evaluated and/or validated information assurance products and services that compose an NSA-approved solution to protect classified information].
SA-04(07) ACQUISITION PROCESS | NIAP-APPROVED PROTECTION PROFILES
ASSESSMENT OBJECTIVE: Determine if:
SA-04(07)(a) the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;
SA-04(07)(b) if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(07)-Examine [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documents; acquisition documentation; acquisition contracts for the system, system component, or system service; NIAP-approved protection profiles; FIPS-validation information for cryptographic functionality; system security plan; other relevant documents or records].
SA-04(07)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for determining system security requirements; organizational personnel responsible for ensuring that information assurance products have been evaluated against a NIAP-approved protection profile or for ensuring products relying on cryptographic functionality are FIPS-validated; organizational personnel with information security responsibilities].
SA-04(07)-Test [SELECT FROM: Organizational processes for selecting and employing products/services evaluated against a NIAP-approved protection profile or FIPS-validated products].
SA-04(08) ACQUISITION PROCESS | CONTINUOUS MONITORING PLAN FOR CONTROLS
ASSESSMENT OBJECTIVE: Determine if:
SA-04(08) the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(08)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing developer continuous monitoring plans; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; developer continuous monitoring plans; security assessment plans; acquisition contracts for the system, system component, or system service; acquisition documentation; solicitation documentation; service level agreements; system security plan; other relevant documents or records].
SA-04(08)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for determining system security requirements; system developers; organizational personnel with information security responsibilities].
SA-04(08)-Test [SELECT FROM: Vendor processes for continuous monitoring; automated mechanisms supporting and/or implementing developer continuous monitoring].
SA-04(09) ACQUISITION PROCESS | FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES IN USE
ASSESSMENT OBJECTIVE: Determine if:
SA-04(09)[01] the developer of the system, system component, or system service is required to identify the functions intended for organizational use;
SA-04(09)[02] the developer of the system, system component, or system service is required to identify the ports intended for organizational use;
SA-04(09)[03] the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;
SA-04(09)[04] the developer of the system, system component, or system service is required to identify the services intended for organizational use.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(09)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; system design documentation; system documentation, including functions, ports, protocols, and services intended for organizational use; acquisition contracts for systems or services; acquisition documentation; solicitation documentation; service level agreements; organizational security requirements, descriptions, and criteria for developers of systems, system components, and system services; system security plan; other relevant documents or records].
SA-04(09)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for determining system security requirements; system/network administrators; organizational personnel operating, using, and/or maintaining the system; system developers; organizational personnel with information security responsibilities].
SA-04(10) ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS
ASSESSMENT OBJECTIVE: Determine if:
SA-04(10) only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(10)-Examine [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process; solicitation documentation; acquisition documentation; acquisition contracts for the system, system component, or system service; service level agreements; FIPS 201-approved products list; system security plan; other relevant documents or records].
SA-04(10)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for determining system security requirements; organizational personnel with the responsibility for ensuring that only FIPS 201-approved products are implemented; organizational personnel with information security responsibilities].
SA-04(10)-Test [SELECT FROM: Organizational processes for selecting and employing FIPS 201-approved products].

SA-04(11) ACQUISITION PROCESS | SYSTEM OF RECORDS
ASSESSMENT OBJECTIVE: Determine if:
SA-04(11)_ODP Privacy Act requirements for the operation of a system of records are defined;
SA-04(11) are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(11)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of Privacy Act requirements into systems of records operated by external organizations; solicitation documentation; acquisition documentation; acquisition contracts for the system, system component, or system service; service level agreements; system security plan; privacy plan; personally identifiable information processing policy; privacy program plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].
SA-04(11)-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities].
SA-04(11)-Test [SELECT FROM: Contract management processes to verify Privacy Act requirements are defined for the operation of a system of records; vendor processes for demonstrating incorporation of Privacy Act requirements in its operation of a system of records].

SA-04(12) ACQUISITION PROCESS | DATA OWNERSHIP
ASSESSMENT OBJECTIVE: Determine if:
SA-04(12)_ODP time frame to remove data from a contractor system and return it to the organization is defined;
SA-04(12)(a) organizational data ownership requirements are included in the acquisition contract;
SA-04(12)(b) all data to be removed from the contractor’s system and returned to the organization is required within .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-04(12)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy requirements, descriptions, and criteria into the acquisition process; procedures addressing the disposition of personally identifiable information; solicitation documentation; acquisition documentation; acquisition contracts for the system or system service; personally identifiable information processing policy; service level agreements; information sharing agreements; memoranda of understanding; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].
SA-04(12)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for data management and processing requirements; organizational personnel with information security and privacy responsibilities].
SA-04(12)-Test [SELECT FROM: Contract management processes to verify that data is removed as required; vendor processes for removing data in the required time frame; automated mechanisms verifying the removal and return of data].
SA-05 SYSTEM DOCUMENTATION
ASSESSMENT OBJECTIVE: Determine if:
SA-05_ODP[01] actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;
SA-05_ODP[02] personnel or roles to distribute system documentation to is/are defined;
SA-05a.01[01] administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
SA-05a.01[02] administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
SA-05a.01[03] administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
SA-05a.02[01] administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
SA-05a.02[02] administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
SA-05a.02[03] administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
SA-05a.02[04] administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
SA-05b.01[01] user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
SA-05b.01[02] user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
SA-05b.01[03] user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
SA-05b.01[04] user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
SA-05b.02[01] user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner, is obtained or developed;
SA-05b.02[02] user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy, is obtained or developed;
SA-05b.03[01] user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
SA-05b.03[02] user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
SA-05c.[01] attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent are documented;
SA-05c.[02] after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, are taken in response;
SA-05d. documentation is distributed to .
SA-05a.03[01] administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
SA-05a.03[02] administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-05-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing system documentation; system documentation, including administrator and user guides; system design documentation; records documenting attempts to obtain unavailable or nonexistent system documentation; list of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation; risk management strategy documentation; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].
SA-05-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; system administrators; organizational personnel responsible for operating, using, and/or maintaining the system; system developers].
SA-05-Test [SELECT FROM: Organizational processes for obtaining, protecting, and distributing system administrator and user documentation].

SA-05(01) SYSTEM DOCUMENTATION | FUNCTIONAL PROPERTIES OF SECURITY CONTROLS
[WITHDRAWN: Incorporated into SA-04(01).]

SA-05(02) SYSTEM DOCUMENTATION | SECURITY-RELEVANT EXTERNAL SYSTEM INTERFACES
[WITHDRAWN: Incorporated into SA-04(02).]

SA-05(03) SYSTEM DOCUMENTATION | HIGH-LEVEL DESIGN
[WITHDRAWN: Incorporated into SA-04(02).]
SA-05(04) SYSTEM DOCUMENTATION | LOW-LEVEL DESIGN
[WITHDRAWN: Incorporated into SA-04(02).]

SA-05(05) SYSTEM DOCUMENTATION | SOURCE CODE
[WITHDRAWN: Incorporated into SA-04(02).]

SA-06 SOFTWARE USAGE RESTRICTIONS
[WITHDRAWN: Incorporated into CM-10, SI-07.]

SA-07 USER-INSTALLED SOFTWARE
[WITHDRAWN: Incorporated into CM-11, SI-07.]

SA-08 SECURITY AND PRIVACY ENGINEERING PRINCIPLES
ASSESSMENT OBJECTIVE: Determine if:
SA-08_ODP[01] systems security engineering principles are defined;
SA-08_ODP[02] privacy engineering principles are defined;
SA-08[01] are applied in the specification of the system and system components;
SA-08[02] are applied in the design of the system and system components;
SA-08[03] are applied in the development of the system and system components;
SA-08[04] are applied in the implementation of the system and system components;
SA-08[05] are applied in the modification of the system and system components;
SA-08[06] are applied in the specification of the system and system components;
SA-08[07] are applied in the design of the system and system components;
SA-08[08] are applied in the development of the system and system components;
SA-08[09] are applied in the implementation of the system and system components;
SA-08[10] are applied in the modification of the system and system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; assessment and authorization procedures; procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].
SA-08-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers].
SA-08-Test [SELECT FROM: Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification].

SA-08(01) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | CLEAR ABSTRACTIONS
ASSESSMENT OBJECTIVE: Determine if:
SA-08(01) the security design principle of clear abstractions is implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(01)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of clear abstractions used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(01)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(01)-Test [SELECT FROM: Organizational processes for applying the security design principle of clear abstractions to system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of clear abstractions to system specification, design, development, implementation, and modification].

SA-08(02) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | LEAST COMMON MECHANISM
ASSESSMENT OBJECTIVE: Determine if:
SA-08(02)_ODP systems or system components that implement the security design principle of least common mechanism are defined;
SA-08(02) implement the security design principle of least common mechanism.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(02)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of least common mechanism used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(02)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(02)-Test [SELECT FROM: Organizational processes for applying the security design principle of least common mechanism in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of least common mechanism in system specification, design, development, implementation, and modification].
SA-08(03) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | MODULARITY AND LAYERING
ASSESSMENT OBJECTIVE: Determine if:
SA-08(03)_ODP[01] systems or system components that implement the security design principle of modularity are defined;
SA-08(03)_ODP[02] systems or system components that implement the security design principle of layering are defined;
SA-08(03)[01] implement the security design principle of modularity;
SA-08(03)[02] implement the security design principle of layering.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(03)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principles of modularity and layering used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(03)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(03)-Test [SELECT FROM: Organizational processes for applying the security design principles of modularity and layering in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principles of modularity and layering in system specification, design, development, implementation, and modification; automated mechanisms supporting and/or implementing an isolation boundary].
SA-08(04) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PARTIALLY ORDERED DEPENDENCIES
ASSESSMENT OBJECTIVE: Determine if:
SA-08(04)_ODP systems or system components that implement the security design principle of partially ordered dependencies are defined;
SA-08(04) implement the security design principle of partially ordered dependencies.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(04)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of partially ordered dependencies used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(04)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(04)-Test [SELECT FROM: Organizational processes for applying the security design principle of partially ordered dependencies in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of partially ordered dependencies in system specification, design, development, implementation, and modification].

SA-08(05) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | EFFICIENTLY MEDIATED ACCESS
ASSESSMENT OBJECTIVE: Determine if:
SA-08(05)_ODP systems or system components that implement the security design principle of efficiently mediated access are defined;
SA-08(05) implement the security design principle of efficiently mediated access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(05)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of efficiently mediated access used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(05)-Interview [SELECT FROM: Organizational personnel with acquisition/contracting responsibilities; organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(05)-Test [SELECT FROM: Organizational processes for applying the security design principle of efficiently mediated access in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of efficiently mediated access in system specification, design, development, implementation, and modification].

SA-08(06) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | MINIMIZED SHARING
ASSESSMENT OBJECTIVE: Determine if:
SA-08(06)_ODP systems or system components that implement the security design principle of minimized sharing are defined;
SA-08(06) implement the security design principle of minimized sharing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(06)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of minimized sharing used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(06)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(06)-Test [SELECT FROM: Organizational processes for applying the security design principle of minimized sharing in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of minimized sharing in system specification, design, development, implementation, and modification].

SA-08(07) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | REDUCED COMPLEXITY
ASSESSMENT OBJECTIVE: Determine if:
SA-08(07)_ODP systems or system components that implement the security design principle of reduced complexity are defined;
SA-08(07) implement the security design principle of reduced complexity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(07)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of reduced complexity used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(07)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(07)-Test [SELECT FROM: Organizational processes for applying the security design principle of reduced complexity in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of reduced complexity in system specification, design, development, implementation, and modification].

SA-08(08) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE EVOLVABILITY
ASSESSMENT OBJECTIVE: Determine if:
SA-08(08)_ODP systems or system components that implement the security design principle of secure evolvability are defined;
SA-08(08) implement the security design principle of secure evolvability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(08)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of secure evolvability used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(08)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(08)-Test [SELECT FROM: Organizational processes for applying the security design principle of secure evolvability in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of secure evolvability in system specification, design, development, implementation, and modification].

SA-08(09) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | TRUSTED COMPONENTS
ASSESSMENT OBJECTIVE: Determine if:
SA-08(09)_ODP systems or system components that implement the security design principle of trusted components are defined;
SA-08(09) implement the security design principle of trusted components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(09)-Examine [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing the security design principle of trusted components used in the specification, design, development, implementation, and modification of the system; system design documentation; security, supply chain risk management, and privacy requirements and specifications for the system; system security and privacy architecture; procedures for determining component assurance; system security plan; other relevant documents or records].
SA-08(09)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities].
SA-08(09)-Test [SELECT FROM: Organizational processes for applying the security design principle of trusted components in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of trusted components in system specification, design, development, implementation, and modification].

SA-08(10) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HIERARCHICAL TRUST
ASSESSMENT OBJECTIVE: Determine if:
SA-08(10)_ODP systems or system components that implement the security design principle of hierarchical trust are defined;
SA-08(10) implement the security design principle of hierarchical trust.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(10)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of hierarchical trust used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(10)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(10)-Test [SELECT FROM: Organizational processes for applying the security design principle of hierarchical trust in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of hierarchical trust in system specification, design, development, implementation, and modification].

SA-08(11) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | INVERSE MODIFICATION THRESHOLD
ASSESSMENT OBJECTIVE: Determine if:
SA-08(11)_ODP systems or system components that implement the security design principle of inverse modification threshold are defined;
SA-08(11) implement the security design principle of inverse modification threshold.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(11)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of inverse modification threshold used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(11)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(11)-Test [SELECT FROM: Organizational processes for applying the security design principle of inverse modification threshold in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of inverse modification threshold in system specification, design, development, implementation, and modification].

SA-08(12) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HIERARCHICAL PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SA-08(12)_ODP systems or system components that implement the security design principle of hierarchical protection are defined;
SA-08(12) implement the security design principle of hierarchical protection.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(12)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of hierarchical protection used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(12)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(12)-Test [SELECT FROM: Organizational processes for applying the security design principle of hierarchical protection in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of hierarchical protection in system specification, design, development, implementation, and modification].

SA-08(13) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | MINIMIZED SECURITY ELEMENTS
ASSESSMENT OBJECTIVE: Determine if:
SA-08(13)_ODP systems or system components that implement the security design principle of minimized security elements are defined;
SA-08(13) implement the security design principle of minimized security elements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(13)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of minimized security elements used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(13)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(13)-Test [SELECT FROM: Organizational processes for applying the security design principle of minimized security elements in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of minimized security elements in system specification, design, development, implementation, and modification].

SA-08(14) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | LEAST PRIVILEGE
ASSESSMENT OBJECTIVE: Determine if:
SA-08(14)_ODP systems or system components that implement the security design principle of least privilege are defined;
SA-08(14) implement the security design principle of least privilege.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(14)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of least privilege used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(14)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(14)-Test [SELECT FROM: Organizational processes for applying the security design principle of least privilege in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of least privilege in system specification, design, development, implementation, and modification].

SA-08(15) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PREDICATE PERMISSION
ASSESSMENT OBJECTIVE: Determine if:
SA-08(15)_ODP systems or system components that implement the security design principle of predicate permission are defined;
SA-08(15) implement the security design principle of predicate permission.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(15)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of predicate permission used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(15)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(15)-Test [SELECT FROM: Organizational processes for applying the security design principle of predicate permission in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of predicate permission in system specification, design, development, implementation, and modification].

SA-08(16) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SELF-RELIANT TRUSTWORTHINESS
ASSESSMENT OBJECTIVE: Determine if:
SA-08(16)_ODP systems or system components that implement the security design principle of self-reliant trustworthiness are defined;
SA-08(16) implement the security design principle of self-reliant trustworthiness.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(16)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of self-reliant trustworthiness used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(16)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(16)-Test [SELECT FROM: Organizational processes for applying the security design principle of self-reliant trustworthiness in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of self-reliant trustworthiness in system specification, design, development, implementation, and modification].

SA-08(17) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DISTRIBUTED COMPOSITION
ASSESSMENT OBJECTIVE: Determine if:
SA-08(17)_ODP systems or system components that implement the security design principle of secure distributed composition are defined;
SA-08(17) implement the security design principle of secure distributed composition.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(17)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of secure distributed composition used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(17)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(17)-Test [SELECT FROM: Organizational processes for applying the security design principle of secure distributed composition in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of secure distributed composition in system specification, design, development, implementation, and modification].

SA-08(18) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | TRUSTED COMMUNICATIONS CHANNELS
ASSESSMENT OBJECTIVE: Determine if:
SA-08(18)_ODP systems or system components that implement the security design principle of trusted communications channels are defined;
SA-08(18) implement the security design principle of trusted communications channels.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(18)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of trusted communications channels used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(18)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(18)-Test [SELECT FROM: Organizational processes for applying the security design principle of trusted communications channels in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of trusted communications channels in system specification, design, development, implementation, and modification].

SA-08(19) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | CONTINUOUS PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SA-08(19)_ODP systems or system components that implement the security design principle of continuous protection are defined;
SA-08(19) implement the security design principle of continuous protection.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(19)-Examine [SELECT FROM: System and services acquisition policy; access control policy; system and communications protection policy; procedures addressing boundary protection; procedures addressing the security design principle of continuous protection used in the specification, design, development, implementation, and modification of the system; system configuration settings and associated documentation; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(19)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; organizational personnel with access enforcement responsibilities; system/network administrators; system developers; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SA-08(19)-Test [SELECT FROM: Organizational processes for applying the security design principle of continuous protection in system specification, design, development, implementation, and modification; automated mechanisms implementing access enforcement functions; automated mechanisms supporting the application of the security design principle of continuous protection in system specification, design, development, implementation, and modification; automated mechanisms supporting and/or implementing secure failure].
SA-08(20) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE METADATA MANAGEMENT
ASSESSMENT OBJECTIVE: Determine if:
SA-08(20)_ODP systems or system components that implement the security design principle of secure metadata management are defined;
SA-08(20) implement the security design principle of secure metadata management.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(20)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of metadata management used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(20)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(20)-Test [SELECT FROM: Organizational processes for applying the security design principle of metadata management in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of metadata management in system specification, design, development, implementation, and modification].

SA-08(21) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SELF-ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
SA-08(21)_ODP systems or system components that implement the security design principle of self-analysis are defined;
SA-08(21) implement the security design principle of self-analysis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(21)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of self-analysis used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(21)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(21)-Test [SELECT FROM: Organizational processes for applying the security design principle of self-analysis in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of self-analysis in system specification, design, development, implementation, and modification].

SA-08(22) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | ACCOUNTABILITY AND TRACEABILITY
ASSESSMENT OBJECTIVE: Determine if:
SA-08(22)_ODP[01] systems or system components that implement the security design principle of accountability are defined;
SA-08(22)_ODP[02] systems or system components that implement the security design principle of traceability are defined;
SA-08(22)[01] implement the security design principle of accountability;
SA-08(22)[02] implement the security design principle of traceability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-08(22)-Examine [SELECT FROM: System and services acquisition policy; audit and accountability policy; access control policy; procedures addressing least privilege; procedures addressing auditable events; identification and authentication policy; procedures addressing user identification and authentication; procedures addressing the security design principle of accountability and traceability used in the specification, design, development, implementation, and modification of the system; system design documentation; system audit records; system auditable events; system configuration settings and associated documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records].
SA-08(22)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with audit and accountability responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities].
SA-08(22)-Test [SELECT FROM: Organizational processes for applying the security design principle of accountability and traceability in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of accountability and traceability in system specification, design, development, implementation, and modification; automated mechanisms implementing information system auditing; automated mechanisms implementing least privilege functions].
SA-08(23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS ASSESSMENT OBJECTIVE: Determine if: SA-08(23)_ODP systems or system components that implement the security design principle of secure defaults are defined; SA-08(23) implement the security design principle of secure defaults. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(23)-Examine [SELECT FROM: System and services acquisition policy; configuration management policy; procedures addressing the security design principle of secure defaults used in the specification, design, development, implementation, and modification of the system; system design documentation; procedures addressing the baseline configuration of the system; configuration management plan; system architecture and configuration documentation; system configuration settings and associated documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; procedures addressing system documentation; system documentation; system security plan; other relevant documents or records]. SA-08(23)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. SA-08(23)-Test [SELECT FROM: Organizational processes for applying the security design principle of secure defaults in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of secure defaults in system specification, design, development, implementation, and modification; organizational processes for managing baseline configurations; automated mechanisms supporting configuration control of the baseline configuration]. 
SA-08(24) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE FAILURE AND RECOVERY ASSESSMENT OBJECTIVE: Determine if: SA-08(24)_ODP[01] systems or system components that implement the security design principle of secure failure are defined; SA-08(24)_ODP[02] systems or system components that implement the security design principle of secure recovery are defined; SA-08(24)[01] implement the security design principle of secure failure; SA-08(24)[02] implement the security design principle of secure recovery. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(24)-Examine [SELECT FROM: System and services acquisition policy; system and communications protection policy; contingency planning policy; procedures addressing information system recovery and reconstitution; procedures addressing the security design principle of secure failure and recovery used in the specification, design, development, implementation, and modification of the system; contingency plan; procedures addressing system backup; contingency plan test documentation; contingency plan test results; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records]. SA-08(24)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; organizational personnel with contingency plan testing responsibilities; organizational personnel with system recovery and reconstitution responsibilities; system developers; organizational personnel with information security responsibilities; organizational personnel with information system backup responsibilities]. 
SA-08(24)-Test [SELECT FROM: Organizational processes for applying the security design principle of secure failure and recovery in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of secure failure and recovery in system specification, design, development, implementation, and modification; automated mechanisms supporting and/or implementing secure failure; organizational processes for contingency plan testing; automated mechanisms supporting contingency plan testing; automated mechanisms supporting recovery and reconstitution of the system; organizational processes for conducting system backups; automated mechanisms supporting and/or implementing system backups]. SA-08(25) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | ECONOMIC SECURITY ASSESSMENT OBJECTIVE: Determine if: SA-08(25)_ODP systems or system components that implement the security design principle of economic security are defined; SA-08(25) implement the security design principle of economic security. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(25)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of economic security used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; cost-benefit analysis; system security plan; other relevant documents or records]. SA-08(25)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. 
SA-08(25)-Test [SELECT FROM: Organizational processes for applying the security design principle of economic security in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of economic security in system specification, design, development, implementation, and modification]. SA-08(26) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PERFORMANCE SECURITY ASSESSMENT OBJECTIVE: Determine if: SA-08(26)_ODP systems or system components that implement the security design principle of performance security are defined; SA-08(26) implement the security design principle of performance security. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(26)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of performance security used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; trade-off analysis between performance and security; system security plan; other relevant documents or records]. SA-08(26)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. SA-08(26)-Test [SELECT FROM: Organizational processes for applying the security design principle of performance security in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of performance security in system specification, design, development, implementation, and modification]. 
SA-08(27) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | HUMAN FACTORED SECURITY ASSESSMENT OBJECTIVE: Determine if: SA-08(27)_ODP systems or system components that implement the security design principle of human factored security are defined; SA-08(27) implement the security design principle of human factored security. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(27)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of human factored security used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; usability analysis; system security plan; other relevant documents or records]. SA-08(27)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with human factored security responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. SA-08(27)-Test [SELECT FROM: Organizational processes for applying the security design principle of human factored security in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of human factored security in system specification, design, development, implementation, and modification; automated mechanisms that enforce security policies]. 
SA-08(28) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | ACCEPTABLE SECURITY ASSESSMENT OBJECTIVE: Determine if: SA-08(28)_ODP systems or system components that implement the security design principle of acceptable security are defined; SA-08(28) implement the security design principle of acceptable security. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(28)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the security design principle of acceptable security used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; personally identifiable information processing policy; privacy notifications provided to users; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SA-08(28)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers]. SA-08(28)-Test [SELECT FROM: Organizational processes for applying the security design principle of acceptable security in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of acceptable security in system specification, design, development, implementation, and modification; automated mechanisms that enforce security policies]. 
SA-08(29) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | REPEATABLE AND DOCUMENTED PROCEDURES ASSESSMENT OBJECTIVE: Determine if: SA-08(29)_ODP systems or system components that implement the security design principle of repeatable and documented procedures are defined; SA-08(29) implement the security design principle of repeatable and documented procedures. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(29)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of repeatable and documented procedures used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records]. SA-08(29)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. SA-08(29)-Test [SELECT FROM: Organizational processes for applying the security design principle of repeatable and documented procedures in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of repeatable and documented procedures in system specification, design, development, implementation, and modification; automated mechanisms that enforce security policies]. SA-08(30) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | PROCEDURAL RIGOR ASSESSMENT OBJECTIVE: Determine if: SA-08(30)_ODP systems or system components that implement the security design principle of procedural rigor are defined; SA-08(30) implement the security design principle of procedural rigor. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(30)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of procedural rigor used in the specification, design, development, implementation, and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records]. SA-08(30)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. SA-08(30)-Test [SELECT FROM: Organizational processes for applying the security design principle of procedural rigor in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of procedural rigor in system specification, design, development, implementation, and modification; automated mechanisms that enforce security policies]. SA-08(31) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE SYSTEM MODIFICATION ASSESSMENT OBJECTIVE: Determine if: SA-08(31)_ODP systems or system components that implement the security design principle of secure system modification are defined; SA-08(31) implement the security design principle of secure system modification. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(31)-Examine [SELECT FROM: System and services acquisition policy; configuration management policy and procedures; procedures addressing the security design principle of secure system modification used in the specification, design, development, implementation, and modification of the system; system design documentation; system configuration settings and associated documentation; change control records; security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; other relevant documents or records]. SA-08(31)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. SA-08(31)-Test [SELECT FROM: Organizational processes for applying the security design principle of secure system modification in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of secure system modification in system specification, design, development, implementation, and modification; automated mechanisms that enforce security policies; organizational processes for managing change configuration; automated mechanisms supporting configuration control]. SA-08(32) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SUFFICIENT DOCUMENTATION ASSESSMENT OBJECTIVE: Determine if: SA-08(32)_ODP systems or system components that implement the security design principle of sufficient documentation are defined; SA-08(32) implement the security design principle of sufficient documentation. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(32)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the security design principle of sufficient documentation used in the specification, design, development, implementation, and modification of the system; system design documentation; system configuration settings and associated documentation; change control records; security and privacy requirements and specifications for the system; system security and privacy documentation; system security and privacy architecture; system security plan; other relevant documents or records]. SA-08(32)-Interview [SELECT FROM: Organizational personnel with the responsibility for determining system security and privacy requirements; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers; organizational personnel with information security responsibilities]. SA-08(32)-Test [SELECT FROM: Organizational processes for applying the security design principle of sufficient documentation in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification; automated mechanisms that enforce security policies; organizational processes for managing change configuration; automated mechanisms supporting configuration control]. SA-08(33) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | MINIMIZATION ASSESSMENT OBJECTIVE: Determine if: SA-08(33)_ODP processes that implement the privacy principle of minimization are defined; SA-08(33) the privacy principle of minimization is implemented using . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-08(33)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; personally identifiable information processing policy; procedures addressing the minimization of personally identifiable information in system design; system design documentation; system configuration settings and associated documentation; change control records; information security and privacy requirements and specifications for the system; system security and privacy architecture; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SA-08(33)-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with system specification, design, development, implementation, and modification responsibilities; system developers]. SA-08(33)-Test [SELECT FROM: Organizational processes for applying the privacy design principle of minimization in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification; automated mechanisms that enforce security and privacy policy; organizational processes for managing change configuration; automated mechanisms supporting configuration control]. 
SA-09 EXTERNAL SYSTEM SERVICES ASSESSMENT OBJECTIVE: Determine if: SA-09_ODP[01] controls to be employed by external system service providers are defined; SA-09_ODP[02] processes, methods, and techniques employed to monitor control compliance by external service providers are defined; SA-09a.[01] providers of external system services comply with organizational security requirements; SA-09a.[02] providers of external system services comply with organizational privacy requirements; SA-09a.[03] providers of external system services employ ; SA-09b.[01] organizational oversight with regard to external system services is defined and documented; SA-09b.[02] user roles and responsibilities with regard to external system services are defined and documented; SA-09c. are employed to monitor control compliance by external service providers on an ongoing basis. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-09-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing methods and techniques for monitoring control compliance by external service providers of system services; acquisition documentation; contracts; service level agreements; interagency agreements; licensing agreements; list of organizational security and privacy requirements for external provider services; control assessment results or reports from external providers of system services; system security plan; privacy plan; supply chain risk management plan; other relevant documents or records]. SA-09-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; external providers of system services; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities]. 
SA-09-Test [SELECT FROM: Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis; automated mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis]. SA-09(01) EXTERNAL SYSTEM SERVICES | RISK ASSESSMENTS AND ORGANIZATIONAL APPROVALS ASSESSMENT OBJECTIVE: Determine if: SA-09(01)_ODP personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined; SA-09(01)(a) an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services; SA-09(01)(b) approve the acquisition or outsourcing of dedicated information security services. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-09(01)-Examine [SELECT FROM: System and services acquisition policy; supply chain risk management policy and procedures; procedures addressing external system services; acquisition documentation; acquisition contracts for the system, system component, or system service; risk assessment reports; approval records for the acquisition or outsourcing of dedicated security services; system security plan; supply chain risk management plan; other relevant documents or records]. SA-09(01)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with system security responsibilities; external providers of system services; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. 
SA-09(01)-Test [SELECT FROM: Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services; organizational processes for approving the outsourcing of dedicated security services; automated mechanisms supporting and/or implementing risk assessment; automated mechanisms supporting and/or implementing approval processes]. SA-09(02) EXTERNAL SYSTEM SERVICES | IDENTIFICATION OF FUNCTIONS, PORTS, PROTOCOLS, AND SERVICES ASSESSMENT OBJECTIVE: Determine if: SA-09(02)_ODP external system services that require the identification of functions, ports, protocols, and other services are defined; SA-09(02) providers of are required to identify the functions, ports, protocols, and other services required for the use of such services. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-09(02)-Examine [SELECT FROM: System and services acquisition policy; supply chain risk management policy and procedures; procedures addressing external system services; acquisition contracts for the system, system component, or system service; acquisition documentation; solicitation documentation; service level agreements; organizational security requirements and security specifications for external service providers; list of required functions, ports, protocols, and other services; system security plan; other relevant documents or records]. SA-09(02)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system/network administrators; external providers of system services]. 
SA-09(03) EXTERNAL SYSTEM SERVICES | ESTABLISH AND MAINTAIN TRUST RELATIONSHIP WITH PROVIDERS ASSESSMENT OBJECTIVE: Determine if: SA-09(03)_ODP[01] security requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined; SA-09(03)_ODP[02] privacy requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined; SA-09(03)[01] trust relationships with external service providers based on are established and documented; SA-09(03)[02] trust relationships with external service providers based on are maintained; SA-09(03)[03] trust relationships with external service providers based on are established and documented; SA-09(03)[04] trust relationships with external service providers based on are maintained. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-09(03)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; acquisition contracts for the system, system component, or system service; acquisition documentation; solicitation documentation; service level agreements; list of organizational security and privacy requirements, properties, factors, or conditions for external provider services; documentation of trust relationships with external service providers; system security plan; privacy plan; supply chain risk management plan; other relevant documents or records]. SA-09(03)-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities]. 
SA-09(04) EXTERNAL SYSTEM SERVICES | CONSISTENT INTERESTS OF CONSUMERS AND PROVIDERS ASSESSMENT OBJECTIVE: Determine if: SA-09(04)_ODP[01] external service providers are defined; SA-09(04)_ODP[02] actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined; SA-09(04) are taken to verify that the interests of are consistent with and reflect organizational interests. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-09(04)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; organizational security requirements/safeguards for external service providers; personnel security policies for external service providers; assessments performed on external service providers; system security plan; supply chain risk management plan; other relevant documents or records]. SA-09(04)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities]. SA-09(04)-Test [SELECT FROM: Organizational processes for defining and employing safeguards to ensure consistent interests with external service providers; automated mechanisms supporting and/or implementing safeguards to ensure consistent interests with external service providers]. 
SA-09(05) EXTERNAL SYSTEM SERVICES | PROCESSING, STORAGE, AND SERVICE LOCATION
ASSESSMENT OBJECTIVE:
Determine if:
SA-09(05)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {information processing; information or data; system services};
SA-09(05)_ODP[02] locations where is/are to be restricted are defined;
SA-09(05)_ODP[03] requirements or conditions for restricting the location of are defined;
SA-09(05) based on , is/are restricted to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-09(05)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; restricted locations for information processing; information/data and/or system services; information processing, information/data, and/or system services to be maintained in restricted locations; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records].
SA-09(05)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities].
SA-09(05)-Test [SELECT FROM: Organizational processes for defining the requirements to restrict locations of information processing, information/data, or information services; organizational processes for ensuring the location is restricted in accordance with requirements or conditions].

SA-09(06) EXTERNAL SYSTEM SERVICES | ORGANIZATION-CONTROLLED CRYPTOGRAPHIC KEYS
ASSESSMENT OBJECTIVE:
Determine if:
SA-09(06) exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-09(06)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; procedures addressing organization-controlled cryptographic key management; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records].
SA-09(06)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organization personnel with cryptographic key management responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities].
SA-09(06)-Test [SELECT FROM: Organizational processes for cryptographic key management; automated mechanisms for supporting and implementing the management of organization-controlled cryptographic keys].

SA-09(07) EXTERNAL SYSTEM SERVICES | ORGANIZATION-CONTROLLED INTEGRITY CHECKING
ASSESSMENT OBJECTIVE:
Determine if:
SA-09(07) the capability is provided to check the integrity of information while it resides in the external system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-09(07)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; procedures addressing organization-controlled integrity checking; information/data and/or system services; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records].
SA-09(07)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organization personnel with integrity checking responsibilities; external providers of system services; organizational personnel with supply chain risk management responsibilities].
SA-09(07)-Test [SELECT FROM: Organizational processes for integrity checking; automated mechanisms for supporting and implementing integrity checking of information in external systems].

SA-09(08) EXTERNAL SYSTEM SERVICES | PROCESSING AND STORAGE LOCATION — U.S. JURISDICTION
ASSESSMENT OBJECTIVE:
Determine if:
SA-09(08) the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-09(08)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing external system services; acquisition contracts for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; procedures addressing determining jurisdiction restrictions for processing and storage location; information/data and/or system services; organizational security requirements or conditions for external providers; system security plan; supply chain risk management plan; other relevant documents or records].
SA-09(08)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organization personnel with supply chain risk management responsibilities; external providers of system services].
SA-09(08)-Test [SELECT FROM: Organizational processes restricting external system service providers to process and store information within the legal jurisdictional boundary of the United States].

SA-10 DEVELOPER CONFIGURATION MANAGEMENT
ASSESSMENT OBJECTIVE:
Determine if:
SA-10_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {design; development; implementation; operation; disposal};
SA-10_ODP[02] configuration items under configuration management are defined;
SA-10_ODP[03] personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;
SA-10a. the developer of the system, system component, or system service is required to perform configuration management during system, component, or service ;
SA-10b.[01] the developer of the system, system component, or system service is required to document the integrity of changes to ;
SA-10b.[02] the developer of the system, system component, or system service is required to manage the integrity of changes to ;
SA-10b.[03] the developer of the system, system component, or system service is required to control the integrity of changes to ;
SA-10c. the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;
SA-10d.[01] the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;
SA-10d.[02] the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;
SA-10d.[03] the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;
SA-10e.[01] the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;
SA-10e.[02] the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;
SA-10e.[03] the developer of the system, system component, or system service is required to report findings to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; security flaw and flaw resolution tracking records; system change authorization records; change control records; configuration management records; system security plan; other relevant documents or records].
SA-10-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers].
SA-10-Test [SELECT FROM: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

SA-10(01) DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE AND FIRMWARE INTEGRITY VERIFICATION
ASSESSMENT OBJECTIVE:
Determine if:
SA-10(01) the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10(01)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; software and firmware integrity verification records; system change authorization records; change control records; configuration management records; system security plan; supply chain risk management plan; other relevant documents or records].
SA-10(01)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers; organizational personnel with supply chain risk management responsibilities].
SA-10(01)-Test [SELECT FROM: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

SA-10(02) DEVELOPER CONFIGURATION MANAGEMENT | ALTERNATIVE CONFIGURATION MANAGEMENT PROCESSES
ASSESSMENT OBJECTIVE:
Determine if:
SA-10(02) an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10(02)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; configuration management policy; configuration management plan; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; security impact analyses; privacy impact analyses; privacy impact assessment; privacy risk assessment documentation; system security plan; privacy plan; other relevant documents or records].
SA-10(02)-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with configuration management responsibilities; system developers].
SA-10(02)-Test [SELECT FROM: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

SA-10(03) DEVELOPER CONFIGURATION MANAGEMENT | HARDWARE INTEGRITY VERIFICATION
ASSESSMENT OBJECTIVE:
Determine if:
SA-10(03) the developer of the system, system component, or system service is required to enable integrity verification of hardware components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10(03)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; hardware integrity verification records; system security plan; supply chain risk management plan; other relevant documents or records].
SA-10(03)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers; organizational personnel with supply chain risk management responsibilities].
SA-10(03)-Test [SELECT FROM: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

SA-10(04) DEVELOPER CONFIGURATION MANAGEMENT | TRUSTED GENERATION
ASSESSMENT OBJECTIVE:
Determine if:
SA-10(04)[01] the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;
SA-10(04)[02] the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;
SA-10(04)[03] the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10(04)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; change control records; configuration management records; configuration control audit records; system security plan; other relevant documents or records].
SA-10(04)-Test [SELECT FROM: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

SA-10(05) DEVELOPER CONFIGURATION MANAGEMENT | MAPPING INTEGRITY FOR VERSION CONTROL
ASSESSMENT OBJECTIVE:
Determine if:
SA-10(05) the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10(05)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; change control records; configuration management records; version control change/update records; integrity verification records between master copies of security-relevant hardware, software, and firmware (including designs and source code); system security plan; other relevant documents or records].
SA-10(05)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers].
SA-10(05)-Test [SELECT FROM: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

SA-10(06) DEVELOPER CONFIGURATION MANAGEMENT | TRUSTED DISTRIBUTION
ASSESSMENT OBJECTIVE:
Determine if:
SA-10(06) the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10(06)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer configuration management; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; change control records; configuration management records; system security plan; other relevant documents or records].
SA-10(06)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with configuration management responsibilities; system developers].
SA-10(06)-Test [SELECT FROM: Organizational processes for monitoring developer configuration management; automated mechanisms supporting and/or implementing the monitoring of developer configuration management].

SA-10(07) DEVELOPER CONFIGURATION MANAGEMENT | SECURITY AND PRIVACY REPRESENTATIVES
ASSESSMENT OBJECTIVE:
Determine if:
SA-10(07)_ODP[01] security representatives to be included in the configuration change management and control process are defined;
SA-10(07)_ODP[02] privacy representatives to be included in the configuration change management and control process are defined;
SA-10(07)_ODP[03] configuration change management and control processes in which security representatives are required to be included are defined;
SA-10(07)_ODP[04] configuration change management and control processes in which privacy representatives are required to be included are defined;
SA-10(07)[01] are required to be included in the ;
SA-10(07)[02] are required to be included in the .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-10(07)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; configuration management policy; configuration management plan; solicitation documentation requiring representatives for security and privacy; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; change control records; configuration management records; system security plan; other relevant documents or records].
SA-10(07)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with configuration management responsibilities; system developers].

SA-11 DEVELOPER TESTING AND EVALUATION
ASSESSMENT OBJECTIVE:
Determine if:
SA-11_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {unit; integration; system; regression};
SA-11_ODP[02] frequency at which to conduct testing/evaluation is defined;
SA-11_ODP[03] depth and coverage of testing/evaluation is defined;
SA-11a.[01] the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;
SA-11a.[02] the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;
SA-11a.[03] the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;
SA-11a.[04] the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;
SA-11b. the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform testing/evaluation at ;
SA-11c.[01] the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;
SA-11c.[02] the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;
SA-11d. the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;
SA-11e. the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-11-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing system developer security and privacy testing; procedures addressing flaw remediation; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; security and privacy architecture; system design documentation; system developer security and privacy assessment plans; results of developer security and privacy assessments for the system, system component, or system service; security and privacy flaw and remediation tracking records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].
SA-11-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with developer security and privacy testing responsibilities; system developers].
SA-11-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security and privacy testing and evaluation].

SA-11(01) DEVELOPER TESTING AND EVALUATION | STATIC CODE ANALYSIS
ASSESSMENT OBJECTIVE:
Determine if:
SA-11(01)[01] the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;
SA-11(01)[02] the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-11(01)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing system developer security testing; procedures addressing flaw remediation; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; security and privacy architecture; system design documentation; system developer security and privacy assessment plans; results of system developer security and privacy assessments; security flaw and remediation tracking records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records].
SA-11(01)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security and privacy testing responsibilities; organizational personnel with configuration management responsibilities; system developers].
SA-11(01)-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation; static code analysis tools].

SA-11(02) DEVELOPER TESTING AND EVALUATION | THREAT MODELING AND VULNERABILITY ANALYSES
ASSESSMENT OBJECTIVE:
Determine if:
SA-11(02)_ODP[01] information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;
SA-11(02)_ODP[02] the tools and methods to be employed for threat modeling and vulnerability analyses are defined;
SA-11(02)_ODP[03] the breadth and depth of threat modeling to be conducted is defined;
SA-11(02)_ODP[04] the breadth and depth of vulnerability analyses to be conducted is defined;
SA-11(02)_ODP[05] acceptance criteria to be met by produced evidence for threat modeling are defined;
SA-11(02)_ODP[06] acceptance criteria to be met by produced evidence for vulnerability analyses are defined;
SA-11(02)(a)[01] the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses ;
SA-11(02)(a)[02] the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses ;
SA-11(02)(a)[03] the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses ;
SA-11(02)(a)[04] the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses ;
SA-11(02)(b)[01] the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs ;
SA-11(02)(b)[02] the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs ;
SA-11(02)(b)[03] the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs ;
SA-11(02)(b)[04] the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs ;
SA-11(02)(c)[01] the developer of the system, system component, or system service is required to perform threat modeling at during development of the system, component, or service;
SA-11(02)(c)[02] the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at ;
SA-11(02)(d)[01] the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets ;
SA-11(02)(d)[02] the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets ;
SA-11(02)(d)[03] the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets ;
SA-11(02)(d)[04] the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-11(02)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security test plans; records of developer security testing results for the system, system component, or system service; vulnerability scanning results; system risk assessment reports; threat and vulnerability analysis reports; system security plan; supply chain risk management plan; other relevant documents or records].
SA-11(02)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; organizational personnel with supply chain risk management responsibilities].
SA-11(02)-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].
SA-11(03) DEVELOPER TESTING AND EVALUATION | INDEPENDENT VERIFICATION OF ASSESSMENT PLANS AND EVIDENCE
ASSESSMENT OBJECTIVE:
Determine if:
SA-11(03)_ODP independence criteria to be satisfied by an independent agent are defined;
SA-11(03)(a)[01] an independent agent is required to satisfy to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;
SA-11(03)(a)[02] an independent agent is required to satisfy to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;
SA-11(03)(b) the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-11(03)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; independent verification and validation reports; security and privacy assessment plans; results of security and privacy assessments for the system, system component, or system service; system security plan; privacy plan; privacy program plan; other relevant documents or records].
SA-11(03)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent].
SA-11(03)-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].
SA-11(04) DEVELOPER TESTING AND EVALUATION | MANUAL CODE REVIEWS
ASSESSMENT OBJECTIVE:
Determine if:
SA-11(04)_ODP[01] specific code requiring manual code review is defined;
SA-11(04)_ODP[02] processes, procedures, and/or techniques used for manual code reviews are defined;
SA-11(04) the developer of the system, system component, or system service is required to perform a manual code review of using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-11(04)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; processes, procedures, and/or techniques for performing manual code reviews; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security testing and evaluation plans; system developer security testing and evaluation results; list of code requiring manual reviews; records of manual code reviews; system security plan; other relevant documents or records].
SA-11(04)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent].
SA-11(04)-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer testing and evaluation].
SA-11(05) DEVELOPER TESTING AND EVALUATION | PENETRATION TESTING
ASSESSMENT OBJECTIVE:
Determine if:
SA-11(05)_ODP[01] the breadth of penetration testing is defined;
SA-11(05)_ODP[02] the depth of penetration testing is defined;
SA-11(05)_ODP[03] constraints of penetration testing are defined;
SA-11(05)(a)[01] the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: ;
SA-11(05)(a)[02] the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: ;
SA-11(05)(b) the developer of the system, system component, or system service is required to perform penetration testing under .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-11(05)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer penetration testing and evaluation plans; system developer penetration testing and evaluation results; system security plan; privacy plan; personally identifiable information processing policy; other relevant documents or records].
SA-11(05)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent].
SA-11(05)-Test [SELECT FROM: Organizational processes for monitoring developer security and privacy assessments; automated mechanisms supporting and/or implementing the monitoring of developer security and privacy assessments].
SA-11(06) DEVELOPER TESTING AND EVALUATION | ATTACK SURFACE REVIEWS
ASSESSMENT OBJECTIVE:
Determine if:
SA-11(06) the developer of the system, system component, or system service is required to perform attack surface reviews.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-11(06)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security testing and evaluation plans; system developer security testing and evaluation results; records of attack surface reviews; system security plan; other relevant documents or records].
SA-11(06)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; organizational personnel with configuration management responsibilities; system developers].
SA-11(06)-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation].
SA-11(07) DEVELOPER TESTING AND EVALUATION | VERIFY SCOPE OF TESTING AND EVALUATION ASSESSMENT OBJECTIVE: Determine if: SA-11(07)_ODP[01] the breadth of testing and evaluation of required controls is defined; SA-11(07)_ODP[02] the depth of testing and evaluation of required controls is defined; SA-11(07)[01] the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at ; SA-11(07)[02] the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-11(07)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security testing and evaluation plans; system developer security testing and evaluation results; system security plan; other relevant documents or records]. SA-11(07)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; system developers; independent verification agent]. SA-11(07)-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation]. 
SA-11(08) DEVELOPER TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS ASSESSMENT OBJECTIVE: Determine if: SA-11(08)[01] the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws; SA-11(08)[02] the developer of the system, system component, or system service is required to document the results of the analysis. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-11(08)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; procedures addressing flaw remediation; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security test and evaluation plans; security test and evaluation results; security flaw and remediation tracking reports; system security plan; other relevant documents or records]. SA-11(08)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; organizational personnel with configuration management responsibilities; system developers]. SA-11(08)-Test [SELECT FROM: Organizational processes for monitoring developer security testing and evaluation; automated mechanisms supporting and/or implementing the monitoring of developer security testing and evaluation]. SA-11(09) DEVELOPER TESTING AND EVALUATION | INTERACTIVE APPLICATION SECURITY TESTING ASSESSMENT OBJECTIVE: Determine if: SA-11(09)[01] the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws; SA-11(09)[02] the developer of the system, system component, or system service is required to document the results of flaw identification. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-11(09)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing system developer security testing; procedures addressing interactive application security testing; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer security test and evaluation plans; security test and evaluation results; security flaw and remediation tracking reports; system security plan; other relevant documents or records]. SA-11(09)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with developer security testing responsibilities; organizational personnel with configuration management responsibilities; system developers]. SA-11(09)-Test [SELECT FROM: Organizational processes for interactive application security testing; automated mechanisms supporting and/or implementing the interactive application security testing]. SA-12 SUPPLY CHAIN PROTECTION [WITHDRAWN: Incorporated into SR Family.] SA-12(01) SUPPLY CHAIN PROTECTION | ACQUISITION STRATEGIES / TOOLS / METHODS [WITHDRAWN: Moved to SR-05.] SA-12(02) SUPPLY CHAIN PROTECTION | SUPPLIER REVIEWS [WITHDRAWN: Moved to SR-06.] SA-12(03) SUPPLY CHAIN PROTECTION | TRUSTED SHIPPING AND WAREHOUSING [WITHDRAWN: Incorporated into SR-03.] SA-12(04) SUPPLY CHAIN PROTECTION | DIVERSITY OF SUPPLIERS [WITHDRAWN: Moved to SR-03(01).] SA-12(05) SUPPLY CHAIN PROTECTION | LIMITATION OF HARM [WITHDRAWN: Moved to SR-03(02).] SA-12(06) SUPPLY CHAIN PROTECTION | MINIMIZING PROCUREMENT TIME [WITHDRAWN: Incorporated into SR-05(01).] SA-12(07) SUPPLY CHAIN PROTECTION | ASSESSMENTS PRIOR TO SELECTION / ACCEPTANCE / UPDATE [WITHDRAWN: Moved to SR-05(02).] 
SA-12(08) SUPPLY CHAIN PROTECTION | USE OF ALL-SOURCE INTELLIGENCE [WITHDRAWN: Incorporated into RA-03(02).] SA-12(09) SUPPLY CHAIN PROTECTION | OPERATIONS SECURITY [WITHDRAWN: Moved to SR-07.] SA-12(10) SUPPLY CHAIN PROTECTION | VALIDATE AS GENUINE AND NOT ALTERED [WITHDRAWN: Moved to SR-04(03).] SA-12(11) SUPPLY CHAIN PROTECTION | PENETRATION TESTING / ANALYSIS OF ELEMENTS, PROCESSES, AND ACTORS [WITHDRAWN: Moved to SR-06(01).] SA-12(12) SUPPLY CHAIN PROTECTION | INTER-ORGANIZATIONAL AGREEMENTS [WITHDRAWN: Moved to SR-08.] SA-12(13) SUPPLY CHAIN PROTECTION | CRITICAL INFORMATION SYSTEM COMPONENTS [WITHDRAWN: Incorporated into MA-06, RA-09.] SA-12(14) SUPPLY CHAIN PROTECTION | IDENTITY AND TRACEABILITY [WITHDRAWN: Incorporated into SR-04(01), SR-04(02).] SA-12(15) SUPPLY CHAIN PROTECTION | PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES [WITHDRAWN: Incorporated into SR-03.] SA-13 TRUSTWORTHINESS [WITHDRAWN: Incorporated into SA-08.] SA-14 CRITICALITY ANALYSIS [WITHDRAWN: Incorporated into RA-09.] SA-14(01) CRITICALITY ANALYSIS | CRITICAL COMPONENTS WITH NO VIABLE ALTERNATIVE SOURCING [WITHDRAWN: Incorporated into SA-20.] 
SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS ASSESSMENT OBJECTIVE: Determine if: SA-15_ODP[01] frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined; SA-15_ODP[02] security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined; SA-15_ODP[03] privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined; SA-15a.01[01] the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements; SA-15a.01[02] the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements; SA-15a.02[01] the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process; SA-15a.02[02] the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process; SA-15a.03[01] the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool options used in the development process; SA-15a.03[02] the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process; SA-15a.04 the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development; SA-15b.[01] the developer of the system, system component, or system service is required to 
follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy ; SA-15b.[02] the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing development process, standards, and tools; procedures addressing the integration of security and privacy requirements during the development process; solicitation documentation; acquisition documentation; critical component inventory documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer documentation listing tool options/configuration guides; configuration management policy; configuration management records; documentation of development process reviews using maturity models; change control records; configuration control records; documented reviews of the development process, standards, tools, and tool options/configurations; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SA-15-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer]. 
SA-15(01) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | QUALITY METRICS ASSESSMENT OBJECTIVE: Determine if: SA-15(01)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {; ; upon delivery}; SA-15(01)_ODP[02] frequency at which to provide evidence of meeting the quality metrics is defined (if selected); SA-15(01)_ODP[03] program review milestones are defined (if selected); SA-15(01)(a) the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process; SA-15(01)(b) the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(01)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing the integration of security requirements into the acquisition process; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; list of quality metrics; documentation evidence of meeting quality metrics; system security plan; other relevant documents or records]. SA-15(01)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer]. SA-15(02) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | SECURITY AND PRIVACY TRACKING TOOLS ASSESSMENT OBJECTIVE: Determine if: SA-15(02)[01] the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process; SA-15(02)[02] the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(02)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing development process, standards, and tools; procedures addressing the integration of security and privacy requirements into the acquisition process; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; documentation of the selection of security and privacy tracking tools; evidence of employing security and privacy tracking tools; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SA-15(02)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with privacy responsibilities]. SA-15(03) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | CRITICALITY ANALYSIS ASSESSMENT OBJECTIVE: Determine if: SA-15(03)_ODP[01] decision points in the system development life cycle are defined; SA-15(03)_ODP[02] the breadth of criticality analysis is defined; SA-15(03)_ODP[03] the depth of criticality analysis is defined; SA-15(03)(a) the developer of the system, system component, or system service is required to perform a criticality analysis at in the system development life cycle; SA-15(03)(b)[01] the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: ; SA-15(03)(b)[02] the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(03)-Examine [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing criticality analysis requirements for the system, system component, or system service; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; criticality analysis documentation; business impact analysis documentation; software development life cycle documentation; system security plan; other relevant documents or records]. SA-15(03)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for performing criticality analysis; system developer; organizational personnel with supply chain risk management responsibilities]. SA-15(03)-Test [SELECT FROM: Organizational processes for performing criticality analysis; automated mechanisms supporting and/or implementing criticality analysis]. SA-15(04) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | THREAT MODELING AND VULNERABILITY ANALYSIS [WITHDRAWN: Incorporated into SA-11(02).] SA-15(05) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ATTACK SURFACE REDUCTION ASSESSMENT OBJECTIVE: Determine if: SA-15(05)_ODP thresholds to which attack surfaces are to be reduced are defined; SA-15(05) the developer of the system, system component, or system service is required to reduce attack surfaces to . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(05)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; procedures addressing attack surface reduction; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system or system service; system design documentation; network diagram; system configuration settings and associated documentation establishing/enforcing organization-defined thresholds for reducing attack surfaces; list of restricted ports, protocols, functions, and services; system security plan; other relevant documents or records]. SA-15(05)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for attack surface reduction thresholds; system developer]. SA-15(05)-Test [SELECT FROM: Organizational processes for defining attack surface reduction thresholds]. SA-15(06) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | CONTINUOUS IMPROVEMENT ASSESSMENT OBJECTIVE: Determine if: SA-15(06) the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(06)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; quality goals and metrics for improving the system development process; security assessments; quality control reviews of system development process; plans of action and milestones for improving the system development process; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SA-15(06)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer]. SA-15(07) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | AUTOMATED VULNERABILITY ANALYSIS ASSESSMENT OBJECTIVE: Determine if: SA-15(07)_ODP[01] frequency at which to conduct vulnerability analysis is defined; SA-15(07)_ODP[02] tools used to perform automated vulnerability analysis are defined; SA-15(07)_ODP[03] personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is/are defined; SA-15(07)(a) the developer of the system, system component, or system service is required to perform automated vulnerability analysis using ; SA-15(07)(b) the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities ; SA-15(07)(c) the developer of the system, system component, or system service is required to determine potential risk mitigations for delivered vulnerabilities; SA-15(07)(d) the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis 
to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(07)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; vulnerability analysis tools and associated documentation; risk assessment reports; vulnerability analysis results; vulnerability mitigation reports; risk mitigation strategy documentation; system security plan; other relevant documents or records]. SA-15(07)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel performing automated vulnerability analysis on the system]. SA-15(07)-Test [SELECT FROM: Organizational processes for vulnerability analysis of systems, system components, or system services under development; automated mechanisms supporting and/or implementing vulnerability analysis of systems, system components, or system services under development]. SA-15(08) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | REUSE OF THREAT AND VULNERABILITY INFORMATION ASSESSMENT OBJECTIVE: Determine if: SA-15(08)[01] the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process; SA-15(08)[02] the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(08)-Examine [SELECT FROM: System and services acquisition policy; supply chain risk management plan; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; threat modeling and vulnerability analyses from similar systems, system components, or system services; system security plan; other relevant documents or records]. SA-15(08)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with supply chain risk management responsibilities]. SA-15(09) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | USE OF LIVE DATA [WITHDRAWN: Incorporated into SA-03(02).] SA-15(10) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | INCIDENT RESPONSE PLAN ASSESSMENT OBJECTIVE: Determine if: SA-15(10)[01] the developer of the system, system component, or system service is required to provide an incident response plan; SA-15(10)[02] the developer of the system, system component, or system service is required to implement an incident response plan; SA-15(10)[03] the developer of the system, system component, or system service is required to test an incident response plan. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(10)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing incident response, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system components or services; developer incident response plan; system security plan; privacy plan; supply chain risk management plan; other relevant documents or records]. 
SA-15(10)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with supply chain risk management responsibilities]. SA-15(11) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | ARCHIVE SYSTEM OR COMPONENT ASSESSMENT OBJECTIVE: Determine if: SA-15(11) the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(11)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing development process, standards, and tools; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system or system component; evidence of archived system or component; system security plan; privacy plan; other relevant documents or records]. SA-15(11)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with privacy responsibilities]. SA-15(12) DEVELOPMENT PROCESS, STANDARDS, AND TOOLS | MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION ASSESSMENT OBJECTIVE: Determine if: SA-15(12) the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-15(12)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing the development process; procedures addressing the minimization of personally identifiable information in testing, training, and research; personally identifiable information processing policy; procedures addressing the authority to test with personally identifiable information; standards and tools; solicitation documentation; service level agreements; acquisition contracts for the system or services; system security plan; privacy plan; other relevant documents or records]. SA-15(12)-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer]. SA-15(12)-Test [SELECT FROM: Organizational processes for the minimization of personally identifiable information in development and test environments; automated mechanisms to facilitate minimization of personally identifiable information in development and test environments]. SA-16 DEVELOPER-PROVIDED TRAINING ASSESSMENT OBJECTIVE: Determine if: SA-16_ODP training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms provided by the developer of the system, system component, or system service is defined; SA-16 the developer of the system, system component, or system service is required to provide on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-16-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; procedures addressing developer-provided training; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; organizational security and privacy training policy; developer-provided training materials; training records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SA-16-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer; external or internal (in-house) developers with training responsibilities for the system, system component, or information system service]. SA-17 DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN ASSESSMENT OBJECTIVE: Determine if: SA-17(a)[01] the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part of the organization’s enterprise architecture; SA-17(a)[02] the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part of the organization’s enterprise architecture; SA-17(b)[01] the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components; SA-17(b)[02] the developer of the system, system component, or system 
service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components; SA-17(c)[01] the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection; SA-17(c)[02] the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-17-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; enterprise architecture policy; enterprise architecture documentation; procedures addressing developer security and privacy architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; information system configuration settings and associated documentation; system security plan; privacy plan; other relevant documents or records]. SA-17-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer]. 
SA-17(01) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | FORMAL POLICY MODEL ASSESSMENT OBJECTIVE: Determine if: SA-17(01)_ODP[01] organizational security policy to be enforced is defined; SA-17(01)_ODP[02] organizational privacy policy to be enforced is defined; SA-17(01)(a)[01] as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the to be enforced; SA-17(01)(a)[02] as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the to be enforced; SA-17(01)(b)[01] the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented; SA-17(01)(b)[02] the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-17(01)-Examine [SELECT FROM: System and services acquisition policy; system and services acquisition procedures; enterprise architecture policy; enterprise architecture documentation; procedures addressing developer security and privacy architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system configuration settings and associated documentation; system security plan; privacy plan; other relevant documents or records]. 
SA-17(01)-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer]. SA-17(02) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | SECURITY-RELEVANT COMPONENTS ASSESSMENT OBJECTIVE: Determine if: SA-17(02)(a)[01] the developer of the system, system component, or system service is required to define security-relevant hardware; SA-17(02)(a)[02] the developer of the system, system component, or system service is required to define security-relevant software; SA-17(02)(a)[03] the developer of the system, system component, or system service is required to define security-relevant firmware; SA-17(02)(b) the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SA-17(02)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; list of security-relevant hardware, software, and firmware components; documented rationale of completeness regarding definitions provided for security-relevant hardware, software, and firmware; system security plan; other relevant documents or records]. SA-17(02)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developers; organizational personnel with information security architecture and design responsibilities]. 
SA-17(03) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | FORMAL CORRESPONDENCE

ASSESSMENT OBJECTIVE: Determine if:
SA-17(03)(a)[01] as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;
SA-17(03)(a)[02] as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;
SA-17(03)(a)[03] as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;
SA-17(03)(b) the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;
SA-17(03)(c) the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
SA-17(03)(d) the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;
SA-17(03)(e) the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-17(03)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; formal policy model; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; formal top-level specification documentation; system security architecture and design documentation; system design documentation; system configuration settings and associated documentation; documentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification documentation; system security plan; other relevant documents or records].
SA-17(03)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture and design responsibilities].
SA-17(04) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | INFORMAL CORRESPONDENCE

ASSESSMENT OBJECTIVE: Determine if:
SA-17(04)_ODP one of the following PARAMETER VALUES is selected: {informal demonstration, convincing argument with formal methods as feasible};
SA-17(04)(a)[01] as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;
SA-17(04)(a)[02] as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;
SA-17(04)(a)[03] as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;
SA-17(04)(b) the developer of the system, system component, or system service is required to show via that the descriptive top-level specification is consistent with the formal policy model;
SA-17(04)(c) the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
SA-17(04)(d) the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;
SA-17(04)(e) the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-17(04)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; formal policy model; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; informal, descriptive top-level specification documentation; system security architecture and design documentation; system design documentation; system configuration settings and associated documentation; documentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the informal, descriptive top-level specification documentation; system security plan; other relevant documents or records].
SA-17(04)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture and design responsibilities].

SA-17(05) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | CONCEPTUALLY SIMPLE DESIGN

ASSESSMENT OBJECTIVE: Determine if:
SA-17(05)(a) the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;
SA-17(05)(b) the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-17(05)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system security architecture documentation; system configuration settings and associated documentation; developer documentation describing the design and structure of security-relevant hardware, software, and firmware components; system security plan; other relevant documents or records].
SA-17(05)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture and design responsibilities].

SA-17(06) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | STRUCTURE FOR TESTING

ASSESSMENT OBJECTIVE: Determine if:
SA-17(06) the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-17(06)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system security architecture documentation; privacy architecture documentation; system configuration settings and associated documentation; developer documentation describing the design and structure of security-relevant hardware, software, and firmware components to facilitate testing; system security plan; privacy plan; other relevant documents or records].
SA-17(06)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer; organizational personnel with information security and privacy architecture and design responsibilities].

SA-17(07) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | STRUCTURE FOR LEAST PRIVILEGE

ASSESSMENT OBJECTIVE: Determine if:
SA-17(07) the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-17(07)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design specifications for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system security architecture documentation; system configuration settings and associated documentation; developer documentation describing the design and structure of security-relevant hardware, software, and firmware components to facilitate controlling access with least privilege; system security plan; other relevant documents or records].
SA-17(07)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture and design responsibilities].

SA-17(08) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | ORCHESTRATION

ASSESSMENT OBJECTIVE: Determine if:
SA-17(08)_ODP[01] critical systems or system components are defined;
SA-17(08)_ODP[02] capabilities to be implemented by systems or components are defined;
SA-17(08) are designed with coordinated behavior to implement .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-17(08)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security and privacy architecture and design; enterprise architecture; security architecture; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system configuration settings and associated documentation; developer documentation describing design orchestration; system security plan; privacy plan; other relevant documents or records].
SA-17(08)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security and privacy responsibilities; system developer; organizational personnel with information security architecture responsibilities].

SA-17(09) DEVELOPER SECURITY AND PRIVACY ARCHITECTURE AND DESIGN | DESIGN DIVERSITY

ASSESSMENT OBJECTIVE: Determine if:
SA-17(09)_ODP critical systems or system components to be designed differently are defined;
SA-17(09) different designs are used for to satisfy a common set of requirements or to provide equivalent functionality.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-17(09)-Examine [SELECT FROM: System and services acquisition policy; enterprise architecture policy; procedures addressing developer security architecture and design diversity for the system; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system design documentation; system security architecture documentation; system configuration settings and associated documentation; developer documentation describing design diversity; system security plan; other relevant documents or records].
SA-17(09)-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; system developer; organizational personnel with information security architecture responsibilities].

SA-18 TAMPER RESISTANCE AND DETECTION [WITHDRAWN: Moved to SR-09.]
SA-18(01) TAMPER RESISTANCE AND DETECTION | MULTIPLE PHASES OF SYSTEM DEVELOPMENT LIFE CYCLE [WITHDRAWN: Moved to SR-09(01).]
SA-18(02) TAMPER RESISTANCE AND DETECTION | INSPECTION OF SYSTEMS OR COMPONENTS [WITHDRAWN: Moved to SR-10.]
SA-19 COMPONENT AUTHENTICITY [WITHDRAWN: Moved to SR-11.]
SA-19(01) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT TRAINING [WITHDRAWN: Moved to SR-11(01).]
SA-19(02) COMPONENT AUTHENTICITY | CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR [WITHDRAWN: Moved to SR-11(02).]
SA-19(03) COMPONENT AUTHENTICITY | COMPONENT DISPOSAL [WITHDRAWN: Moved to SR-12.]
SA-19(04) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT SCANNING [WITHDRAWN: Moved to SR-11(03).]

SA-20 CUSTOMIZED DEVELOPMENT OF CRITICAL COMPONENTS

ASSESSMENT OBJECTIVE: Determine if:
SA-20_ODP critical system components to be reimplemented or custom-developed are defined;
SA-20 are reimplemented or custom-developed.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-20-Examine [SELECT FROM: Supply chain risk management plan; system and services acquisition policy; procedures addressing the customized development of critical system components; system design documentation; system configuration settings and associated documentation; system development life cycle documentation addressing the custom development of critical system components; configuration management records; system audit records; system security plan; other relevant documents or records].
SA-20-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with responsibility for the reimplementation or customized development of critical system components].
SA-20-Test [SELECT FROM: Organizational processes for the reimplementation or customized development of critical system components; automated mechanisms supporting and/or implementing reimplementation or customized development of critical system components].

SA-21 DEVELOPER SCREENING

ASSESSMENT OBJECTIVE: Determine if:
SA-21_ODP[01] the system, system component, or system service that the developer has access to is/are defined;
SA-21_ODP[02] official government duties assigned to the developer are defined;
SA-21_ODP[03] additional personnel screening criteria for the developer are defined;
SA-21(a) the developer of is required to have appropriate access authorizations as determined by assigned ;
SA-21(b) the developer of is required to satisfy .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-21-Examine [SELECT FROM: System and services acquisition policy; personnel security policy and procedures; procedures addressing personnel screening; system design documentation; acquisition documentation; service level agreements; acquisition contracts for developer services; system configuration settings and associated documentation; list of appropriate access authorizations required by the developers of the system; personnel screening criteria and associated documentation; system security plan; supply chain risk management plan; other relevant documents or records].
SA-21-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel responsible for developer screening].
SA-21-Test [SELECT FROM: Organizational processes for developer screening; automated mechanisms supporting developer screening].

SA-21(01) DEVELOPER SCREENING | VALIDATION OF SCREENING [WITHDRAWN: Incorporated into SA-21.]

SA-22 UNSUPPORTED SYSTEM COMPONENTS

ASSESSMENT OBJECTIVE: Determine if:
SA-22_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {in-house support; };
SA-22_ODP[02] support from external providers is defined (if selected);
SA-22(a) system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;
SA-22(b) provide options for alternative sources for continued support for unsupported components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-22-Examine [SELECT FROM: System and services acquisition policy; procedures addressing the replacement or continued use of unsupported system components; documented evidence of replacing unsupported system components; documented approvals (including justification) for the continued use of unsupported system components; system security plan; supply chain risk management plan; other relevant documents or records].
SA-22-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with the responsibility for the system development life cycle; organizational personnel responsible for component replacement].
SA-22-Test [SELECT FROM: Organizational processes for replacing unsupported system components; automated mechanisms supporting and/or implementing the replacement of unsupported system components].

SA-22(01) UNSUPPORTED SYSTEM COMPONENTS | ALTERNATIVE SOURCES FOR CONTINUED SUPPORT [WITHDRAWN: Incorporated into SA-22.]
SA-23 SPECIALIZATION

ASSESSMENT OBJECTIVE: Determine if:
SA-23_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {design modification; augmentation; reconfiguration};
SA-23_ODP[02] systems or system components supporting mission-essential services or functions are defined;
SA-23 is employed on supporting essential services or functions to increase the trustworthiness in those systems or components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SA-23-Examine [SELECT FROM: System and services acquisition policy; procedures addressing design modification, augmentation, or reconfiguration of systems or system components; documented evidence of design modification, augmentation, or reconfiguration; system security plan; supply chain risk management plan; other relevant documents or records].
SA-23-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with the responsibility for security architecture; organizational personnel responsible for configuration management].
SA-23-Test [SELECT FROM: Organizational processes for the modification of design, augmentation, or reconfiguration of systems or system components; automated mechanisms supporting and/or implementing design modification, augmentation, or reconfiguration of systems or system components].
4.18 System and Communications Protection

SC-01 POLICY AND PROCEDURES

ASSESSMENT OBJECTIVE: Determine if:
SC-01_ODP[01] personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;
SC-01_ODP[02] personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;
SC-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business-process-level; system-level};
SC-01_ODP[04] an official to manage the system and communications protection policy and procedures is defined;
SC-01_ODP[05] the frequency at which the current system and communications protection policy is reviewed and updated is defined;
SC-01_ODP[06] events that would require the current system and communications protection policy to be reviewed and updated are defined;
SC-01_ODP[07] the frequency at which the current system and communications protection procedures are reviewed and updated is defined;
SC-01_ODP[08] events that would require the system and communications protection procedures to be reviewed and updated are defined;
SC-01a.[01] a system and communications protection policy is developed and documented;
SC-01a.[02] the system and communications protection policy is disseminated to ;
SC-01a.[03] system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;
SC-01a.[04] the system and communications protection procedures are disseminated to ;
SC-01a.01(a)[01] the system and communications protection policy addresses purpose;
SC-01a.01(a)[02] the system and communications protection policy addresses scope;
SC-01a.01(a)[03] the system and communications protection policy addresses roles;
SC-01a.01(a)[04] the system and communications protection policy addresses responsibilities;
SC-01a.01(a)[05] the system and communications protection policy addresses management commitment;
SC-01a.01(a)[06] the system and communications protection policy addresses coordination among organizational entities;
SC-01a.01(a)[07] the system and communications protection policy addresses compliance;
SC-01a.01(b) the system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
SC-01b. the is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;
SC-01c.01[01] the current system and communications protection policy is reviewed and updated ;
SC-01c.01[02] the current system and communications protection policy is reviewed and updated following ;
SC-01c.02[01] the current system and communications protection procedures are reviewed and updated ;
SC-01c.02[02] the current system and communications protection procedures are reviewed and updated following .

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-01-Examine [SELECT FROM: System and communications protection policy; system and communications protection procedures; system security plan; privacy plan; risk management strategy documentation; audit findings; other relevant documents or records].
SC-01-Interview [SELECT FROM: Organizational personnel with system and communications protection responsibilities; organizational personnel with information security and privacy responsibilities].

SC-02 SEPARATION OF SYSTEM AND USER FUNCTIONALITY

ASSESSMENT OBJECTIVE: Determine if:
SC-02 user functionality, including user interface services, is separated from system management functionality.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-02-Examine [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-02-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-02-Test [SELECT FROM: Separation of user functionality from system management functionality].

SC-02(01) SEPARATION OF SYSTEM AND USER FUNCTIONALITY | INTERFACES FOR NON-PRIVILEGED USERS

ASSESSMENT OBJECTIVE: Determine if:
SC-02(01) the presentation of system management functionality is prevented at interfaces to non-privileged users.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-02(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-02(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; non-privileged users of the system; system developer].
SC-02(01)-Test [SELECT FROM: Separation of user functionality from system management functionality].

SC-02(02) SEPARATION OF SYSTEM AND USER FUNCTIONALITY | DISASSOCIABILITY

ASSESSMENT OBJECTIVE: Determine if:
SC-02(02) state information is stored separately from applications and software.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-02(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing application and software partitioning; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
SC-02(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developer].
SC-02(02)-Test [SELECT FROM: Separation of application state information from software].

SC-03 SECURITY FUNCTION ISOLATION

ASSESSMENT OBJECTIVE: Determine if:
SC-03 security functions are isolated from non-security functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-03-Examine [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of security functions to be isolated from non-security functions; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-03-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-03-Test [SELECT FROM: Separation of security functions from non-security functions within the system].

SC-03(01) SECURITY FUNCTION ISOLATION | HARDWARE SEPARATION

ASSESSMENT OBJECTIVE: Determine if:
SC-03(01) hardware separation mechanisms are employed to implement security function isolation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-03(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; system design documentation; hardware separation mechanisms; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-03(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-03(01)-Test [SELECT FROM: Separation of security functions from non-security functions within the system].

SC-03(02) SECURITY FUNCTION ISOLATION | ACCESS AND FLOW CONTROL FUNCTIONS

ASSESSMENT OBJECTIVE: Determine if:
SC-03(02)[01] security functions enforcing access control are isolated from non-security functions;
SC-03(02)[02] security functions enforcing access control are isolated from other security functions;
SC-03(02)[03] security functions enforcing information flow control are isolated from non-security functions;
SC-03(02)[04] security functions enforcing information flow control are isolated from other security functions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-03(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; list of critical security functions; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-03(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-03(02)-Test [SELECT FROM: Isolation of security functions enforcing access and information flow control].

SC-03(03) SECURITY FUNCTION ISOLATION | MINIMIZE NONSECURITY FUNCTIONALITY

ASSESSMENT OBJECTIVE: Determine if:
SC-03(03) the number of non-security functions included within the isolation boundary containing security functions is minimized.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-03(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-03(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-03(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing an isolation boundary].

SC-03(04) SECURITY FUNCTION ISOLATION | MODULE COUPLING AND COHESIVENESS

ASSESSMENT OBJECTIVE: Determine if:
SC-03(04)[01] security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;
SC-03(04)[02] security functions are implemented as largely independent modules that minimize coupling between modules.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-03(04)-Examine [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-03(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-03(04)-Test [SELECT FROM: Organizational processes for maximizing internal cohesiveness within modules and minimizing coupling between modules; automated mechanisms supporting and/or implementing security functions as independent modules].

SC-03(05) SECURITY FUNCTION ISOLATION | LAYERED STRUCTURES

ASSESSMENT OBJECTIVE: Determine if:
SC-03(05) security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-03(05)-Examine [SELECT FROM: System and communications protection policy; procedures addressing security function isolation; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-03(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-03(05)-Test [SELECT FROM: Organizational processes for implementing security functions as a layered structure that minimizes interactions between layers and avoids dependence by lower layers on functionality/correctness of higher layers; automated mechanisms supporting and/or implementing security functions as a layered structure].

SC-04 INFORMATION IN SHARED SYSTEM RESOURCES

ASSESSMENT OBJECTIVE: Determine if:
SC-04[01] unauthorized information transfer via shared system resources is prevented;
SC-04[02] unintended information transfer via shared system resources is prevented.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-04-Examine [SELECT FROM: System and communications protection policy; procedures addressing information protection in shared system resources; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-04-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-04-Test [SELECT FROM: Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources].

SC-04(01) INFORMATION IN SHARED SYSTEM RESOURCES | SECURITY LEVELS [WITHDRAWN: Incorporated into SC-04.]

SC-04(02) INFORMATION IN SHARED SYSTEM RESOURCES | MULTILEVEL OR PERIODS PROCESSING

ASSESSMENT OBJECTIVE: Determine if:
SC-04(02)_ODP procedures to prevent unauthorized information transfer via shared resources are defined;
SC-04(02) unauthorized information transfer via shared resources is prevented in accordance with when system processing explicitly switches between different information classification levels or security categories.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-04(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing information protection in shared system resources; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-04(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-04(02)-Test [SELECT FROM: Automated mechanisms preventing unauthorized transfer of information via shared system resources].

SC-05 DENIAL-OF-SERVICE PROTECTION
ASSESSMENT OBJECTIVE:
Determine if:
SC-05_ODP[01] types of denial-of-service events to be protected against or limited are defined;
SC-05_ODP[02] one of the following PARAMETER VALUES is selected: {protect against; limit};
SC-05_ODP[03] controls by type of denial-of-service event are defined;
SC-05a. the effects of are ;
SC-05b. are employed to achieve the denial-of-service protection objective.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-05-Examine [SELECT FROM: System and communications protection policy; procedures addressing denial-of-service protection; system design documentation; list of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks; list of security safeguards protecting against or limiting the effects of denial-of-service attacks; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-05-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer].
SC-05-Test [SELECT FROM: Automated mechanisms protecting against or limiting the effects of denial-of-service attacks].
SC-05(01) DENIAL-OF-SERVICE PROTECTION | RESTRICT ABILITY TO ATTACK OTHER SYSTEMS
ASSESSMENT OBJECTIVE:
Determine if:
SC-05(01)_ODP denial-of-service attacks to be restricted are defined;
SC-05(01) the ability of individuals to launch against other systems is restricted.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-05(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing denial-of-service protection; system design documentation; list of denial-of-service attacks launched by individuals against systems; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-05(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer].
SC-05(01)-Test [SELECT FROM: Automated mechanisms restricting the ability to launch denial-of-service attacks against other systems].

SC-05(02) DENIAL-OF-SERVICE PROTECTION | CAPACITY, BANDWIDTH, AND REDUNDANCY
ASSESSMENT OBJECTIVE:
Determine if:
SC-05(02) capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-05(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing denial-of-service protection; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-05(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities; system developer].
SC-05(02)-Test [SELECT FROM: Automated mechanisms implementing management of system bandwidth, capacity, and redundancy to limit the effects of information flooding denial-of-service attacks].

SC-05(03) DENIAL-OF-SERVICE PROTECTION | DETECTION AND MONITORING
ASSESSMENT OBJECTIVE:
Determine if:
SC-05(03)_ODP[01] monitoring tools for detecting indicators of denial-of-service attacks are defined;
SC-05(03)_ODP[02] system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks are defined;
SC-05(03)(a) are employed to detect indicators of denial-of-service attacks against or launched from the system;
SC-05(03)(b) are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-05(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing denial-of-service protection; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-05(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with detection and monitoring responsibilities].
SC-05(03)-Test [SELECT FROM: Automated mechanisms/tools implementing system monitoring for denial-of-service attacks].

SC-06 RESOURCE AVAILABILITY
ASSESSMENT OBJECTIVE:
Determine if:
SC-06_ODP[01] resources to be allocated to protect the availability of resources are defined;
SC-06_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {priority; quota; };
SC-06_ODP[03] controls to protect the availability of resources are defined (if selected);
SC-06 the availability of resources is protected by allocating by .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-06-Examine [SELECT FROM: System and communications protection policy; procedures addressing prioritization of system resources; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-06-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-06-Test [SELECT FROM: Automated mechanisms supporting and/or implementing resource allocation capability; safeguards employed to protect availability of resources].

SC-07 BOUNDARY PROTECTION
ASSESSMENT OBJECTIVE:
Determine if:
SC-07_ODP one of the following PARAMETER VALUES is selected: {physically; logically};
SC-07a.[01] communications at external managed interfaces to the system are monitored;
SC-07a.[02] communications at external managed interfaces to the system are controlled;
SC-07a.[03] communications at key internal managed interfaces within the system are monitored;
SC-07a.[04] communications at key internal managed interfaces within the system are controlled;
SC-07b. subnetworks for publicly accessible system components are separated from internal organizational networks;
SC-07c. external networks or systems are only connected through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; system configuration settings and associated documentation; enterprise security architecture documentation; system audit records; system security plan; other relevant documents or records].
SC-07-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07-Test [SELECT FROM: Automated mechanisms implementing boundary protection capabilities].

SC-07(01) BOUNDARY PROTECTION | PHYSICALLY SEPARATED SUBNETWORKS
[WITHDRAWN: Incorporated into SC-07.]

SC-07(02) BOUNDARY PROTECTION | PUBLIC ACCESS
[WITHDRAWN: Incorporated into SC-07.]

SC-07(03) BOUNDARY PROTECTION | ACCESS POINTS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(03) the number of external network connections to the system is limited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; boundary protection hardware and software; system architecture and configuration documentation; system configuration settings and associated documentation; communications and network traffic monitoring logs; system audit records; system security plan; other relevant documents or records].
SC-07(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SC-07(03)-Test [SELECT FROM: Automated mechanisms implementing boundary protection capabilities; automated mechanisms limiting the number of external network connections to the system].
SC-07(04) BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(04)_ODP the frequency at which to review exceptions to traffic flow policy is defined;
SC-07(04)(a) a managed interface is implemented for each external telecommunication service;
SC-07(04)(b) a traffic flow policy is established for each managed interface;
SC-07(04)(c)[01] the confidentiality of the information being transmitted across each interface is protected;
SC-07(04)(c)[02] the integrity of the information being transmitted across each interface is protected;
SC-07(04)(d) each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;
SC-07(04)(e)[01] exceptions to the traffic flow policy are reviewed ;
SC-07(04)(e)[02] exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;
SC-07(04)(f) unauthorized exchanges of control plane traffic with external networks are prevented;
SC-07(04)(g) information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;
SC-07(04)(h) unauthorized control plane traffic is filtered from external networks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(04)-Examine [SELECT FROM: System and communications protection policy; traffic flow policy; information flow control policy; procedures addressing boundary protection; system security architecture; system design documentation; boundary protection hardware and software; system architecture and configuration documentation; system configuration settings and associated documentation; records of traffic flow policy exceptions; system audit records; system security plan; other relevant documents or records].
SC-07(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SC-07(04)-Test [SELECT FROM: Organizational processes for documenting and reviewing exceptions to the traffic flow policy; organizational processes for removing exceptions to the traffic flow policy; automated mechanisms implementing boundary protection capabilities; managed interfaces implementing traffic flow policy].

SC-07(05) BOUNDARY PROTECTION | DENY BY DEFAULT — ALLOW BY EXCEPTION
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(05)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {at managed interfaces; for};
SC-07(05)_ODP[02] systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected);
SC-07(05)[01] network communications traffic is denied by default ;
SC-07(05)[02] network communications traffic is allowed by exception .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(05)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(05)-Test [SELECT FROM: Automated mechanisms implementing traffic management at managed interfaces].

SC-07(06) BOUNDARY PROTECTION | RESPONSE TO RECOGNIZED FAILURES
[WITHDRAWN: Incorporated into SC-07(18).]
SC-07(07) BOUNDARY PROTECTION | SPLIT TUNNELING FOR REMOTE DEVICES
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(07)_ODP safeguards to securely provision split tunneling are defined;
SC-07(07) split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(07)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(07)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(07)-Test [SELECT FROM: Automated mechanisms implementing boundary protection capabilities; automated mechanisms supporting/restricting non-remote connections].

SC-07(08) BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(08)_ODP[01] internal communications traffic to be routed to external networks is defined;
SC-07(08)_ODP[02] external networks to which internal communications traffic is to be routed are defined;
SC-07(08) is routed to through authenticated proxy servers at managed interfaces.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(08)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(08)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(08)-Test [SELECT FROM: Automated mechanisms implementing traffic management through authenticated proxy servers at managed interfaces].

SC-07(09) BOUNDARY PROTECTION | RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(09)(a)[01] outgoing communications traffic posing a threat to external systems is detected;
SC-07(09)(a)[02] outgoing communications traffic posing a threat to external systems is denied;
SC-07(09)(b) the identity of internal users associated with denied communications is audited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(09)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(09)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(09)-Test [SELECT FROM: Automated mechanisms implementing boundary protection capabilities; automated mechanisms implementing detection and denial of threatening outgoing communications traffic; automated mechanisms implementing auditing of outgoing communications traffic].

SC-07(10) BOUNDARY PROTECTION | PREVENT EXFILTRATION
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(10)_ODP the frequency for conducting exfiltration tests is defined;
SC-07(10)(a) the exfiltration of information is prevented;
SC-07(10)(b) exfiltration tests are conducted .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(10)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(10)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SC-07(10)-Test [SELECT FROM: Automated mechanisms implementing boundary protection capabilities; preventing unauthorized exfiltration of information across managed interfaces].

SC-07(11) BOUNDARY PROTECTION | RESTRICT INCOMING COMMUNICATIONS TRAFFIC
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(11)_ODP[01] authorized sources of incoming communications to be routed are defined;
SC-07(11)_ODP[02] authorized destinations to which incoming communications from authorized sources may be routed are defined;
SC-07(11) only incoming communications from are allowed to be routed to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(11)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(11)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(11)-Test [SELECT FROM: Automated mechanisms implementing boundary protection capabilities with respect to source/destination address pairs].
SC-07(12) BOUNDARY PROTECTION | HOST-BASED PROTECTION
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(12)_ODP[01] host-based boundary protection mechanisms to be implemented are defined;
SC-07(12)_ODP[02] system components where host-based boundary protection mechanisms are to be implemented are defined;
SC-07(12) are implemented .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(12)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; boundary protection hardware and software; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(12)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities; system users].
SC-07(12)-Test [SELECT FROM: Automated mechanisms implementing host-based boundary protection capabilities].

SC-07(13) BOUNDARY PROTECTION | ISOLATION OF SECURITY TOOLS, MECHANISMS, AND SUPPORT COMPONENTS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(13)_ODP information security tools, mechanisms, and support components to be isolated from other internal system components are defined;
SC-07(13) are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(13)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; list of security tools and support components to be isolated from other internal system components; system audit records; system security plan; other relevant documents or records].
SC-07(13)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SC-07(13)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing isolation of information security tools, mechanisms, and support components].

SC-07(14) BOUNDARY PROTECTION | PROTECT AGAINST UNAUTHORIZED PHYSICAL CONNECTIONS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(14)_ODP managed interfaces used to protect against unauthorized physical connections are defined;
SC-07(14) are protected against unauthorized physical connections.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(14)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; facility communications and wiring diagram; system security plan; other relevant documents or records].
SC-07(14)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SC-07(14)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing protection against unauthorized physical connections].

SC-07(15) BOUNDARY PROTECTION | NETWORKED PRIVILEGED ACCESSES
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(15)[01] networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;
SC-07(15)[02] networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(15)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; audit logs; system security plan; other relevant documents or records].
SC-07(15)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(15)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the routing of networked, privileged access through dedicated, managed interfaces].

SC-07(16) BOUNDARY PROTECTION | PREVENT DISCOVERY OF SYSTEM COMPONENTS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(16) the discovery of specific system components that represent a managed interface is prevented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(16)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(16)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(16)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the prevention of discovery of system components at managed interfaces].

SC-07(17) BOUNDARY PROTECTION | AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(17) adherence to protocol formats is enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(17)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(17)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(17)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing enforcement of adherence to protocol formats].

SC-07(18) BOUNDARY PROTECTION | FAIL SECURE
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(18) systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(18)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(18)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(18)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing secure failure].
SC-07(19) BOUNDARY PROTECTION | BLOCK COMMUNICATION FROM NON-ORGANIZATIONALLY CONFIGURED HOSTS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(19)_ODP communication clients that are independently configured by end users and external service providers are defined;
SC-07(19)[01] inbound communications traffic is blocked between that are independently configured by end users and external service providers;
SC-07(19)[02] outbound communications traffic is blocked between that are independently configured by end users and external service providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(19)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; list of communication clients independently configured by end users and external service providers; system audit records; system security plan; other relevant documents or records].
SC-07(19)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SC-07(19)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the blocking of inbound and outbound communications traffic between communication clients independently configured by end users and external service providers].

SC-07(20) BOUNDARY PROTECTION | DYNAMIC ISOLATION AND SEGREGATION
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(20)_ODP system components to be dynamically isolated from other system components are defined;
SC-07(20) the capability to dynamically isolate from other system components is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(20)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; list of system components to be dynamically isolated/segregated from other components of the system; system audit records; system security plan; other relevant documents or records].
SC-07(20)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(20)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the capability to dynamically isolate/segregate system components].

SC-07(21) BOUNDARY PROTECTION | ISOLATION OF SYSTEM COMPONENTS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(21)_ODP[01] system components to be isolated by boundary protection mechanisms are defined;
SC-07(21)_ODP[02] missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;
SC-07(21) boundary protection mechanisms are employed to isolate supporting .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(21)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; enterprise architecture documentation; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(21)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities].
SC-07(21)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the capability to separate system components supporting organizational missions and/or business functions].

SC-07(22) BOUNDARY PROTECTION | SEPARATE SUBNETS FOR CONNECTING TO DIFFERENT SECURITY DOMAINS
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(22) separate network addresses are implemented to connect to systems in different security domains.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(22)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(22)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(22)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing separate network addresses/different subnets].

SC-07(23) BOUNDARY PROTECTION | DISABLE SENDER FEEDBACK ON PROTOCOL VALIDATION FAILURE
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(23) feedback to senders is disabled on protocol format validation failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(23)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(23)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(23)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the disabling of feedback to senders on protocol format validation failure].

SC-07(24) BOUNDARY PROTECTION | PERSONALLY IDENTIFIABLE INFORMATION
ASSESSMENT OBJECTIVE:
Determine if:
SC-07(24)_ODP processing rules for systems that process personally identifiable information are defined;
SC-07(24)(a) are applied to data elements of personally identifiable information on systems that process personally identifiable information;
SC-07(24)(b)[01] permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;
SC-07(24)(b)[02] permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;
SC-07(24)(c) each processing exception is documented for systems that process personally identifiable information;
SC-07(24)(d)[01] exceptions for systems that process personally identifiable information are reviewed;
SC-07(24)(d)[02] exceptions for systems that process personally identifiable information that are no longer supported are removed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(24)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; personally identifiable information processing policies; list of key internal boundaries of the system; system design documentation; system configuration settings and associated documentation; enterprise security and privacy architecture documentation; system audit records; system security plan; privacy plan; personally identifiable information inventory documentation; data mapping documentation; other relevant documents or records].
SC-07(24)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(24)-Test [SELECT FROM: Automated mechanisms implementing boundary protection capabilities].

SC-07(25) BOUNDARY PROTECTION | UNCLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-07(25)_ODP[01] the unclassified national security system prohibited from directly connecting to an external network is defined;
SC-07(25)_ODP[02] the boundary protection device required for a direct connection to an external network is defined;
SC-07(25) the direct connection of to an external network without the use of is prohibited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(25)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(25)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(25)-Test [SELECT FROM: Automated mechanisms prohibiting the direct connection of unclassified national security systems to an external network].

SC-07(26) BOUNDARY PROTECTION | CLASSIFIED NATIONAL SECURITY SYSTEM CONNECTIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-07(26)_ODP the boundary protection device required for a direct connection to an external network is defined;
SC-07(26) the direct connection of classified national security system to an external network without the use of a is prohibited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(26)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(26)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(26)-Test [SELECT FROM: Automated mechanisms prohibiting the direct connection of classified national security systems to an external network].

SC-07(27) BOUNDARY PROTECTION | UNCLASSIFIED NON-NATIONAL SECURITY SYSTEM CONNECTIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-07(27)_ODP[01] the unclassified, non-national security system prohibited from directly connecting to an external network is defined;
SC-07(27)_ODP[02] the boundary protection device required for a direct connection of unclassified, non-national security system to an external network is defined;
SC-07(27) the direct connection of to an external network without the use of a is prohibited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(27)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(27)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(27)-Test [SELECT FROM: Automated mechanisms prohibiting the direct connection of unclassified, non-national security systems to an external network].

SC-07(28) BOUNDARY PROTECTION | CONNECTIONS TO PUBLIC NETWORKS
ASSESSMENT OBJECTIVE: Determine if:
SC-07(28)_ODP the system that is prohibited from directly connecting to a public network is defined;
SC-07(28) the direct connection of the to a public network is prohibited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(28)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-07(28)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(28)-Test [SELECT FROM: Automated mechanisms prohibiting the direct connection of systems to an external network].

SC-07(29) BOUNDARY PROTECTION | SEPARATE SUBNETS TO ISOLATE FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-07(29)_ODP[01] one of the following PARAMETER VALUES is selected: {physically; logically};
SC-07(29)_ODP[02] critical system components and functions to be isolated are defined;
SC-07(29) subnetworks are separated to isolate .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-07(29)-Examine [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; criticality analysis; system audit records; system security plan; other relevant documents or records].
SC-07(29)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with boundary protection responsibilities].
SC-07(29)-Test [SELECT FROM: Automated mechanisms separating critical system components and functions].

SC-08 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
ASSESSMENT OBJECTIVE: Determine if:
SC-08_ODP one or more of the following PARAMETER VALUES is/are selected: {confidentiality; integrity};
SC-08 the of transmitted information is/are protected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-08-Examine [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-08-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-08-Test [SELECT FROM: Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity].

SC-08(01) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SC-08(01)_ODP one or more of the following PARAMETER VALUES is/are selected: {prevent unauthorized disclosure of information; detect changes to information};
SC-08(01) cryptographic mechanisms are implemented to during transmission.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-08(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-08(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-08(01)-Test [SELECT FROM: Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity; automated mechanisms supporting and/or implementing alternative physical safeguards; organizational processes for defining and implementing alternative physical safeguards].

SC-08(02) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | PRE- AND POST-TRANSMISSION HANDLING
ASSESSMENT OBJECTIVE: Determine if:
SC-08(02)_ODP one or more of the following PARAMETER VALUES is/are selected: {confidentiality; integrity};
SC-08(02)[01] information is/are maintained during preparation for transmission;
SC-08(02)[02] information is/are maintained during reception.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-08(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-08(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-08(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing transmission confidentiality and/or integrity].

SC-08(03) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION FOR MESSAGE EXTERNALS
ASSESSMENT OBJECTIVE: Determine if:
SC-08(03)_ODP alternative physical controls to protect message externals are defined;
SC-08(03) cryptographic mechanisms are implemented to protect message externals unless otherwise protected by .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-08(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-08(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-08(03)-Test [SELECT FROM: Cryptographic mechanisms supporting and/or implementing transmission confidentiality and/or integrity for message externals; automated mechanisms supporting and/or implementing alternative physical safeguards; organizational processes for defining and implementing alternative physical safeguards].

SC-08(04) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CONCEAL OR RANDOMIZE COMMUNICATIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-08(04)_ODP alternative physical controls to protect against unauthorized disclosure of communication patterns are defined;
SC-08(04) cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-08(04)-Examine [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-08(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-08(04)-Test [SELECT FROM: Cryptographic mechanisms supporting and/or implementing concealment or randomization of communication patterns; automated mechanisms supporting and/or implementing alternative physical safeguards; organizational processes for defining and implementing alternative physical safeguards].

SC-08(05) TRANSMISSION CONFIDENTIALITY AND INTEGRITY | PROTECTED DISTRIBUTION SYSTEM
ASSESSMENT OBJECTIVE: Determine if:
SC-08(05)_ODP[01] the protected distribution system is defined;
SC-08(05)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {prevent unauthorized disclosure of information; detect changes to information};
SC-08(05) the is implemented to during transmission.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-08(05)-Examine [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-08(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-08(05)-Test [SELECT FROM: Cryptographic mechanisms supporting and/or implementing concealment or randomization of communication patterns; automated mechanisms supporting and/or implementing protected distribution systems].

SC-09 TRANSMISSION CONFIDENTIALITY
[WITHDRAWN: Incorporated into SC-08.]

SC-10 NETWORK DISCONNECT
ASSESSMENT OBJECTIVE: Determine if:
SC-10_ODP a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;
SC-10 the network connection associated with a communication session is terminated at the end of the session or after of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-10-Examine [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; system design documentation; security plan; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-10-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-10-Test [SELECT FROM: Automated mechanisms supporting and/or implementing network disconnect capability].

SC-11 TRUSTED PATH
ASSESSMENT OBJECTIVE: Determine if:
SC-11_ODP[01] one of the following PARAMETER VALUES is selected: {physically; logically};
SC-11_ODP[02] security functions of the system are defined;
SC-11a. a isolated trusted communication path is provided for communications between the user and the trusted components of the system;
SC-11b. users are permitted to invoke the trusted communication path for communications between the user and the of the system, including authentication and re-authentication, at a minimum.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-11-Examine [SELECT FROM: System and communications protection policy; procedures addressing trusted communication paths; security plan; system design documentation; system configuration settings and associated documentation; assessment results from independent, testing organizations; system audit records; system security plan; other relevant documents or records].
SC-11-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-11-Test [SELECT FROM: Automated mechanisms supporting and/or implementing trusted communication paths].
SC-11(01) TRUSTED PATH | IRREFUTABLE COMMUNICATIONS PATH
ASSESSMENT OBJECTIVE: Determine if:
SC-11(01)_ODP security functions of the system are defined;
SC-11(01)(a) a trusted communication path that is irrefutably distinguishable from other communication paths is provided;
SC-11(01)(b) the trusted communication path for communications between the of the system and the user is initiated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-11(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing trusted communication paths; security plan; system design documentation; system configuration settings and associated documentation; assessment results from independent, testing organizations; system audit records; system security plan; other relevant documents or records].
SC-11(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-11(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing trusted communication paths].

SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
ASSESSMENT OBJECTIVE: Determine if:
SC-12_ODP requirements for key generation, distribution, storage, access, and destruction are defined;
SC-12[01] cryptographic keys are established when cryptography is employed within the system in accordance with ;
SC-12[02] cryptographic keys are managed when cryptography is employed within the system in accordance with .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-12-Examine [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment and management; system design documentation; cryptographic mechanisms; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-12-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for cryptographic key establishment and/or management].
SC-12-Test [SELECT FROM: Automated mechanisms supporting and/or implementing cryptographic key establishment and management].

SC-12(01) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABILITY
ASSESSMENT OBJECTIVE: Determine if:
SC-12(01) information availability is maintained in the event of the loss of cryptographic keys by users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-12(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment, management, and recovery; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-12(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for cryptographic key establishment or management].
SC-12(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing cryptographic key establishment and management].

SC-12(02) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | SYMMETRIC KEYS
ASSESSMENT OBJECTIVE: Determine if:
SC-12(02)_ODP one of the following PARAMETER VALUES is selected: {NIST FIPS-validated; NSA-approved};
SC-12(02)[01] symmetric cryptographic keys are produced using key management technology and processes;
SC-12(02)[02] symmetric cryptographic keys are controlled using key management technology and processes;
SC-12(02)[03] symmetric cryptographic keys are distributed using key management technology and processes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-12(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment and management; system design documentation; system configuration settings and associated documentation; system audit records; list of FIPS-validated cryptographic products; list of NSA-approved cryptographic products; system security plan; other relevant documents or records].
SC-12(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for cryptographic key establishment or management].
SC-12(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing symmetric cryptographic key establishment and management].

SC-12(03) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | ASYMMETRIC KEYS
ASSESSMENT OBJECTIVE: Determine if:
SC-12(03)_ODP one of the following PARAMETER VALUES is selected: {NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements};
SC-12(03)[01] asymmetric cryptographic keys are produced using ;
SC-12(03)[02] asymmetric cryptographic keys are controlled using ;
SC-12(03)[03] asymmetric cryptographic keys are distributed using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-12(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment and management; system design documentation; system configuration settings and associated documentation; system audit records; list of NSA-approved cryptographic products; list of approved PKI Class 3 and Class 4 certificates; system security plan; other relevant documents or records].
SC-12(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for cryptographic key establishment or management; organizational personnel with responsibilities for PKI certificates].
SC-12(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing asymmetric cryptographic key establishment and management].

SC-12(04) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES
[WITHDRAWN: Incorporated into SC-12(03).]

SC-12(05) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PKI CERTIFICATES / HARDWARE TOKENS
[WITHDRAWN: Incorporated into SC-12(03).]

SC-12(06) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | PHYSICAL CONTROL OF KEYS
ASSESSMENT OBJECTIVE: Determine if:
SC-12(06) physical control of cryptographic keys is maintained when stored information is encrypted by external service providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-12(06)-Examine [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment, management, and recovery; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-12(06)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for cryptographic key establishment or management].
SC-12(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing cryptographic key establishment and management].

SC-13 CRYPTOGRAPHIC PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SC-13_ODP[01] cryptographic uses are defined;
SC-13_ODP[02] types of cryptography for each specified cryptographic use are defined;
SC-13a. are identified;
SC-13b. for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-13-Examine [SELECT FROM: System and communications protection policy; procedures addressing cryptographic protection; system design documentation; system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit records; system security plan; other relevant documents or records].
SC-13-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for cryptographic protection].
SC-13-Test [SELECT FROM: Automated mechanisms supporting and/or implementing cryptographic protection].

SC-13(01) CRYPTOGRAPHIC PROTECTION | FIPS-VALIDATED CRYPTOGRAPHY
[WITHDRAWN: Incorporated into SC-13.]

SC-13(02) CRYPTOGRAPHIC PROTECTION | NSA-APPROVED CRYPTOGRAPHY
[WITHDRAWN: Incorporated into SC-13.]

SC-13(03) CRYPTOGRAPHIC PROTECTION | INDIVIDUALS WITHOUT FORMAL ACCESS APPROVALS
[WITHDRAWN: Incorporated into SC-13.]

SC-13(04) CRYPTOGRAPHIC PROTECTION | DIGITAL SIGNATURES
[WITHDRAWN: Incorporated into SC-13.]

SC-14 PUBLIC ACCESS PROTECTIONS
[WITHDRAWN: Incorporated into AC-02, AC-03, AC-05, AC-06, SI-03, SI-04, SI-05, SI-07, SI-10.]
SC-15 COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-15_ODP exceptions where remote activation is to be allowed are defined;
SC-15a. remote activation of collaborative computing devices and applications is prohibited except ;
SC-15b. an explicit indication of use is provided to users physically present at the devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-15-Examine [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-15-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing collaborative computing devices].
SC-15-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices; automated mechanisms providing an indication of use of collaborative computing devices].

SC-15(01) COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS | PHYSICAL OR LOGICAL DISCONNECT
ASSESSMENT OBJECTIVE: Determine if:
SC-15(01)_ODP one or more of the following PARAMETER VALUES is/are selected: {physical; logical};
SC-15(01) the disconnect of collaborative computing devices is/are provided in a manner that supports ease of use.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-15(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-15(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing collaborative computing devices].
SC-15(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the physical disconnect of collaborative computing devices].

SC-15(02) COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS | BLOCKING INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
[WITHDRAWN: Incorporated into SC-07.]

SC-15(03) COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS | DISABLING AND REMOVAL IN SECURE WORK AREAS
ASSESSMENT OBJECTIVE: Determine if:
SC-15(03)_ODP[01] systems or system components from which collaborative computing devices are to be disabled or removed are defined;
SC-15(03)_ODP[02] secure work areas where collaborative computing devices are to be disabled or removed from systems or system components are defined;
SC-15(03) collaborative computing devices and applications are disabled or removed from in .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-15(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; list of secure work areas; systems or system components in secured work areas where collaborative computing devices are to be disabled or removed; system security plan; other relevant documents or records].
SC-15(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing collaborative computing devices].
SC-15(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the capability to disable collaborative computing devices].
SC-15(04) COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS | EXPLICITLY INDICATE CURRENT PARTICIPANTS
ASSESSMENT OBJECTIVE: Determine if:
SC-15(04)_ODP online meetings and teleconferences for which an explicit indication of current participants is to be provided are defined;
SC-15(04) an explicit indication of current participants in is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-15(04)-Examine [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; list of types of meetings and teleconferences requiring explicit indication of current participants; system security plan; other relevant documents or records].
SC-15(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing collaborative computing devices].
SC-15(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the capability to indicate participants on collaborative computing devices].

SC-16 TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES
ASSESSMENT OBJECTIVE: Determine if:
SC-16_ODP[01] security attributes to be associated with information exchanged are defined;
SC-16_ODP[02] privacy attributes to be associated with information exchanged are defined;
SC-16[01] are associated with information exchanged between systems;
SC-16[02] are associated with information exchanged between system components;
SC-16[03] are associated with information exchanged between systems;
SC-16[04] are associated with information exchanged between system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-16-Examine [SELECT FROM: System and communications protection policy; procedures addressing the transmission of security and privacy attributes; access control policy and procedures; information flow control policy; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
SC-16-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities].
SC-16-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the transmission of security and privacy attributes between systems].

SC-16(01) TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES | INTEGRITY VERIFICATION
ASSESSMENT OBJECTIVE: Determine if:
SC-16(01)[01] the integrity of transmitted security attributes is verified;
SC-16(01)[02] the integrity of transmitted privacy attributes is verified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-16(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing the transmission of security and privacy attributes; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
SC-16(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities].
SC-16(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing verification of the integrity of transmitted security and privacy attributes].
SC-16(02) TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES | ANTI-SPOOFING MECHANISMS
ASSESSMENT OBJECTIVE: Determine if:
SC-16(02) anti-spoofing mechanisms are implemented to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-16(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing the transmission of security and privacy attributes; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-16(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-16(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing anti-spoofing mechanisms].

SC-16(03) TRANSMISSION OF SECURITY AND PRIVACY ATTRIBUTES | CRYPTOGRAPHIC BINDING
ASSESSMENT OBJECTIVE: Determine if:
SC-16(03)_ODP mechanisms or techniques to bind security and privacy attributes to transmitted information are defined;
SC-16(03) are implemented to bind security and privacy attributes to transmitted information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-16(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing the transmission of security and privacy attributes; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-16(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-16(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing anti-spoofing mechanisms].
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
ASSESSMENT OBJECTIVE: Determine if:
SC-17_ODP a certificate policy for issuing public key certificates is defined;
SC-17a. public key certificates are issued under , or public key certificates are obtained from an approved service provider;
SC-17b. only approved trust anchors are included in trust stores or certificate stores managed by the organization.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-17-Examine [SELECT FROM: System and communications protection policy; procedures addressing public key infrastructure certificates; public key certificate policy or policies; public key issuing process; system security plan; other relevant documents or records].
SC-17-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for issuing public key certificates; service providers].
SC-17-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the management of public key infrastructure certificates].

SC-18 MOBILE CODE
ASSESSMENT OBJECTIVE: Determine if:
SC-18a.[01] acceptable mobile code is defined;
SC-18a.[02] unacceptable mobile code is defined;
SC-18a.[03] acceptable mobile code and mobile code technologies are defined;
SC-18a.[04] unacceptable mobile code and mobile code technologies are defined;
SC-18b.[01] the use of mobile code is authorized within the system;
SC-18b.[02] the use of mobile code is monitored within the system;
SC-18b.[03] the use of mobile code is controlled within the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-18-Examine [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code implementation policy and procedures; list of acceptable mobile code and mobile code technologies; list of unacceptable mobile code and mobile technologies; authorization records; system monitoring records; system audit records; system security plan; other relevant documents or records].
SC-18-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing mobile code].
SC-18-Test [SELECT FROM: Organizational process for authorizing, monitoring, and controlling mobile code; automated mechanisms supporting and/or implementing the management of mobile code; automated mechanisms supporting and/or implementing the monitoring of mobile code].

SC-18(01) MOBILE CODE | IDENTIFY UNACCEPTABLE CODE AND TAKE CORRECTIVE ACTIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-18(01)_ODP[01] unacceptable mobile code is defined;
SC-18(01)_ODP[02] corrective actions to be taken when unacceptable mobile code is identified are defined;
SC-18(01)[01] is identified;
SC-18(01)[02] are taken if unacceptable mobile code is identified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-18(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions; mobile code implementation policy and procedures; system design documentation; system configuration settings and associated documentation; list of unacceptable mobile code; list of corrective actions to be taken when unacceptable mobile code is identified; system monitoring records; system audit records; system security plan; other relevant documents or records].
SC-18(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing mobile code].
SC-18(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing mobile code detection, inspection, and corrective capabilities].

SC-18(02) MOBILE CODE | ACQUISITION, DEVELOPMENT, AND USE
ASSESSMENT OBJECTIVE: Determine if:
SC-18(02)_ODP mobile code requirements for the acquisition, development, and use of mobile code to be deployed in the system are defined;
SC-18(02)[01] the acquisition of mobile code to be deployed in the system meets ;
SC-18(02)[02] the development of mobile code to be deployed in the system meets ;
SC-18(02)[03] the use of mobile code to be deployed in the system meets .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-18(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code requirements; mobile code usage restrictions; mobile code implementation policy and procedures; acquisition documentation; acquisition contracts for system, system component, or system service; system development life cycle documentation; system security plan; other relevant documents or records].
SC-18(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing mobile code; organizational personnel with acquisition and contracting responsibilities].
SC-18(02)-Test [SELECT FROM: Organizational processes for the acquisition, development, and use of mobile code].

SC-18(03) MOBILE CODE | PREVENT DOWNLOADING AND EXECUTION
ASSESSMENT OBJECTIVE: Determine if:
SC-18(03)_ODP unacceptable mobile code to be prevented from downloading and executing is defined;
SC-18(03)[01] the download of is prevented;
SC-18(03)[02] the execution of is prevented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-18(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions; mobile code implementation policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-18(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing mobile code].
SC-18(03)-Test [SELECT FROM: Automated mechanisms preventing download and execution of unacceptable mobile code].

SC-18(04) MOBILE CODE | PREVENT AUTOMATIC EXECUTION
ASSESSMENT OBJECTIVE: Determine if:
SC-18(04)_ODP[01] software applications in which the automatic execution of mobile code is to be prevented are defined;
SC-18(04)_ODP[02] actions to be enforced by the system prior to executing mobile code are defined;
SC-18(04)[01] the automatic execution of mobile code in is prevented;
SC-18(04)[02] are enforced prior to executing mobile code.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-18(04)-Examine [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions; mobile code implementation policy and procedures; system design documentation; system configuration settings and associated documentation; list of software applications in which the automatic execution of mobile code must be prohibited; list of actions required before execution of mobile code; system security plan; other relevant documents or records].
SC-18(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing mobile code].
SC-18(04)-Test [SELECT FROM: Automated mechanisms preventing the automatic execution of unacceptable mobile code; automated mechanisms enforcing actions to be taken prior to the execution of the mobile code].

SC-18(05) MOBILE CODE | ALLOW EXECUTION ONLY IN CONFINED ENVIRONMENTS
ASSESSMENT OBJECTIVE: Determine if:
SC-18(05) execution of permitted mobile code is allowed only in confined virtual machine environments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-18(05)-Examine [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage allowances; mobile code usage restrictions; system design documentation; system configuration settings and associated documentation; list of confined virtual machine environments in which the execution of organizationally acceptable mobile code is allowed; system audit records; system security plan; other relevant documents or records].
SC-18(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel with responsibilities for managing mobile code].
SC-18(05)-Test [SELECT FROM: Automated mechanisms allowing the execution of permitted mobile code in confined virtual machine environments].

SC-19 VOICE OVER INTERNET PROTOCOL
[WITHDRAWN. Technology-specific; addressed as any other technology or protocol.]
SC-20 SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
ASSESSMENT OBJECTIVE: Determine if:
SC-20a.[01] additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
SC-20a.[02] integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
SC-20b.[01] the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;
SC-20b.[02] the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-20-Examine [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution services (authoritative source); system design documentation; system configuration settings and associated documentation; system security plan; other relevant documents or records].
SC-20-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing DNS].
SC-20-Test [SELECT FROM: Automated mechanisms supporting and/or implementing secure name/address resolution services].

SC-20(01) SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | CHILD SUBSPACES
[WITHDRAWN: Incorporated into SC-20.]

SC-20(02) SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) | DATA ORIGIN AND INTEGRITY
ASSESSMENT OBJECTIVE: Determine if:
SC-20(02)[01] data origin artifacts are provided for internal name/address resolution queries;
SC-20(02)[02] integrity protection artifacts are provided for internal name/address resolution queries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-20(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution services (authoritative source); system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-20(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing DNS].
SC-20(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing data origin and integrity protection for internal name/address resolution service queries].

SC-21 SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
ASSESSMENT OBJECTIVE: Determine if:
SC-21[01] data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;
SC-21[02] data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;
SC-21[03] data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;
SC-21[04] data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-21-Examine [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution services (recursive or caching resolver); system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-21-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing DNS].
SC-21-Test [SELECT FROM: Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services].

SC-21(01) SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) | DATA ORIGIN AND INTEGRITY
[WITHDRAWN: Incorporated into SC-21.]

SC-22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE
ASSESSMENT OBJECTIVE: Determine if:
SC-22[01] the systems that collectively provide name/address resolution services for an organization are fault-tolerant;
SC-22[02] the systems that collectively provide name/address resolution services for an organization implement internal role separation;
SC-22[03] the systems that collectively provide name/address resolution services for an organization implement external role separation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-22-Examine [SELECT FROM: System and communications protection policy; procedures addressing architecture and provisioning for name/address resolution services; access control policy and procedures; system design documentation; assessment results from independent testing organizations; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-22-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing DNS].
SC-22-Test [SELECT FROM: Automated mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation].

SC-23 SESSION AUTHENTICITY
ASSESSMENT OBJECTIVE: Determine if:
SC-23 the authenticity of communication sessions is protected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-23-Examine [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-23-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-23-Test [SELECT FROM: Automated mechanisms supporting and/or implementing session authenticity].

SC-23(01) SESSION AUTHENTICITY | INVALIDATE SESSION IDENTIFIERS AT LOGOUT
ASSESSMENT OBJECTIVE: Determine if:
SC-23(01) session identifiers are invalidated upon user logout or other session termination.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-23(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-23(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-23(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing session identifier invalidation upon session termination].

SC-23(02) SESSION AUTHENTICITY | USER-INITIATED LOGOUTS AND MESSAGE DISPLAYS
[WITHDRAWN: Incorporated into AC-12(01).]

SC-23(03) SESSION AUTHENTICITY | UNIQUE SYSTEM-GENERATED SESSION IDENTIFIERS
ASSESSMENT OBJECTIVE: Determine if:
SC-23(03)_ODP randomness requirements for generating a unique session identifier for each session are defined;
SC-23(03)[01] a unique session identifier is generated for each session with ;
SC-23(03)[02] only system-generated session identifiers are recognized.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-23(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-23(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-23(03)-Test [SELECT FROM: Automated mechanisms supporting, implementing, generating, and monitoring unique session identifiers; automated mechanisms supporting and/or implementing randomness requirements].

SC-23(04) SESSION AUTHENTICITY | UNIQUE SESSION IDENTIFIERS WITH RANDOMIZATION
[WITHDRAWN: Incorporated into SC-23(03).]

SC-23(05) SESSION AUTHENTICITY | ALLOWED CERTIFICATE AUTHORITIES
ASSESSMENT OBJECTIVE: Determine if:
SC-23(05)_ODP certificate authorities to be allowed for verification of the establishment of protected sessions are defined;
SC-23(05) only the use of for verification of the establishment of protected sessions is allowed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-23(05)-Examine [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; system design documentation; system configuration settings and associated documentation; list of certificate authorities allowed for verification of the establishment of protected sessions; system audit records; system security plan; other relevant documents or records].
SC-23(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-23(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the management of certificate authorities].
SC-24 FAIL IN KNOWN STATE
ASSESSMENT OBJECTIVE: Determine if:
SC-24_ODP[01] types of system failures for which the system components fail to a known state are defined;
SC-24_ODP[02] known system state to which system components fail in the event of a system failure is defined;
SC-24_ODP[03] system state information to be preserved in the event of a system failure is defined;
SC-24 fail to a while preserving in failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-24-Examine [SELECT FROM: System and communications protection policy; procedures addressing system failure to known state; system design documentation; system configuration settings and associated documentation; list of failures requiring system to fail in a known state; state information to be preserved in system failure; system audit records; system security plan; other relevant documents or records].
SC-24-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-24-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the fail in known state capability; automated mechanisms preserving system state information in the event of a system failure].

SC-25 THIN NODES
ASSESSMENT OBJECTIVE: Determine if:
SC-25_ODP system components to be employed with minimal functionality and information storage are defined;
SC-25[01] minimal functionality for is employed;
SC-25[02] minimal information storage on is allocated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-25-Examine [SELECT FROM: System and communications protection policy; procedures addressing use of thin nodes; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-25-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-25-Test [SELECT FROM: Automated mechanisms supporting and/or implementing thin nodes].

SC-26 DECOYS
ASSESSMENT OBJECTIVE: Determine if:
SC-26[01] components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks;
SC-26[02] components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks;
SC-26[03] components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-26-Examine [SELECT FROM: System and communications protection policy; procedures addressing the use of decoys; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-26-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-26-Test [SELECT FROM: Automated mechanisms supporting and/or implementing decoys].

SC-26(01) DECOYS | DETECTION OF MALICIOUS CODE
[WITHDRAWN: Incorporated into SC-35.]

SC-27 PLATFORM-INDEPENDENT APPLICATIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-27_ODP platform-independent applications to be included within organizational systems are defined;
SC-27 are included within organizational systems.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-27-Examine [SELECT FROM: System and communications protection policy; procedures addressing platform-independent applications; system design documentation; system configuration settings and associated documentation; list of platform-independent applications; system audit records; system security plan; other relevant documents or records].
SC-27-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-27-Test [SELECT FROM: Automated mechanisms supporting and/or implementing platform-independent applications].

SC-28 PROTECTION OF INFORMATION AT REST
ASSESSMENT OBJECTIVE: Determine if:
SC-28_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {confidentiality; integrity};
SC-28_ODP[02] information at rest requiring protection is defined;
SC-28 the of is/are protected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-28-Examine [SELECT FROM: System and communications protection policy; procedures addressing the protection of information at rest; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; list of information at rest requiring confidentiality and integrity protections; system security plan; other relevant documents or records].
SC-28-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-28-Test [SELECT FROM: Automated mechanisms supporting and/or implementing confidentiality and integrity protections for information at rest].

SC-28(01) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SC-28(01)_ODP[01] information requiring cryptographic protection is defined;
SC-28(01)_ODP[02] system components or media requiring cryptographic protection is/are defined;
SC-28(01)[01] cryptographic mechanisms are implemented to prevent unauthorized disclosure of at rest on ;
SC-28(01)[02] cryptographic mechanisms are implemented to prevent unauthorized modification of at rest on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-28(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing the protection of information at rest; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit records; system security plan; other relevant documents or records].
SC-28(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer].
SC-28(01)-Test [SELECT FROM: Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest].

SC-28(02) PROTECTION OF INFORMATION AT REST | OFFLINE STORAGE
ASSESSMENT OBJECTIVE: Determine if:
SC-28(02)_ODP information to be removed from online storage and stored offline in a secure location is defined;
SC-28(02)[01] is removed from online storage;
SC-28(02)[02] is stored offline in a secure location.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-28(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing the protection of information at rest; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; offline storage locations for information at rest; system audit records; system security plan; other relevant documents or records].
SC-28(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-28(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the removal of information from online storage; automated mechanisms supporting and/or implementing storage of information offline].
SC-28(03) PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC KEYS
ASSESSMENT OBJECTIVE: Determine if:
SC-28(03)_ODP[01] one of the following PARAMETER VALUES is selected: {; hardware-protected key store};
SC-28(03)_ODP[02] safeguards for protecting the storage of cryptographic keys are defined (if selected);
SC-28(03) protected storage for cryptographic keys is provided using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-28(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing the protection of information at rest; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit records; system security plan; other relevant documents or records].
SC-28(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities].
SC-28(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing hardware-based key store protection].

SC-29 HETEROGENEITY
ASSESSMENT OBJECTIVE: Determine if:
SC-29_ODP system components requiring a diverse set of information technologies to be employed in the implementation of the system are defined;
SC-29 a diverse set of information technologies is employed for in the implementation of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-29-Examine [SELECT FROM: System and communications protection policy; system design documentation; system configuration settings and associated documentation; list of technologies deployed in the system; acquisition documentation; acquisition contracts for system components or services; system security plan; other relevant documents or records].
SC-29-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with system acquisition, development, and implementation responsibilities].
SC-29-Test [SELECT FROM: Automated mechanisms supporting and/or implementing employment of a diverse set of information technologies].

SC-29(01) HETEROGENEITY | VIRTUALIZATION TECHNIQUES
ASSESSMENT OBJECTIVE: Determine if:
SC-29(01)_ODP the frequency at which to change the diversity of operating systems and applications deployed using virtualization techniques is defined;
SC-29(01) virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-29(01)-Examine [SELECT FROM: System and communications protection policy; configuration management policy and procedures; system design documentation; system configuration settings and associated documentation; system architecture; list of operating systems and applications deployed using virtualization techniques; change control records; configuration management records; system audit records; system security plan; other relevant documents or records].
SC-29(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for implementing approved virtualization techniques to the system].
SC-29(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the employment of a diverse set of information technologies; automated mechanisms supporting and/or implementing virtualization techniques].

SC-30 CONCEALMENT AND MISDIRECTION
ASSESSMENT OBJECTIVE: Determine if:
SC-30_ODP[01] concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined;
SC-30_ODP[02] systems for which concealment and misdirection techniques are to be employed are defined;
SC-30_ODP[03] time periods to employ concealment and misdirection techniques for systems are defined;
SC-30 are employed for for to confuse and mislead adversaries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-30-Examine [SELECT FROM: System and communications protection policy; procedures addressing concealment and misdirection techniques for the system; system design documentation; system configuration settings and associated documentation; system architecture; list of concealment and misdirection techniques to be employed for organizational systems; system audit records; system security plan; other relevant documents or records].
SC-30-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with the responsibility to implement concealment and misdirection techniques for systems].
SC-30-Test [SELECT FROM: Automated mechanisms supporting and/or implementing concealment and misdirection techniques].

SC-30(01) CONCEALMENT AND MISDIRECTION | VIRTUALIZATION TECHNIQUES
[WITHDRAWN: Incorporated into SC-29(01).]

SC-30(02) CONCEALMENT AND MISDIRECTION | RANDOMNESS
ASSESSMENT OBJECTIVE: Determine if:
SC-30(02)_ODP techniques employed to introduce randomness into organizational operations and assets are defined;
SC-30(02) are employed to introduce randomness into organizational operations and assets.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-30(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing concealment and misdirection techniques for the system; system design documentation; system configuration settings and associated documentation; system architecture; list of techniques to be employed to introduce randomness into organizational operations and assets; system audit records; system security plan; other relevant documents or records].
SC-30(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with the responsibility to implement concealment and misdirection techniques for systems].
SC-30(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing randomness as a concealment and misdirection technique].

SC-30(03) CONCEALMENT AND MISDIRECTION | CHANGE PROCESSING AND STORAGE LOCATIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-30(03)_ODP[01] processing and/or storage locations to be changed are defined;
SC-30(03)_ODP[02] one of the following PARAMETER VALUES is selected: {; random time intervals};
SC-30(03)_ODP[03] time frequency at which to change the location of processing and/or storage is defined (if selected);
SC-30(03) the location of is changed .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-30(03)-Examine [SELECT FROM: System and communications protection policy; configuration management policy and procedures; procedures addressing concealment and misdirection techniques for the system; list of processing/storage locations to be changed at organizational time intervals; change control records; configuration management records; system audit records; system security plan; other relevant documents or records].
SC-30(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with the responsibility to change processing and/or storage locations].
SC-30(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing changing processing and/or storage locations].

SC-30(04) CONCEALMENT AND MISDIRECTION | MISLEADING INFORMATION
ASSESSMENT OBJECTIVE: Determine if:
SC-30(04)_ODP system components for which realistic but misleading information about their security state or posture is employed are defined;
SC-30(04) realistic but misleading information about the security state or posture of is employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-30(04)-Examine [SELECT FROM: System and communications protection policy; configuration management policy and procedures; procedures addressing concealment and misdirection techniques for the system; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-30(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with the responsibility to define and employ realistic but misleading information about the security posture of system components].
SC-30(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the employment of realistic but misleading information about the security posture of system components].

SC-30(05) CONCEALMENT AND MISDIRECTION | CONCEALMENT OF SYSTEM COMPONENTS
ASSESSMENT OBJECTIVE: Determine if:
SC-30(05)_ODP[01] techniques to be employed to hide or conceal system components are defined;
SC-30(05)_ODP[02] system components to be hidden or concealed using techniques (as defined in SC-30(05)_ODP[01]) are defined;
SC-30(05) are employed to hide or conceal .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-30(05)-Examine [SELECT FROM: System and communications protection policy; configuration management policy and procedures; procedures addressing concealment and misdirection techniques for the system; system design documentation; system configuration settings and associated documentation; list of techniques employed to hide or conceal system components; list of system components to be hidden or concealed; system security plan; other relevant documents or records].
SC-30(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with the responsibility to conceal system components].
SC-30(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing techniques for the concealment of system components].

SC-31 COVERT CHANNEL ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
SC-31_ODP one or more of the following PARAMETER VALUES is/are selected: {storage; timing};
SC-31a. a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert channels;
SC-31b. the maximum bandwidth of those channels is estimated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-31-Examine [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; system design documentation; system configuration settings and associated documentation; covert channel analysis documentation; system audit records; system security plan; other relevant documents or records].
SC-31-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities; system developers/integrators].
SC-31-Test [SELECT FROM: Organizational process for conducting covert channel analysis; automated mechanisms supporting and/or implementing covert channel analysis; automated mechanisms supporting and/or implementing the capability to estimate the bandwidth of covert channels].

SC-31(01) COVERT CHANNEL ANALYSIS | TEST COVERT CHANNELS FOR EXPLOITABILITY
ASSESSMENT OBJECTIVE: Determine if:
SC-31(01) a subset of the identified covert channels is tested to determine the channels that are exploitable.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-31(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; system design documentation; system configuration settings and associated documentation; list of covert channels; covert channel analysis documentation; system audit records; system security plan; other relevant documents or records].
SC-31(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities].
SC-31(01)-Test [SELECT FROM: Organizational process for testing covert channels; automated mechanisms supporting and/or implementing the testing of covert channel analysis].

SC-31(02) COVERT CHANNEL ANALYSIS | MAXIMUM BANDWIDTH
ASSESSMENT OBJECTIVE: Determine if:
SC-31(02)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {storage; timing};
SC-31(02)_ODP[02] values for the maximum bandwidth for identified covert channels are defined;
SC-31(02) the maximum bandwidth for identified covert channels is reduced to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-31(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; acquisition contracts for systems or services; acquisition documentation; system design documentation; system configuration settings and associated documentation; covert channel analysis documentation; system audit records; system security plan; other relevant documents or records].
SC-31(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities; system developers/integrators].
SC-31(02)-Test [SELECT FROM: Organizational process for conducting covert channel analysis; automated mechanisms supporting and/or implementing covert channel analysis; automated mechanisms supporting and/or implementing the capability to reduce the bandwidth of covert channels].

SC-31(03) COVERT CHANNEL ANALYSIS | MEASURE BANDWIDTH IN OPERATIONAL ENVIRONMENTS
ASSESSMENT OBJECTIVE: Determine if:
SC-31(03)_ODP subset of identified covert channels whose bandwidth is to be measured in the operational environment of the system is defined;
SC-31(03) the bandwidth of is measured in the operational environment of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-31(03)-Examine [SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; system design documentation; system configuration settings and associated documentation; covert channel analysis documentation; system audit records; system security plan; other relevant documents or records].
SC-31(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities; system developers/integrators].
SC-31(03)-Test [SELECT FROM: Organizational process for conducting covert channel analysis; automated mechanisms supporting and/or implementing covert channel analysis; automated mechanisms supporting and/or implementing the capability to measure the bandwidth of covert channels].
SC-32 SYSTEM PARTITIONING
ASSESSMENT OBJECTIVE: Determine if:
SC-32_ODP[01] system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined;
SC-32_ODP[02] one of the following PARAMETER VALUES is selected: {physical; logical};
SC-32_ODP[03] circumstances for the physical or logical separation of components are defined;
SC-32 the system is partitioned into residing in separate domains or environments based on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-32-Examine [SELECT FROM: System and communications protection policy; procedures addressing system partitioning; system design documentation; system configuration settings and associated documentation; system architecture; list of system physical domains (or environments); system facility diagrams; system network diagrams; system security plan; other relevant documents or records].
SC-32-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-32-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the physical separation of system components].

SC-32(01) SYSTEM PARTITIONING | SEPARATE PHYSICAL DOMAINS FOR PRIVILEGED FUNCTIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-32(01) privileged functions are partitioned into separate physical domains.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-32-Examine [SELECT FROM: System and communications protection policy; procedures addressing system partitioning; system design documentation; system configuration settings and associated documentation; system architecture; list of system physical domains (or environments); system facility diagrams; system network diagrams; system security plan; other relevant documents or records].
SC-32-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-32-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the physical separation of system components].

SC-33 TRANSMISSION PREPARATION INTEGRITY
[WITHDRAWN: Incorporated into SC-08.]

SC-34 NON-MODIFIABLE EXECUTABLE PROGRAMS
ASSESSMENT OBJECTIVE: Determine if:
SC-34_ODP[01] system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined;
SC-34_ODP[02] applications to be loaded and executed from hardware-enforced, read-only media are defined;
SC-34a. the operating environment for is loaded and executed from hardware-enforced, read-only media;
SC-34b. for are loaded and executed from hardware-enforced, read-only media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-34-Examine [SELECT FROM: System and communications protection policy; procedures addressing non-modifiable executable programs; system design documentation; system configuration settings and associated documentation; system architecture; list of operating system components to be loaded from hardware-enforced, read-only media; list of applications to be loaded from hardware-enforced, read-only media; media used to load and execute the system operating environment; media used to load and execute system applications; system audit records; system security plan; other relevant documents or records].
SC-34-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-34-Test [SELECT FROM: Automated mechanisms supporting and/or implementing, loading, and executing the operating environment from hardware-enforced, read-only media; automated mechanisms supporting and/or implementing, loading, and executing applications from hardware-enforced, read-only media].

SC-34(01) NON-MODIFIABLE EXECUTABLE PROGRAMS | NO WRITABLE STORAGE
ASSESSMENT OBJECTIVE: Determine if:
SC-34(01)_ODP system components to be employed with no writeable storage are defined;
SC-34(01) are employed with no writeable storage that is persistent across component restart or power on/off.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-34(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing non-modifiable executable programs; system design documentation; system configuration settings and associated documentation; system architecture; list of system components to be employed without writeable storage capabilities; system audit records; system security plan; other relevant documents or records].
SC-34(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-34(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the employment of components with no writeable storage; automated mechanisms supporting and/or implementing persistent non-writeable storage across component restart and power on/off].
SC-34(02) NON-MODIFIABLE EXECUTABLE PROGRAMS | INTEGRITY PROTECTION ON READ-ONLY MEDIA
ASSESSMENT OBJECTIVE: Determine if:
SC-34(02)[01] the integrity of information is protected prior to storage on read-only media;
SC-34(02)[02] the media is controlled after such information has been recorded onto the media.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-34(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing non-modifiable executable programs; system design documentation; system configuration settings and associated documentation; system architecture; system audit records; system security plan; other relevant documents or records].
SC-34(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-34(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the capability to protect information integrity on read-only media prior to storage and after information has been recorded onto the media].

SC-34(03) NON-MODIFIABLE EXECUTABLE PROGRAMS | HARDWARE-BASED PROTECTION
[WITHDRAWN: Moved to SC-51.]

SC-35 EXTERNAL MALICIOUS CODE IDENTIFICATION
ASSESSMENT OBJECTIVE: Determine if:
SC-35 system components that proactively seek to identify network-based malicious code or malicious websites are included.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-35-Examine [SELECT FROM: System and communications protection policy; procedures addressing external malicious code identification; system design documentation; system configuration settings and associated documentation; system components deployed to identify malicious websites and/or web-based malicious code; system audit records; system security plan; other relevant documents or records].
SC-35-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-35-Test [SELECT FROM: Automated mechanisms supporting and/or implementing external malicious code identification].

SC-36 DISTRIBUTED PROCESSING AND STORAGE
ASSESSMENT OBJECTIVE: Determine if:
SC-36_ODP[01] processing components to be distributed across multiple locations/domains are defined;
SC-36_ODP[02] one of the following PARAMETER VALUES is selected: {physical locations; logical domains};
SC-36_ODP[03] storage components to be distributed across multiple locations/domains are defined;
SC-36_ODP[04] one of the following PARAMETER VALUES is selected: {physical locations; logical domains};
SC-36[01] are distributed across ;
SC-36[02] are distributed across .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-36-Examine [SELECT FROM: System and communications protection policy; contingency planning policy and procedures; contingency plan; system design documentation; system configuration settings and associated documentation; system architecture; list of system physical locations (or environments) with distributed processing and storage; system facility diagrams; processing site agreements; storage site agreements; system security plan; other relevant documents or records].
SC-36-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel with contingency planning and plan implementation responsibilities; system developers/integrators].
SC-36-Test [SELECT FROM: Organizational processes for distributed processing and storage across multiple physical locations; automated mechanisms supporting and/or implementing the capability to distribute processing and storage across multiple physical locations].

SC-36(01) DISTRIBUTED PROCESSING AND STORAGE | POLLING TECHNIQUES
ASSESSMENT OBJECTIVE: Determine if:
SC-36(01)_ODP[01] distributed processing and storage components for which polling techniques are to be employed to identify potential faults, errors, or compromises are defined;
SC-36(01)_ODP[02] actions to be taken in response to identified faults, errors, or compromise are defined;
SC-36(01)(a) polling techniques are employed to identify potential faults, errors, or compromises to ;
SC-36(01)(b) are taken in response to identified faults, errors, or compromise.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-36(01)-Examine [SELECT FROM: System and communications protection policy; system design documentation; system configuration settings and associated documentation; system architecture; list of distributed processing and storage components subject to polling; system polling techniques and associated documentation or records; system audit records; system security plan; other relevant documents or records].
SC-36(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-36(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing polling techniques].

SC-36(02) DISTRIBUTED PROCESSING AND STORAGE | SYNCHRONIZATION
ASSESSMENT OBJECTIVE: Determine if:
SC-36(02)_ODP duplicate systems or system components to be synchronized are defined;
SC-36(02) are synchronized.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-36(02)-Examine [SELECT FROM: System and communications protection policy; system design documentation; system configuration settings and associated documentation; system architecture; list of distributed processing and storage components subject to polling; system polling techniques and associated documentation or records; system audit records; system security plan; other relevant documents or records].
SC-36(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-36(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing duplicate system or system component synchronization].

SC-37 OUT-OF-BAND CHANNELS
ASSESSMENT OBJECTIVE: Determine if:
SC-37_ODP[01] out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components, or devices to individuals or the system are defined;
SC-37_ODP[02] information, system components, or devices to employ out-of-band channels for physical delivery or electronic transmission are defined;
SC-37_ODP[03] individuals or systems to which physical delivery or electronic transmission of information, system components, or devices is to be achieved via the employment of out-of-band channels are defined;
SC-37 are employed for the physical delivery or electronic transmission of to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-37-Examine [SELECT FROM: System and communications protection policy; procedures addressing the use of out-of-band channels; access control policy and procedures; identification and authentication policy and procedures; system design documentation; system architecture; system configuration settings and associated documentation; list of out-of-band channels; types of information, system components, or devices requiring the use of out-of-band channels for physical delivery or electronic transmission to authorized individuals or systems; physical delivery records; electronic transmission records; system audit records; system security plan; other relevant documents or records].
SC-37-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel authorizing, installing, configuring, operating, and/or using out-of-band channels; system developers/integrators].
SC-37-Test [SELECT FROM: Organizational processes for the use of out-of-band channels; automated mechanisms supporting and/or implementing the use of out-of-band channels].

SC-37(01) OUT-OF-BAND CHANNELS | ENSURE DELIVERY AND TRANSMISSION
ASSESSMENT OBJECTIVE: Determine if:
SC-37(01)_ODP[01] controls to be employed to ensure that only designated individuals or systems receive specific information, system components, or devices are defined;
SC-37(01)_ODP[02] individuals or systems designated to receive specific information, system components, or devices are defined;
SC-37(01)_ODP[03] information, system components, or devices that only individuals or systems are designated to receive are defined;
SC-37(01) are employed to ensure that only receive .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-37(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing the use of out-of-band channels; access control policy and procedures; identification and authentication policy and procedures; system design documentation; system architecture; system configuration settings and associated documentation; list of security safeguards to be employed to ensure that designated individuals or systems receive organization-defined information, system components, or devices; list of security safeguards for delivering designated information, system components, or devices to designated individuals or systems; list of information, system components, or devices to be delivered to designated individuals or systems; system audit records; system security plan; other relevant documents or records].
SC-37(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel authorizing, installing, configuring, operating, and/or using out-of-band channels; system developers/integrators].
SC-37(01)-Test [SELECT FROM: Organizational processes for the use of out-of-band channels; automated mechanisms supporting and/or implementing the use of out-of-band channels; automated mechanisms supporting/implementing safeguards to ensure delivery of designated information, system components, or devices].

SC-38 OPERATIONS SECURITY
ASSESSMENT OBJECTIVE: Determine if:
SC-38_ODP operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined;
SC-38 are employed to protect key organizational information throughout the system development life cycle.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-38-Examine [SELECT FROM: System and communications protection policy; procedures addressing operations security; security plan; list of operations security safeguards; security control assessments; risk assessments; threat and vulnerability assessments; plans of action and milestones; system development life cycle documentation; system security plan; other relevant documents or records].
SC-38-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-38-Test [SELECT FROM: Organizational processes for protecting organizational information throughout the system development life cycle; automated mechanisms supporting and/or implementing safeguards to protect organizational information throughout the system development life cycle].

SC-39 PROCESS ISOLATION
ASSESSMENT OBJECTIVE: Determine if:
SC-39 a separate execution domain is maintained for each executing system process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-39-Examine [SELECT FROM: System design documentation; system architecture; independent verification and validation documentation; testing and evaluation documentation; other relevant documents or records].
SC-39-Interview [SELECT FROM: System developers/integrators; system security architect].
SC-39-Test [SELECT FROM: Automated mechanisms supporting and/or implementing separate execution domains for each executing process].

SC-39(01) PROCESS ISOLATION | HARDWARE SEPARATION
ASSESSMENT OBJECTIVE: Determine if:
SC-39(01) hardware separation is implemented to facilitate process isolation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-39(01)-Examine [SELECT FROM: System and communications protection policy; system design documentation; system configuration settings and associated documentation; system architecture; system documentation for hardware separation mechanisms; system documentation from vendors, manufacturers, or developers; independent verification and validation documentation; system security plan; other relevant documents or records].
SC-39(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-39(01)-Test [SELECT FROM: System capability implementing underlying hardware separation mechanisms for process separation].

SC-39(02) PROCESS ISOLATION | SEPARATE EXECUTION DOMAIN PER THREAD
ASSESSMENT OBJECTIVE: Determine if:
SC-39(02)_ODP multi-thread processing for which a separate execution domain is to be maintained for each thread is defined;
SC-39(02) a separate execution domain is maintained for each thread in .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-39(02)-Examine [SELECT FROM: System and communications protection policy; system design documentation; system configuration settings and associated documentation; system architecture; list of system execution domains for each thread in multi-threaded processing; system documentation for multi-threaded processing; system documentation from vendors, manufacturers, or developers; independent verification and validation documentation; system security plan; other relevant documents or records].
SC-39(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-39(02)-Test [SELECT FROM: System capability implementing a separate execution domain for each thread in multi-threaded processing].

SC-40 WIRELESS LINK PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SC-40_ODP[01] external wireless links to be protected from particular types of signal parameter attacks are defined;
SC-40_ODP[02] types of signal parameter attacks or references to sources for such attacks from which to protect external wireless links are defined;
SC-40_ODP[03] internal wireless links to be protected from particular types of signal parameter attacks are defined;
SC-40_ODP[04] types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless links are defined;
SC-40[01] external are protected from ;
SC-40[02] internal are protected from .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-40-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing wireless link protection; system design documentation; wireless network diagrams; system configuration settings and associated documentation; system architecture; list of internal and external wireless links; list of signal parameter attacks or references to sources for attacks; system audit records; system security plan; other relevant documents or records].
SC-40-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel authorizing, installing, configuring, and/or maintaining internal and external wireless links].
SC-40-Test [SELECT FROM: Automated mechanisms supporting and/or implementing protection of wireless links].
SC-40(01) WIRELESS LINK PROTECTION | ELECTROMAGNETIC INTERFERENCE
ASSESSMENT OBJECTIVE: Determine if:
SC-40(01)_ODP level of protection to be employed against the effects of intentional electromagnetic interference is defined;
SC-40(01) cryptographic mechanisms that achieve against the effects of intentional electromagnetic interference are implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-40(01)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing wireless link protection; system design documentation; wireless network diagrams; system configuration settings and associated documentation; system architecture; system communications hardware and software; security categorization results; system audit records; system security plan; other relevant documents or records].
SC-40(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel authorizing, installing, configuring, and/or maintaining internal and external wireless links].
SC-40(01)-Test [SELECT FROM: Cryptographic mechanisms enforcing protections against effects of intentional electromagnetic interference].

SC-40(02) WIRELESS LINK PROTECTION | REDUCE DETECTION POTENTIAL
ASSESSMENT OBJECTIVE: Determine if:
SC-40(02)_ODP the level of reduction to be achieved to reduce the detection potential of wireless links is defined;
SC-40(02) cryptographic mechanisms to reduce the detection potential of wireless links to are implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-40(02)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing wireless link protection; system design documentation; wireless network diagrams; system configuration settings and associated documentation; system architecture; system communications hardware and software; security categorization results; system audit records; system security plan; other relevant documents or records].
SC-40(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel authorizing, installing, configuring, and/or maintaining internal and external wireless links].
SC-40(02)-Test [SELECT FROM: Cryptographic mechanisms enforcing protections to reduce the detection of wireless links].

SC-40(03) WIRELESS LINK PROTECTION | IMITATIVE OR MANIPULATIVE COMMUNICATIONS DECEPTION
ASSESSMENT OBJECTIVE: Determine if:
SC-40(03) cryptographic mechanisms are implemented to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-40(03)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing system design documentation; wireless network diagrams; system configuration settings and associated documentation; system architecture; system communications hardware and software; system audit records; system security plan; other relevant documents or records].
SC-40(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel authorizing, installing, configuring, and/or maintaining internal and external wireless links]. SC-40(03)-Test [SELECT FROM: Cryptographic mechanisms enforcing wireless link protections against imitative or manipulative communications deception]. SC-40(04) WIRELESS LINK PROTECTION | SIGNAL PARAMETER IDENTIFICATION ASSESSMENT OBJECTIVE: Determine if: SC-40(04)_ODP wireless transmitters for which cryptographic mechanisms are to be implemented are defined; SC-40(04) cryptographic mechanisms are implemented to prevent the identification of by using the transmitter signal parameters. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SC-40(04)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing system design documentation; wireless network diagrams; system configuration settings and associated documentation; system architecture; system communications hardware and software; system audit records; system security plan; other relevant documents or records]. SC-40(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel authorizing, installing, configuring, and/or maintaining internal and external wireless links]. SC-40(04)-Test [SELECT FROM: Cryptographic mechanisms preventing the identification of wireless transmitters]. 
SC-41 PORT AND I/O DEVICE ACCESS
ASSESSMENT OBJECTIVE: Determine if:
SC-41_ODP[01] connection ports or input/output devices to be disabled or removed are defined;
SC-41_ODP[02] one of the following PARAMETER VALUES is selected: {physically; logically};
SC-41_ODP[03] systems or system components with connection ports or input/output devices to be disabled or removed are defined;
SC-41 are disabled or removed on .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-41-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing port and input/output device access; system design documentation; system configuration settings and associated documentation; system architecture; systems or system components; list of connection ports or input/output devices to be physically disabled or removed on systems or system components; system security plan; other relevant documents or records].
SC-41-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-41-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the disabling of connection ports or input/output devices].
SC-42 SENSOR CAPABILITY AND DATA
ASSESSMENT OBJECTIVE: Determine if:
SC-42_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {the use of devices possessing in ; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: };
SC-42_ODP[02] environmental sensing capabilities in devices are defined (if selected);
SC-42_ODP[03] facilities, areas, or systems where the use of devices possessing environmental sensing capabilities is prohibited are defined (if selected);
SC-42_ODP[04] exceptions where remote activation of sensors is allowed are defined (if selected);
SC-42_ODP[05] group of users to whom an explicit indication of sensor use is to be provided is defined;
SC-42a. is/are prohibited;
SC-42b. an explicit indication of sensor use is provided to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-42-Examine [SELECT FROM: System and communications protection policy; procedures addressing sensor capabilities and data collection; access control policy and procedures; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records].
SC-42-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for sensor capabilities].
SC-42-Test [SELECT FROM: Automated mechanisms implementing access controls for the remote activation of system sensor capabilities; automated mechanisms implementing the capability to indicate sensor use].
SC-42(01) SENSOR CAPABILITY AND DATA | REPORTING TO AUTHORIZED INDIVIDUALS OR ROLES
ASSESSMENT OBJECTIVE: Determine if:
SC-42(01)_ODP sensors to be used to collect data or information are defined;
SC-42(01) the system is configured so that data or information collected by the is only reported to authorized individuals or roles.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-42(01)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; procedures addressing sensor capability and data collection; personally identifiable information processing policy; system design documentation; system configuration settings and associated documentation; system architecture; system audit records; system security plan; privacy plan; other relevant documents or records].
SC-42(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for the sensor capabilities].
SC-42(01)-Test [SELECT FROM: Automated mechanisms restricting the reporting of sensor information to those authorized; sensor data collection and reporting capabilities for the system].

SC-42(02) SENSOR CAPABILITY AND DATA | AUTHORIZED USE
ASSESSMENT OBJECTIVE: Determine if:
SC-42(02)_ODP[01] measures to be employed so that data or information collected by sensors is only used for authorized purposes are defined;
SC-42(02)_ODP[02] sensors to be used to collect data or information are defined;
SC-42(02) are employed so that data or information collected by is only used for authorized purposes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-42(02)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; personally identifiable information processing policy; sensor capability and data collection; system design documentation; system configuration settings and associated documentation; system architecture; list of measures to be employed to ensure that the data or information collected by sensors is only used for authorized purposes; system audit records; system security plan; privacy plan; other relevant documents or records].
SC-42(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for sensor capabilities].
SC-42(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing measures to ensure sensor information is only used for authorized purposes; sensor information collection capability for the system].

SC-42(03) SENSOR CAPABILITY AND DATA | PROHIBIT USE OF DEVICES
[WITHDRAWN: Incorporated into SC-42.]

SC-42(04) SENSOR CAPABILITY AND DATA | NOTICE OF COLLECTION
ASSESSMENT OBJECTIVE: Determine if:
SC-42(04)_ODP[01] measures to facilitate an individual's awareness that personally identifiable information is being collected are defined;
SC-42(04)_ODP[02] sensors that collect personally identifiable information are defined;
SC-42(04) are employed to facilitate an individual's awareness that personally identifiable information is being collected by .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-42(04)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; personally identifiable information processing policy; sensor capability and data collection policy and procedures; system design documentation; system configuration settings and associated documentation; privacy risk assessment documentation; privacy impact assessments; system architecture; list of measures to be employed to ensure that individuals are aware that personally identifiable information is being collected by sensors; examples of notifications provided to individuals that personally identifiable information is being collected by sensors; system audit records; system security plan; privacy plan; other relevant documents or records].
SC-42(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for sensor capabilities].
SC-42(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing measures to facilitate an individual's awareness that personally identifiable information is being collected by sensors; sensor information collection capabilities for the system].
SC-42(05) SENSOR CAPABILITY AND DATA | COLLECTION MINIMIZATION
ASSESSMENT OBJECTIVE: Determine if:
SC-42(05)_ODP the sensors that are configured to minimize the collection of unneeded information about individuals are defined;
SC-42(05) the configured to minimize the collection of information about individuals that is not needed are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-42(05)-Examine [SELECT FROM: System and communications protection policy; access control policy and procedures; personally identifiable information processing policy; sensor capability and data collection policy and procedures; system design documentation; system configuration settings and associated documentation; privacy risk assessment documentation; privacy impact assessments; system architecture; list of information being collected by sensors; list of sensor configurations that minimize the collection of personally identifiable information (e.g., obscure human features); system audit records; system security plan; privacy plan; other relevant documents or records].
SC-42(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for sensor capabilities].
SC-42(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing measures to facilitate the review of information that is being collected by sensors; sensor information collection capabilities for the system].

SC-43 USAGE RESTRICTIONS
ASSESSMENT OBJECTIVE: Determine if:
SC-43_ODP the components for which usage restrictions and implementation guidance are to be established are defined;
SC-43a. usage restrictions and implementation guidelines are established for ;
SC-43b.[01] the use of is authorized within the system;
SC-43b.[02] the use of is monitored within the system;
SC-43b.[03] the use of is controlled within the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-43-Examine [SELECT FROM: System and communications protection policy; usage restrictions; procedures addressing usage restrictions; implementation policy and procedures; authorization records; system monitoring records; system audit records; system security plan; other relevant documents or records].
SC-43-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-43-Test [SELECT FROM: Organizational processes for authorizing, monitoring, and controlling the use of components with usage restrictions; automated mechanisms supporting and/or implementing authorizing, monitoring, and controlling the use of components with usage restrictions].

SC-44 DETONATION CHAMBERS
ASSESSMENT OBJECTIVE: Determine if:
SC-44_ODP the system, system component, or location where a detonation chamber capability is to be employed is defined;
SC-44 a detonation chamber capability is employed within the .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-44-Examine [SELECT FROM: System and communications protection policy; procedures addressing detonation chambers; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-44-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-44-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the detonation chamber capability].
SC-45 SYSTEM TIME SYNCHRONIZATION
ASSESSMENT OBJECTIVE: Determine if:
SC-45 system clocks are synchronized within and between systems and system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-45-Examine [SELECT FROM: System and communications protection policy; procedures addressing time synchronization; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-45-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-45-Test [SELECT FROM: Automated mechanisms supporting and/or implementing system time synchronization].

SC-45(01) SYSTEM TIME SYNCHRONIZATION | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE
ASSESSMENT OBJECTIVE: Determine if:
SC-45(01)_ODP[01] the frequency at which to compare the internal system clocks with the authoritative time source is defined;
SC-45(01)_ODP[02] the authoritative time source to which internal system clocks are to be compared is defined;
SC-45(01)_ODP[03] the time period to compare the internal system clocks with the authoritative time source is defined;
SC-45(01)(a) the internal system clocks are compared with ;
SC-45(01)(b) the internal system clocks are synchronized with the authoritative time source when the time difference is greater than .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-45(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing time synchronization; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-45(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-45(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing system time synchronization].

SC-45(02) SYSTEM TIME SYNCHRONIZATION | SECONDARY AUTHORITATIVE TIME SOURCE
ASSESSMENT OBJECTIVE: Determine if:
SC-45(02)(a) a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;
SC-45(02)(b) the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-45(02)-Examine [SELECT FROM: System and communications protection policy; procedures addressing time synchronization; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-45(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-45(02)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing system time synchronization with secondary authoritative time sources].

SC-46 CROSS DOMAIN POLICY ENFORCEMENT
ASSESSMENT OBJECTIVE: Determine if:
SC-46_ODP one of the following PARAMETER VALUES is selected: {physically; logically};
SC-46 a policy enforcement mechanism is implemented between the physical and/or network interfaces for the connecting security domains.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-46-Examine [SELECT FROM: System and communications protection policy; procedures addressing cross-domain policy enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-46-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-46-Test [SELECT FROM: Automated mechanisms supporting and/or implementing cross-domain policy enforcement].

SC-47 ALTERNATE COMMUNICATIONS PATHS
ASSESSMENT OBJECTIVE: Determine if:
SC-47_ODP alternate communication paths for system operations and operational command and control are defined;
SC-47 are established for system operations and operational command and control.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-47-Examine [SELECT FROM: System and communications protection policy; procedures addressing communication paths; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-47-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers].
SC-47-Test [SELECT FROM: Automated mechanisms supporting and/or implementing alternate communication paths for system operations].

SC-48 SENSOR RELOCATION
ASSESSMENT OBJECTIVE: Determine if:
SC-48_ODP[01] sensors and monitoring capabilities to be relocated are defined;
SC-48_ODP[02] locations to where sensors and monitoring capabilities are to be relocated are defined;
SC-48_ODP[03] conditions or circumstances for relocating sensors and monitoring capabilities are defined;
SC-48 are relocated to under .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-48-Examine [SELECT FROM: System and communications protection policy; procedures addressing sensor and monitoring capability relocation; list of sensors/monitoring capabilities to be relocated; change control records; configuration management records; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-48-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-48-Test [SELECT FROM: Automated mechanisms supporting and/or implementing sensor relocation].

SC-48(01) SENSOR RELOCATION | DYNAMIC RELOCATION OF SENSORS OR MONITORING CAPABILITIES
ASSESSMENT OBJECTIVE: Determine if:
SC-48(01)_ODP[01] sensors and monitoring capabilities to be dynamically relocated are defined;
SC-48(01)_ODP[02] locations to where sensors and monitoring capabilities are to be dynamically relocated are defined;
SC-48(01)_ODP[03] conditions or circumstances for dynamically relocating sensors and monitoring capabilities are defined;
SC-48(01) are dynamically relocated to under .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-48(01)-Examine [SELECT FROM: System and communications protection policy; procedures addressing sensor and monitoring capability relocation; list of sensors/monitoring capabilities to be relocated; change control records; configuration management records; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-48(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-48(01)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing sensor relocation].

SC-49 HARDWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT
ASSESSMENT OBJECTIVE: Determine if:
SC-49_ODP security domains requiring hardware-enforced separation and policy enforcement mechanisms are defined;
SC-49 hardware-enforced separation and policy enforcement mechanisms are implemented between .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-49-Examine [SELECT FROM: System and communications protection policy; procedures addressing cross-domain policy enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-49-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-49-Test [SELECT FROM: Automated mechanisms supporting and/or implementing hardware-enforced security domain separation and policy enforcement].

SC-50 SOFTWARE-ENFORCED SEPARATION AND POLICY ENFORCEMENT
ASSESSMENT OBJECTIVE: Determine if:
SC-50_ODP security domains requiring software-enforced separation and policy enforcement mechanisms are defined;
SC-50 software-enforced separation and policy enforcement mechanisms are implemented between .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-50-Examine [SELECT FROM: System and communications protection policy; procedures addressing cross-domain policy enforcement; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SC-50-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system].
SC-50-Test [SELECT FROM: Automated mechanisms supporting and/or implementing software-enforced separation and policy enforcement].

SC-51 HARDWARE-BASED PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SC-51_ODP[01] system firmware components requiring hardware-based write-protect are defined;
SC-51_ODP[02] authorized individuals requiring procedures for disabling and re-enabling hardware write-protect are defined;
SC-51a. hardware-based write-protect for is employed;
SC-51b.[01] specific procedures are implemented for to manually disable hardware write-protect for firmware modifications;
SC-51b.[02] specific procedures are implemented for to re-enable the write-protect prior to returning to operational mode.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SC-51-Examine [SELECT FROM: System and communications protection policy; procedures addressing firmware modifications; system design documentation; system configuration settings and associated documentation; system architecture; system audit records; system security plan; other relevant documents or records].
SC-51-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; system developers/integrators].
SC-51-Test [SELECT FROM: Organizational processes for modifying system firmware; automated mechanisms supporting and/or implementing hardware-based write-protection for system firmware].
4.19 System and Information Integrity

SI-01 POLICY AND PROCEDURES
ASSESSMENT OBJECTIVE: Determine if:
SI-01_ODP[01] personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;
SI-01_ODP[02] personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;
SI-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level};
SI-01_ODP[04] an official to manage the system and information integrity policy and procedures is defined;
SI-01_ODP[05] the frequency at which the current system and information integrity policy is reviewed and updated is defined;
SI-01_ODP[06] events that would require the current system and information integrity policy to be reviewed and updated are defined;
SI-01_ODP[07] the frequency at which the current system and information integrity procedures are reviewed and updated is defined;
SI-01_ODP[08] events that would require the system and information integrity procedures to be reviewed and updated are defined;
SI-01a.[01] a system and information integrity policy is developed and documented;
SI-01a.[02] the system and information integrity policy is disseminated to ;
SI-01a.[03] system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;
SI-01a.[04] the system and information integrity procedures are disseminated to ;
SI-01a.01(a)[01] the system and information integrity policy addresses purpose;
SI-01a.01(a)[02] the system and information integrity policy addresses scope;
SI-01a.01(a)[03] the system and information integrity policy addresses roles;
SI-01a.01(a)[04] the system and information integrity policy addresses responsibilities;
SI-01a.01(a)[05] the system and information integrity policy addresses management commitment;
SI-01a.01(a)[06] the system and information integrity policy addresses coordination among organizational entities;
SI-01a.01(a)[07] the system and information integrity policy addresses compliance;
SI-01a.01(b) the system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
SI-01b. the is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;
SI-01c.01[01] the current system and information integrity policy is reviewed and updated ;
SI-01c.01[02] the current system and information integrity policy is reviewed and updated following ;
SI-01c.02[01] the current system and information integrity procedures are reviewed and updated ;
SI-01c.02[02] the current system and information integrity procedures are reviewed and updated following .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-01-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; system security plan; privacy plan; other relevant documents or records].
SI-01-Interview [SELECT FROM: Organizational personnel with system and information integrity responsibilities; organizational personnel with information security and privacy responsibilities].
SI-02 FLAW REMEDIATION
ASSESSMENT OBJECTIVE: Determine if:
SI-02_ODP time period within which to install security-relevant software updates after the release of the updates is defined;
SI-02a.[01] system flaws are identified;
SI-02a.[02] system flaws are reported;
SI-02a.[03] system flaws are corrected;
SI-02b.[01] software updates related to flaw remediation are tested for effectiveness before installation;
SI-02b.[02] software updates related to flaw remediation are tested for potential side effects before installation;
SI-02b.[03] firmware updates related to flaw remediation are tested for effectiveness before installation;
SI-02b.[04] firmware updates related to flaw remediation are tested for potential side effects before installation;
SI-02c.[01] security-relevant software updates are installed within of the release of the updates;
SI-02c.[02] security-relevant firmware updates are installed within of the release of the updates;
SI-02d. flaw remediation is incorporated into the organizational configuration management process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-02-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing flaw remediation; procedures addressing configuration management; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws); test results from the installation of software and firmware updates to correct system flaws; installation/change control records for security-relevant software and firmware updates; system security plan; privacy plan; other relevant documents or records].
SI-02-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel responsible for installing, configuring, and/or maintaining the system; organizational personnel responsible for flaw remediation; organizational personnel with configuration management responsibilities].
SI-02-Test [SELECT FROM: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; automated mechanisms supporting and/or implementing the reporting and correcting of system flaws; automated mechanisms supporting and/or implementing testing software and firmware updates].

SI-02(01) FLAW REMEDIATION | CENTRAL MANAGEMENT
[WITHDRAWN: Incorporated into PL-09.]

SI-02(02) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS
ASSESSMENT OBJECTIVE: Determine if:
SI-02(02)_ODP[01] automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;
SI-02(02)_ODP[02] the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;
SI-02(02) system components have applicable security-relevant software and firmware updates installed using .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-02(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing flaw remediation; automated mechanisms supporting centralized management of flaw remediation; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-02(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for flaw remediation].
SI-02(02)-Test [SELECT FROM: Automated mechanisms used to determine the state of system components with regard to flaw remediation].

SI-02(03) FLAW REMEDIATION | TIME TO REMEDIATE FLAWS AND BENCHMARKS FOR CORRECTIVE ACTIONS
ASSESSMENT OBJECTIVE: Determine if:
SI-02(03)_ODP the benchmarks for taking corrective actions are defined;
SI-02(03)(a) the time between flaw identification and flaw remediation is measured;
SI-02(03)(b) for taking corrective actions have been established.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-02(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing flaw remediation; system design documentation; system configuration settings and associated documentation; list of benchmarks for taking corrective action on identified flaws; records that provide timestamps of flaw identification and subsequent flaw remediation activities; system security plan; other relevant documents or records].
SI-02(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for flaw remediation].
SI-02(03)-Test [SELECT FROM: Organizational processes for identifying, reporting, and correcting system flaws; automated mechanisms used to measure the time between flaw identification and flaw remediation].
SI-02(04) FLAW REMEDIATION | AUTOMATED PATCH MANAGEMENT TOOLS
ASSESSMENT OBJECTIVE: Determine if:
SI-02(04)_ODP the system components requiring automated patch management tools to facilitate flaw remediation are defined;
SI-02(04) automated patch management tools are employed to facilitate flaw remediation to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-02(04)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation and automatic software/firmware updates; system design documentation; system configuration settings and associated documentation; list of system flaws; records of recent security-relevant software and firmware updates that are automatically installed to system components; system audit records; system security plan; other relevant documents or records].
SI-02(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for flaw remediation].
SI-02(04)-Test [SELECT FROM: Automated patch management tools; automated mechanisms implementing automatic software/firmware updates; automated mechanisms facilitating flaw remediation to system components].

SI-02(05) FLAW REMEDIATION | AUTOMATIC SOFTWARE AND FIRMWARE UPDATES
ASSESSMENT OBJECTIVE: Determine if:
SI-02(05)_ODP[01] security-relevant software and firmware updates to be automatically installed to system components are defined;
SI-02(05)_ODP[02] system components requiring security-relevant software updates to be automatically installed are defined;
SI-02(05) are installed automatically to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-02(05)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation and automatic software/firmware updates; system design documentation; system configuration settings and associated documentation; records of recent security-relevant software and firmware updates automatically installed to system components; system audit records; system security plan; other relevant documents or records].
SI-02(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for flaw remediation].
SI-02(05)-Test [SELECT FROM: Automated mechanisms implementing automatic software/firmware updates].

SI-02(06) FLAW REMEDIATION | REMOVAL OF PREVIOUS VERSIONS OF SOFTWARE AND FIRMWARE
ASSESSMENT OBJECTIVE: Determine if:
SI-02(06)_ODP software and firmware components to be removed after updated versions have been installed are defined;
SI-02(06) previous versions of are removed after updated versions have been installed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-02(06)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing flaw remediation; automated mechanisms supporting flaw remediation; system design documentation; system configuration settings and associated documentation; records of software and firmware component removals after updated versions are installed; system audit records; system security plan; other relevant documents or records].
SI-02(06)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for flaw remediation].
SI-02(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the removal of previous versions of software/firmware].

SI-03 MALICIOUS CODE PROTECTION
ASSESSMENT OBJECTIVE: Determine if:
SI-03_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {signature-based; non-signature-based};
SI-03_ODP[02] the frequency at which malicious code protection mechanisms perform scans is defined;
SI-03_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {endpoint; network entry and exit points};
SI-03_ODP[04] one or more of the following PARAMETER VALUES is/are selected: {block malicious code; quarantine malicious code; take};
SI-03_ODP[05] actions to be taken in response to malicious code detection are defined (if selected);
SI-03_ODP[06] personnel or roles to be alerted when malicious code is detected is/are defined;
SI-03a.[01] malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;
SI-03a.[02] malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;
SI-03b. malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;
SI-03c.01[01] malicious code protection mechanisms are configured to perform periodic scans of the system ;
SI-03c.01[02] malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;
SI-03c.02[01] malicious code protection mechanisms are configured to in response to malicious code detection;
SI-03c.02[02] malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;
SI-03d. the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-03-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit records; system security plan; other relevant documents or records].
SI-03-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection; organizational personnel with configuration management responsibilities].
SI-03-Test [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational processes for addressing false positives and resulting potential impacts; automated mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms; automated mechanisms supporting and/or implementing malicious code scanning and subsequent actions].

SI-03(01) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT
[WITHDRAWN: Incorporated into PL-09.]

SI-03(02) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES
[WITHDRAWN: Incorporated into SI-03.]

SI-03(03) MALICIOUS CODE PROTECTION | NON-PRIVILEGED USERS
[WITHDRAWN: Incorporated into AC-06(10).]

SI-03(04) MALICIOUS CODE PROTECTION | UPDATES ONLY BY PRIVILEGED USERS
ASSESSMENT OBJECTIVE: Determine if:
SI-03(04) malicious code protection mechanisms are updated only when directed by a privileged user.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-03(04)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing malicious code protection; list of privileged users on system; system design documentation; malicious code protection mechanisms; records of malicious code protection updates; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-03(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection].
SI-03(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing malicious code protection capabilities].

SI-03(05) MALICIOUS CODE PROTECTION | PORTABLE STORAGE DEVICES
[WITHDRAWN: Incorporated into MP-07.]
SI-03(06) MALICIOUS CODE PROTECTION | TESTING AND VERIFICATION
ASSESSMENT OBJECTIVE: Determine if:
SI-03(06)_ODP the frequency at which to test malicious code protection mechanisms is defined;
SI-03(06)(a) malicious code protection mechanisms are tested by introducing known benign code into the system;
SI-03(06)(b)[01] the detection of (benign test) code occurs;
SI-03(06)(b)[02] the associated incident reporting occurs.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-03(06)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing malicious code protection; system design documentation; system configuration settings and associated documentation; test cases; records providing evidence of test cases executed on malicious code protection mechanisms; system audit records; system security plan; other relevant documents or records].
SI-03(06)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection].
SI-03(06)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the testing and verification of malicious code protection capabilities].

SI-03(07) MALICIOUS CODE PROTECTION | NONSIGNATURE-BASED DETECTION
[WITHDRAWN: Incorporated into SI-03.]
SI-03(08) MALICIOUS CODE PROTECTION | DETECT UNAUTHORIZED COMMANDS
ASSESSMENT OBJECTIVE: Determine if:
SI-03(08)_ODP[01] system hardware components for which unauthorized operating system commands are to be detected through the kernel application programming interface are defined;
SI-03(08)_ODP[02] unauthorized operating system commands to be detected are defined;
SI-03(08)_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {issue a warning; audit the command execution; prevent the execution of the command};
SI-03(08)(a) are detected through the kernel application programming interface on ;
SI-03(08)(b) is/are performed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-03(08)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing malicious code protection; system design documentation; malicious code protection mechanisms; warning messages sent upon the detection of unauthorized operating system command execution; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-03(08)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection].
SI-03(08)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing malicious code protection capabilities; automated mechanisms supporting and/or implementing the detection of unauthorized operating system commands through the kernel application programming interface].

SI-03(09) MALICIOUS CODE PROTECTION | AUTHENTICATE REMOTE COMMANDS
[WITHDRAWN: Moved to AC-17(10).]
SI-03(10) MALICIOUS CODE PROTECTION | MALICIOUS CODE ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
SI-03(10)_ODP tools and techniques to be employed to analyze the characteristics and behavior of malicious code are defined;
SI-03(10)(a) are employed to analyze the characteristics and behavior of malicious code;
SI-03(10)(b)[01] the results from malicious code analysis are incorporated into organizational incident response processes;
SI-03(10)(b)[02] the results from malicious code analysis are incorporated into organizational flaw remediation processes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-03(10)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing malicious code protection; procedures addressing incident response; procedures addressing flaw remediation; system design documentation; malicious code protection mechanisms, tools, and techniques; system configuration settings and associated documentation; results from malicious code analyses; records of flaw remediation events resulting from malicious code analyses; system audit records; system security plan; other relevant documents or records].
SI-03(10)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection; organizational personnel responsible for flaw remediation; organizational personnel responsible for incident response/management].
SI-03(10)-Test [SELECT FROM: Organizational process for incident response; organizational process for flaw remediation; automated mechanisms supporting and/or implementing malicious code protection capabilities; tools and techniques for the analysis of malicious code characteristics and behavior].
SI-04 SYSTEM MONITORING
ASSESSMENT OBJECTIVE: Determine if:
SI-04_ODP[01] monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;
SI-04_ODP[02] techniques and methods used to identify unauthorized use of the system are defined;
SI-04_ODP[03] system monitoring information to be provided to personnel or roles is defined;
SI-04_ODP[04] personnel or roles to whom system monitoring information is to be provided is/are defined;
SI-04_ODP[05] one or more of the following PARAMETER VALUES is/are selected: {as needed; };
SI-04_ODP[06] a frequency for providing system monitoring to personnel or roles is defined (if selected);
SI-04a.01 the system is monitored to detect attacks and indicators of potential attacks in accordance with ;
SI-04a.02[01] the system is monitored to detect unauthorized local connections;
SI-04a.02[02] the system is monitored to detect unauthorized network connections;
SI-04a.02[03] the system is monitored to detect unauthorized remote connections;
SI-04b. unauthorized use of the system is identified through ;
SI-04c.01 internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;
SI-04c.02 internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;
SI-04d.[01] detected events are analyzed;
SI-04d.[02] detected anomalies are analyzed;
SI-04e. the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
SI-04f. a legal opinion regarding system monitoring activities is obtained;
SI-04g. is provided to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; continuous monitoring strategy; facility diagram/layout; system design documentation; system monitoring tools and techniques documentation; locations within the system where monitoring devices are deployed; system configuration settings and associated documentation; system security plan; other relevant documents or records].
SI-04-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system].
SI-04-Test [SELECT FROM: Organizational processes for system monitoring; automated mechanisms supporting and/or implementing system monitoring capabilities].

SI-04(01) SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM
ASSESSMENT OBJECTIVE: Determine if:
SI-04(01)[01] individual intrusion detection tools are connected to a system-wide intrusion detection system;
SI-04(01)[02] individual intrusion detection tools are configured into a system-wide intrusion detection system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-04(01)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(01)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection capabilities].

SI-04(02) SYSTEM MONITORING | AUTOMATED TOOLS AND MECHANISMS FOR REAL-TIME ANALYSIS
ASSESSMENT OBJECTIVE: Determine if:
SI-04(02) automated tools and mechanisms are employed to support a near real-time analysis of events.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; privacy program plan; privacy impact assessment; privacy risk management documentation; other relevant documents or records].
SI-04(02)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for incident response/management].
SI-04(02)-Test [SELECT FROM: Organizational processes for the near real-time analysis of events; organizational processes for system monitoring; automated mechanisms supporting and/or implementing system monitoring; automated mechanisms/tools supporting and/or implementing an analysis of events].
SI-04(03) SYSTEM MONITORING | AUTOMATED TOOL AND MECHANISM INTEGRATION
ASSESSMENT OBJECTIVE: Determine if:
SI-04(03)[01] automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;
SI-04(03)[02] automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; access control policy and procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-04(03)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(03)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing the intrusion detection and system monitoring capability; automated mechanisms and tools supporting and/or implementing the access and flow control capabilities; automated mechanisms and tools supporting and/or implementing the integration of intrusion detection tools into the access and flow control mechanisms].
SI-04(04) SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
ASSESSMENT OBJECTIVE: Determine if:
SI-04(04)_ODP[01] the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;
SI-04(04)_ODP[02] unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;
SI-04(04)_ODP[03] the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;
SI-04(04)_ODP[04] unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;
SI-04(04)(a)[01] criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;
SI-04(04)(a)[02] criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;
SI-04(04)(b)[01] inbound communications traffic is monitored for ;
SI-04(04)(b)[02] outbound communications traffic is monitored for .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(04)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system protocols; system audit records; system security plan; other relevant documents or records].
SI-04(04)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(04)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic].

SI-04(05) SYSTEM MONITORING | SYSTEM-GENERATED ALERTS
ASSESSMENT OBJECTIVE: Determine if:
SI-04(05)_ODP[01] personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;
SI-04(05)_ODP[02] compromise indicators are defined;
SI-04(05) are alerted when system-generated occur.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(05)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system monitoring tools and techniques documentation; system configuration settings and associated documentation; list of personnel selected to receive alerts; documentation of alerts generated based on compromise indicators; system audit records; system security plan; privacy plan; other relevant documents or records].
SI-04(05)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel on the system alert notification list; organizational personnel responsible for the intrusion detection system].
SI-04(05)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing alerts for compromise indicators].
SI-04(06) SYSTEM MONITORING | RESTRICT NON-PRIVILEGED USERS
[WITHDRAWN: Incorporated into AC-06(10).]

SI-04(07) SYSTEM MONITORING | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
ASSESSMENT OBJECTIVE: Determine if:
SI-04(07)_ODP[01] incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined;
SI-04(07)_ODP[02] least-disruptive actions to terminate suspicious events are defined;
SI-04(07)(a) are notified of detected suspicious events;
SI-04(07)(b) are taken upon the detection of suspicious events.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(07)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; alerts and notifications generated based on detected suspicious events; records of actions taken to terminate suspicious events; system audit records; system security plan; other relevant documents or records].
SI-04(07)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(07)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing notifications to incident response personnel; automated mechanisms supporting and/or implementing actions to terminate suspicious events].
SI-04(08) SYSTEM MONITORING | PROTECTION OF MONITORING INFORMATION
[WITHDRAWN: Incorporated into SI-04.]

SI-04(09) SYSTEM MONITORING | TESTING OF MONITORING TOOLS AND MECHANISMS
ASSESSMENT OBJECTIVE: Determine if:
SI-04(09)_ODP a frequency at which to test intrusion-monitoring tools and mechanisms is defined;
SI-04(09) intrusion-monitoring tools and mechanisms are tested .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(09)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing the testing of system monitoring tools and techniques; documentation providing evidence of testing intrusion-monitoring tools; system security plan; other relevant documents or records].
SI-04(09)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(09)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing the testing of intrusion-monitoring tools].

SI-04(10) SYSTEM MONITORING | VISIBILITY OF ENCRYPTED COMMUNICATIONS
ASSESSMENT OBJECTIVE: Determine if:
SI-04(10)_ODP[01] encrypted communications traffic visible to system monitoring tools and mechanisms is defined;
SI-04(10)_ODP[02] system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;
SI-04(10) is visible to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(10)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system protocols; system security plan; other relevant documents or records].
SI-04(10)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(10)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing the visibility of encrypted communications traffic to monitoring tools].

SI-04(11) SYSTEM MONITORING | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
ASSESSMENT OBJECTIVE: Determine if:
SI-04(11)_ODP interior points within the system where communications traffic is to be analyzed are defined;
SI-04(11)[01] outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;
SI-04(11)[02] outbound communications traffic at is analyzed to discover anomalies.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(11)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; network diagram; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system audit records; system security plan; other relevant documents or records].
SI-04(11)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(11)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing the analysis of communications traffic].

SI-04(12) SYSTEM MONITORING | AUTOMATED ORGANIZATION-GENERATED ALERTS
ASSESSMENT OBJECTIVE: Determine if:
SI-04(12)_ODP[01] personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined;
SI-04(12)_ODP[02] automated mechanisms used to alert personnel or roles are defined;
SI-04(12)_ODP[03] activities that trigger alerts to personnel or are defined;
SI-04(12) is/are alerted using when indicate inappropriate or unusual activities with security or privacy implications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-04(12)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; list of inappropriate or unusual activities with security and privacy implications that trigger alerts; suspicious activity reports; alerts provided to security and privacy personnel; system monitoring logs or records; system audit records; system security plan; privacy plan; other relevant documents or records].
SI-04(12)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; system developers; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system].
SI-04(12)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing automated alerts to security personnel].

SI-04(13) SYSTEM MONITORING | ANALYZE TRAFFIC AND EVENT PATTERNS
ASSESSMENT OBJECTIVE: Determine if:
SI-04(13)(a)[01] communications traffic for the system is analyzed;
SI-04(13)(a)[02] event patterns for the system are analyzed;
SI-04(13)(b)[01] profiles representing common traffic are developed;
SI-04(13)(b)[02] profiles representing event patterns are developed;
SI-04(13)(c)[01] traffic profiles are used in tuning system-monitoring devices;
SI-04(13)(c)[02] event profiles are used in tuning system-monitoring devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(13)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; list of profiles representing common traffic patterns and/or events; system protocols documentation; list of acceptable thresholds for false positives and false negatives; system security plan; other relevant documents or records]. SI-04(13)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system]. SI-04(13)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing the analysis of communications traffic and event patterns]. SI-04(14) SYSTEM MONITORING | WIRELESS INTRUSION DETECTION ASSESSMENT OBJECTIVE: Determine if: SI-04(14)[01] a wireless intrusion detection system is employed to identify rogue wireless devices; SI-04(14)[02] a wireless intrusion detection system is employed to detect attack attempts on the system; SI-04(14)[03] a wireless intrusion detection system is employed to detect potential compromises or breaches to the system. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(14)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system protocols; system audit records; system security plan; other relevant documents or records]. SI-04(14)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system]. SI-04(14)-Test [SELECT FROM: Organizational processes for intrusion detection; automated mechanisms supporting and/or implementing a wireless intrusion detection capability]. SI-04(15) SYSTEM MONITORING | WIRELESS TO WIRELINE COMMUNICATIONS ASSESSMENT OBJECTIVE: Determine if: SI-04(15) an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(15)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system protocols documentation; system audit records; system security plan; other relevant documents or records]. 
SI-04(15)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system]. SI-04(15)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing a wireless intrusion detection capability]. SI-04(16) SYSTEM MONITORING | CORRELATE MONITORING INFORMATION ASSESSMENT OBJECTIVE: Determine if: SI-04(16) information from monitoring tools and mechanisms employed throughout the system is correlated. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(16)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; event correlation logs or records; system audit records; system security plan; other relevant documents or records]. SI-04(16)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system]. 
SI-04(16)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing the correlation of information from monitoring tools]. SI-04(17) SYSTEM MONITORING | INTEGRATED SITUATIONAL AWARENESS ASSESSMENT OBJECTIVE: Determine if: SI-04(17)[01] information from monitoring physical activities is correlated to achieve integrated, organization-wide situational awareness; SI-04(17)[02] information from monitoring cyber activities is correlated to achieve integrated, organization-wide situational awareness; SI-04(17)[03] information from monitoring supply chain activities is correlated to achieve integrated, organization-wide situational awareness. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(17)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; event correlation logs or records resulting from physical, cyber, and supply chain activities; system audit records; system security plan; supply chain risk management plan; other relevant documents or records]. SI-04(17)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system]. 
SI-04(17)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing the correlation of information from monitoring tools]. SI-04(18) SYSTEM MONITORING | ANALYZE TRAFFIC AND COVERT EXFILTRATION ASSESSMENT OBJECTIVE: Determine if: SI-04(18)_ODP interior points within the system where communications traffic is to be analyzed are defined; SI-04(18)[01] outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information; SI-04(18)[02] outbound communications traffic is analyzed at to detect covert exfiltration of information. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(18)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; network diagram; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system audit records; system security plan; other relevant documents or records]. SI-04(18)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; organizational personnel responsible for the intrusion detection system]. SI-04(18)-Test [SELECT FROM: Organizational processes for intrusion detection and system monitoring; automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities; automated mechanisms supporting and/or implementing an analysis of outbound communications traffic]. 
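The following is an added example of the kind of automated mechanism an assessor would test under SI-04(11), SI-04(13) and SI-04(18) above; it is not part of NIST SP 800-53A. It builds a per-host profile of common outbound traffic from a training window (SI-04(13)(b)) and compares a later window of the same length against it: a destination and port never seen before, a per-flow byte count far above the host's profile, and DNS volume far above the host's usual DNS volume (a common covert-channel pattern) each produce a finding that monitoring devices can be tuned with (SI-04(13)(c)). Every flow record, threshold and name in the block is a constructed assumption.

```python
"""Profile-based analysis of outbound communications traffic (added example)."""

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # internal host that originated the flow
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow


# Constructed one-hour training window, assumed to contain only normal traffic.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "203.0.113.5", 443, 1800),
    Flow("10.0.1.10", "203.0.113.5", 443, 2200),
    Flow("10.0.1.10", "198.51.100.7", 443, 1500),
    Flow("10.0.1.10", "10.0.0.53", 53, 120),
    Flow("10.0.1.10", "10.0.0.53", 53, 95),
    Flow("10.0.1.11", "203.0.113.5", 443, 2000),
    Flow("10.0.1.11", "198.51.100.7", 443, 1700),
    Flow("10.0.1.11", "10.0.0.53", 53, 110),
    Flow("10.0.1.11", "10.0.0.53", 53, 130),
]

# Constructed one-hour observation window captured at the same monitoring points.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "203.0.113.5", 443, 2100),        # within profile
    Flow("10.0.1.11", "192.0.2.99", 443, 48_000_000),   # new destination, large upload
    Flow("10.0.1.11", "10.0.0.53", 53, 120),            # normal DNS
    Flow("10.0.1.10", "10.0.0.53", 53, 3_500_000),      # DNS volume far above profile
]


@dataclass
class HostProfile:
    destinations: set   # (dst, dport) pairs seen during training
    byte_mean: float    # per-flow bytes_out mean over non-DNS flows
    byte_stdev: float   # population stdev of the same
    dns_bytes: int      # total DNS bytes sent during the training window


def build_profiles(flows):
    """SI-04(13)(b): derive a per-host profile of common outbound traffic."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.src].append(f)
    profiles = {}
    for host, host_flows in by_host.items():
        non_dns = [f.bytes_out for f in host_flows if f.dport != 53] or [0]
        profiles[host] = HostProfile(
            destinations={(f.dst, f.dport) for f in host_flows},
            byte_mean=mean(non_dns),
            byte_stdev=pstdev(non_dns),
            dns_bytes=sum(f.bytes_out for f in host_flows if f.dport == 53),
        )
    return profiles


def analyze(flows, profiles, sigma=3.0, factor=10):
    """SI-04(11)/(18): compare an observation window against the profiles.

    Returns (host, finding, dst, dport) tuples. A flow's byte count must exceed
    both mean + sigma*stdev and factor*mean to be reported, so a host whose
    training flows were nearly identical (tiny stdev) does not alert on
    ordinary variation. Thresholds are assumed values for this example."""
    findings = []
    dns_totals = defaultdict(int)
    for f in flows:
        p = profiles.get(f.src)
        if p is None:
            findings.append((f.src, "host without profile", f.dst, f.dport))
            continue
        if (f.dst, f.dport) not in p.destinations:
            findings.append((f.src, "new destination", f.dst, f.dport))
        if f.dport == 53:
            dns_totals[f.src] += f.bytes_out
            continue
        bound = max(p.byte_mean + sigma * p.byte_stdev, factor * p.byte_mean)
        if f.bytes_out > bound:
            findings.append((f.src, "volume above profile", f.dst, f.dport))
    for host, total in dns_totals.items():
        if total > factor * max(profiles[host].dns_bytes, 1):
            findings.append((host, "dns volume above profile", "*", 53))
    return findings


def run_example():
    return analyze(OBSERVED_FLOWS, build_profiles(BASELINE_FLOWS))


if __name__ == "__main__":
    for host, finding, dst, dport in run_example():
        print(f"{host}: {finding} ({dst}:{dport})")
```

The two-sided volume bound is the part worth keeping when adapting this: a pure standard-deviation rule alerts constantly for hosts with very regular traffic, and a pure multiplier misses slow increases on hosts with noisy traffic. Collecting the training window at the same external and interior points that SI-04(11)_ODP and SI-04(18)_ODP define keeps the profile comparable to what is later observed.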
SI-04(19) SYSTEM MONITORING | RISK FOR INDIVIDUALS ASSESSMENT OBJECTIVE: Determine if: SI-04(19)_ODP[01] additional monitoring of individuals who have been identified as posing an increased level of risk is defined; SI-04(19)_ODP[02] sources that identify individuals who pose an increased level of risk are defined; SI-04(19) is implemented on individuals who have been identified by as posing an increased level of risk. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(19)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. SI-04(19)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security and privacy responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system; legal counsel; human resource officials; organizational personnel with personnel security responsibilities]. SI-04(19)-Test [SELECT FROM: Organizational processes for system monitoring; automated mechanisms supporting and/or implementing a system monitoring capability]. SI-04(20) SYSTEM MONITORING | PRIVILEGED USERS ASSESSMENT OBJECTIVE: Determine if: SI-04(20)_ODP additional monitoring of privileged users is defined; SI-04(20) of privileged users is implemented. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(20)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system audit records; system security plan; other relevant documents or records]. SI-04(20)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system]. SI-04(20)-Test [SELECT FROM: Organizational processes for system monitoring; automated mechanisms supporting and/or implementing a system monitoring capability]. SI-04(21) SYSTEM MONITORING | PROBATIONARY PERIODS ASSESSMENT OBJECTIVE: Determine if: SI-04(21)_ODP[01] additional monitoring to be implemented on individuals during probationary periods is defined; SI-04(21)_ODP[02] the probationary period of individuals is defined; SI-04(21) of individuals is implemented during . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(21)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system audit records; system security plan; other relevant documents or records]. SI-04(21)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system]. 
SI-04(21)-Test [SELECT FROM: Organizational processes for system monitoring; automated mechanisms supporting and/or implementing a system monitoring capability]. SI-04(22) SYSTEM MONITORING | UNAUTHORIZED NETWORK SERVICES ASSESSMENT OBJECTIVE: Determine if: SI-04(22)_ODP[01] authorization or approval processes for network services are defined; SI-04(22)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {audit; alert}; SI-04(22)_ODP[03] personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined (if selected); SI-04(22)(a) network services that have not been authorized or approved by are detected; SI-04(22)(b) is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(22)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; documented authorization/approval of network services; notifications or alerts of unauthorized network services; system monitoring logs or records; system audit records; system security plan; other relevant documents or records]. SI-04(22)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring the system]. 
SI-04(22)-Test [SELECT FROM: Organizational processes for system monitoring; automated mechanisms supporting and/or implementing a system monitoring capability; automated mechanisms for auditing network services; automated mechanisms for providing alerts]. SI-04(23) SYSTEM MONITORING | HOST-BASED DEVICES ASSESSMENT OBJECTIVE: Determine if: SI-04(23)_ODP[01] host-based monitoring mechanisms to be implemented on system components are defined; SI-04(23)_ODP[02] system components where host-based monitoring is to be implemented are defined; SI-04(23) are implemented on . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(23)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring tools and techniques; system design documentation; host-based monitoring mechanisms; system monitoring tools and techniques documentation; system configuration settings and associated documentation; list of system components requiring host-based monitoring; system monitoring logs or records; system audit records; system security plan; other relevant documents or records]. SI-04(23)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring system hosts]. SI-04(23)-Test [SELECT FROM: Organizational processes for system monitoring; automated mechanisms supporting and/or implementing host-based monitoring capability]. 
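As an added example for SI-04(22) above (not part of NIST SP 800-53A), the block below is the shape of automated mechanism an assessor would exercise under SI-04(22)-Test: it compares the services a host is actually listening on against the documented authorization record and then performs the selected action(s) from {audit; alert}. The authorization record, the listener listing (written in the shape of `ss -H -lntup` output but constructed rather than captured) and the role names are assumptions. A listener counts as authorized only when protocol, port and owning process all match an approved entry, so an approved port bound by an unexpected program is still reported.

```python
"""Detection of network services that have not been authorized (added example)."""

import re
from dataclasses import dataclass

# Constructed sample in the shape of `ss -H -lntup` output; not a real capture.
SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      128        127.0.0.1:9100      0.0.0.0:*    users:(("node_exporter",pid=1210,fd=3))
tcp   LISTEN 0      5            0.0.0.0:4444      0.0.0.0:*    users:(("nc",pid=3981,fd=3))
udp   UNCONN 0      0            0.0.0.0:69        0.0.0.0:*    users:(("in.tftpd",pid=2201,fd=4))
"""

# Assumed SI-04(22)_ODP[01] authorization record: (proto, port, process).
APPROVED_SERVICES = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "nginx"),
    ("tcp", 9100, "node_exporter"),
}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_listeners(text):
    """Parse `ss -H -lntup`-style lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # also handles "[::]:22"
        m = PROCESS_RE.search(line)
        listeners.append(Listener(proto, addr, int(port), m.group(1) if m else "?"))
    return listeners


def find_unauthorized(listeners, approved):
    """SI-04(22)(a): anything not matching an approved (proto, port, process)."""
    return [l for l in listeners if (l.proto, l.port, l.process) not in approved]


def respond(unauthorized, actions=("audit", "alert"), roles=("network-ops", "soc-watch")):
    """SI-04(22)(b): produce audit records and/or alerts per the selected values.

    `actions` stands in for SI-04(22)_ODP[02] and `roles` for SI-04(22)_ODP[03];
    both are assumed values."""
    audit_records, alerts = [], []
    for l in unauthorized:
        msg = f"unauthorized service {l.proto}/{l.port} ({l.process}) bound to {l.addr}"
        if "audit" in actions:
            audit_records.append(msg)
        if "alert" in actions:
            alerts.extend((role, msg) for role in roles)
    return audit_records, alerts


def run_example(actions=("audit", "alert")):
    unauthorized = find_unauthorized(parse_listeners(SS_OUTPUT), APPROVED_SERVICES)
    audit_records, alerts = respond(unauthorized, actions)
    return unauthorized, audit_records, alerts


if __name__ == "__main__":
    for record in run_example()[1]:
        print(record)
```

In practice the listing is produced by running `ss -H -lntup` on the host (or taken from an inventory agent) rather than embedded; the comparison and the audit/alert branch are what an assessor would want to see exercised against a deliberately started unapproved listener.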
SI-04(24) SYSTEM MONITORING | INDICATORS OF COMPROMISE ASSESSMENT OBJECTIVE: Determine if: SI-04(24)_ODP[01] sources that provide indicators of compromise are defined; SI-04(24)_ODP[02] personnel or roles to whom indicators of compromise are to be distributed is/are defined; SI-04(24)[01] indicators of compromise provided by are discovered; SI-04(24)[02] indicators of compromise provided by are collected; SI-04(24)[03] indicators of compromise provided by are distributed to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(24)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system audit records; system security plan; other relevant documents or records]. SI-04(24)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring system hosts]. SI-04(24)-Test [SELECT FROM: Organizational processes for system monitoring; organizational processes for the discovery, collection, distribution, and use of indicators of compromise; automated mechanisms supporting and/or implementing a system monitoring capability; automated mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise]. 
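The block below is an added example for SI-04(24) above, covering the discovery, collection, distribution and use of indicators of compromise that SI-04(24)-Test names; it is not part of NIST SP 800-53A. The two indicator feeds (standing in for SI-04(24)_ODP[01] sources), their simplified JSON layout, the log lines, the placeholder hash and the role names (standing in for SI-04(24)_ODP[02]) are all constructed assumptions. Indicators are merged across sources with provenance kept, matched against telemetry token by token so that 192.0.2.4 does not match 192.0.2.44, and hits are routed to the roles responsible for that indicator type plus a watch role that receives everything.

```python
"""Collection, matching and distribution of indicators of compromise (added example)."""

import json
import re
from collections import defaultdict

# Constructed feeds; the sha256 value is a placeholder, not a real sample hash.
FEEDS = [
    json.dumps({"source": "sector-isac", "indicators": [
        {"type": "ipv4", "value": "192.0.2.44", "context": "command and control"},
        {"type": "domain", "value": "update-cdn.example", "context": "staging"},
    ]}),
    json.dumps({"source": "internal-ir", "indicators": [
        {"type": "ipv4", "value": "192.0.2.44", "context": "seen in a prior incident"},
        {"type": "sha256", "value": "0123456789abcdef" * 4, "context": "dropper"},
    ]}),
]

# Constructed telemetry: proxy, firewall and endpoint records.
LOG_LINES = [
    "2024-05-02T10:14:03Z proxy01 CONNECT update-cdn.example:443 client=10.0.1.23 status=200",
    "2024-05-02T10:14:09Z fw01 DENY tcp 10.0.1.23:51822 -> 192.0.2.44:8443",
    "2024-05-02T10:15:41Z edr host=ws-23 exec=svc.exe sha256=" + "0123456789ABCDEF" * 4,
    "2024-05-02T10:16:00Z fw01 ALLOW tcp 10.0.1.30:50211 -> 192.0.2.4:443",
]

# Assumed routing of indicator types to responsible roles (SI-04(24)_ODP[02]).
ROUTING = {
    "ipv4": ("network-defense",),
    "domain": ("network-defense",),
    "sha256": ("endpoint-team",),
}

# Whole-token extraction: letters, digits, dots and hyphens, so ports, paths
# and punctuation around an indicator are split off instead of defeating it.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def collect(feeds):
    """Merge indicators from every source: {(type, value): {source, ...}}."""
    merged = defaultdict(set)
    for raw in feeds:
        feed = json.loads(raw)
        for ind in feed["indicators"]:
            merged[(ind["type"], ind["value"].lower())].add(feed["source"])
    return dict(merged)


def match(indicators, log_lines):
    """Use the indicators: report each log line containing one as a whole token."""
    hits = []
    for line in log_lines:
        tokens = {t.lower().rstrip(".") for t in TOKEN_RE.findall(line)}
        for (itype, value), sources in indicators.items():
            if value in tokens:
                hits.append({"type": itype, "value": value,
                             "sources": sorted(sources), "line": line})
    return hits


def distribute(hits, watch_role="soc-watch"):
    """Route each hit to the roles for its indicator type plus the watch role."""
    outbox = defaultdict(list)
    for h in hits:
        for role in ROUTING.get(h["type"], ()) + (watch_role,):
            outbox[role].append(h)
    return dict(outbox)


def run_example():
    indicators = collect(FEEDS)
    hits = match(indicators, LOG_LINES)
    return indicators, hits, distribute(hits)


if __name__ == "__main__":
    _, hits, outbox = run_example()
    for role, items in outbox.items():
        print(role, [f"{h['type']}={h['value']} via {','.join(h['sources'])}" for h in items])
```

Keeping the source set on each merged indicator matters for the "distributed to" objective: the recipient can see that the same address arrived from both an external feed and internal incident records, which changes how much weight the hit carries.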
SI-04(25) SYSTEM MONITORING | OPTIMIZE NETWORK TRAFFIC ANALYSIS ASSESSMENT OBJECTIVE: Determine if: SI-04(25)[01] visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices; SI-04(25)[02] visibility into network traffic at internal system interfaces is provided to optimize the effectiveness of monitoring devices. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-04(25)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system monitoring; system design documentation; system monitoring tools and techniques documentation; system configuration settings and associated documentation; system monitoring logs or records; system architecture; system audit records; network traffic reports; system security plan; other relevant documents or records]. SI-04(25)-Interview [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developer; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for monitoring system hosts]. SI-04(25)-Test [SELECT FROM: Organizational processes for system monitoring; organizational processes for the discovery, collection, distribution, and use of indicators of compromise; automated mechanisms supporting and/or implementing a system monitoring capability; automated mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise]. 
SI-05 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES ASSESSMENT OBJECTIVE: Determine if: SI-05_ODP[01] external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined; SI-05_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {; ; }; SI-05_ODP[03] personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected); SI-05_ODP[04] elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected); SI-05_ODP[05] external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected); SI-05a. system security alerts, advisories, and directives are received from on an ongoing basis; SI-05b. internal security alerts, advisories, and directives are generated as deemed necessary; SI-05c. security alerts, advisories, and directives are disseminated to ; SI-05d. security directives are implemented in accordance with established time frames, or the issuing organization is notified of the degree of noncompliance. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-05-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing security alerts, advisories, and directives; records of security alerts and advisories; system security plan; other relevant documents or records]. SI-05-Interview [SELECT FROM: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, and using the system; organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated; system/network administrators; organizational personnel with information security responsibilities]. 
SI-05-Test [SELECT FROM: Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives; automated mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives; automated mechanisms supporting and/or implementing security directives]. SI-05(01) SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES ASSESSMENT OBJECTIVE: Determine if: SI-05(01)_ODP automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined; SI-05(01) are used to broadcast security alert and advisory information throughout the organization. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-05(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing security alerts, advisories, and directives; system design documentation; system configuration settings and associated documentation; automated mechanisms supporting the distribution of security alert and advisory information; records of security alerts and advisories; system audit records; system security plan; other relevant documents or records]. SI-05(01)-Interview [SELECT FROM: Organizational personnel with security alert and advisory responsibilities; organizational personnel implementing, operating, maintaining, and using the system; organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated; system/network administrators; organizational personnel with information security responsibilities]. SI-05(01)-Test [SELECT FROM: Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories; automated mechanisms supporting and/or implementing the dissemination of security alerts and advisories]. 
SI-06 SECURITY AND PRIVACY FUNCTION VERIFICATION ASSESSMENT OBJECTIVE: Determine if: SI-06_ODP[01] security functions to be verified for correct operation are defined; SI-06_ODP[02] privacy functions to be verified for correct operation are defined; SI-06_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {; upon command by user with appropriate privilege; }; SI-06_ODP[04] system transitional states requiring the verification of security and privacy functions are defined (if selected); SI-06_ODP[05] frequency at which to verify the correct operation of security and privacy functions is defined (if selected); SI-06_ODP[06] personnel or roles to be alerted of failed security and privacy verification tests is/are defined; SI-06_ODP[07] one or more of the following PARAMETER VALUES is/are selected: {shut the system down; restart the system; }; SI-06_ODP[08] alternative action(s) to be performed when anomalies are discovered are defined (if selected); SI-06a.[01] are verified to be operating correctly; SI-06a.[02] are verified to be operating correctly; SI-06b.[01] are verified ; SI-06b.[02] are verified ; SI-06c.[01] is/are alerted to failed security verification tests; SI-06c.[02] is/are alerted to failed privacy verification tests; SI-06d. is/are initiated when anomalies are discovered. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-06-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing security and privacy function verification; system design documentation; system configuration settings and associated documentation; alerts/notifications of failed security verification tests; list of system transition states requiring security functionality verification; system audit records; system security plan; privacy plan; other relevant documents or records]. 
SI-06-Interview [SELECT FROM: Organizational personnel with security and privacy function verification responsibilities; organizational personnel implementing, operating, and maintaining the system; system/network administrators; organizational personnel with information security and privacy responsibilities; system developer]. SI-06-Test [SELECT FROM: Organizational processes for security and privacy function verification; automated mechanisms supporting and/or implementing the security and privacy function verification capability]. SI-06(01) SECURITY AND PRIVACY FUNCTION VERIFICATION | NOTIFICATION OF FAILED SECURITY TESTS [WITHDRAWN: Incorporated into SI-06.] SI-06(02) SECURITY AND PRIVACY FUNCTION VERIFICATION | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING ASSESSMENT OBJECTIVE: Determine if: SI-06(02)[01] automated mechanisms are implemented to support the management of distributed security function testing; SI-06(02)[02] automated mechanisms are implemented to support the management of distributed privacy function testing. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-06(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing security and privacy function verification; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; privacy plan; other relevant documents or records]. SI-06(02)-Interview [SELECT FROM: Organizational personnel with security and privacy function verification responsibilities; organizational personnel implementing, operating, and maintaining the system; system/network administrators; organizational personnel with information security and privacy responsibilities]. SI-06(02)-Test [SELECT FROM: Organizational processes for security and privacy function verification; automated mechanisms supporting and/or implementing the management of distributed security and privacy testing]. 
SI-06(03) SECURITY AND PRIVACY FUNCTION VERIFICATION | REPORT VERIFICATION RESULTS ASSESSMENT OBJECTIVE: Determine if: SI-06(03)_ODP personnel or roles designated to receive the results of security and privacy function verification is/are defined; SI-06(03)[01] the results of security function verification are reported to ; SI-06(03)[02] the results of privacy function verification are reported to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-06(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing security and privacy function verification; system design documentation; system configuration settings and associated documentation; reports of security and privacy function verification results; system audit records; system security plan; privacy plan; other relevant documents or records]. SI-06(03)-Interview [SELECT FROM: Organizational personnel with security and privacy function verification responsibilities; organizational personnel who are recipients of security and privacy function verification reports; organizational personnel with information security and privacy responsibilities]. SI-06(03)-Test [SELECT FROM: Organizational processes for reporting security and privacy function verification results; automated mechanisms supporting and/or implementing the reporting of security and privacy function verification results]. 
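The block below is an added example of a security and privacy function verification capability of the kind SI-06, SI-06(03) and their -Test entries above refer to; it is not part of NIST SP 800-53A. Which functions are verified, the trigger (here: on command), the personnel alerted, the recipients of the results and the selected failure action are organization-defined parameters whose values in the block are assumptions, as is the toy `redact_email` function standing in for a privacy function. The SHA-256 and HMAC-SHA-256 answers are the published FIPS 180-4 and RFC 4231 test vectors, so a wrong digest means the implementation in use, not the test, is broken. A second entry point deliberately breaks one function to show the alert, report and action path.

```python
"""Known-answer verification of security and privacy functions (added example)."""

import hashlib
import hmac
import re


def redact_email(text):
    """Assumed privacy function: mask the local part of e-mail addresses."""
    return re.sub(r"\b[^@\s]+@([^@\s]+)", r"***@\1", text)


# name -> (callable under test, expected answer). Security functions use
# published vectors; the privacy function uses a locally agreed known answer.
KNOWN_ANSWERS = {
    "security:sha256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "security:hmac-sha256": (
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    "security:compare_digest": (
        lambda: (hmac.compare_digest(b"abc", b"abc"), hmac.compare_digest(b"abc", b"abd")),
        (True, False)),
    "privacy:redact_email": (
        lambda: redact_email("contact alice@example.org today"),
        "contact ***@example.org today"),
}

# The SI-06_ODP[07] selection set; "alternative action" stands for SI-06_ODP[08].
FAILURE_ACTIONS = ("shut the system down", "restart the system", "alternative action")


def verify(functions):
    """SI-06a/b: run every known-answer test; a raised exception is a failure."""
    results = {}
    for name, (run, expected) in functions.items():
        try:
            results[name] = run() == expected
        except Exception:  # a crashing security function has not verified correctly
            results[name] = False
    return results


def act_on_results(results, alert_roles=("ISSO", "system-owner"),
                   on_failure="alternative action"):
    """SI-06c/d and SI-06(03): alert, report, and choose the selected action.

    The action is returned as a decision rather than executed; a deployment
    would call the platform's service manager for the shutdown/restart cases.
    The role names and default action are assumed values."""
    if on_failure not in FAILURE_ACTIONS:
        raise ValueError(f"unsupported failure action: {on_failure!r}")
    failed = sorted(name for name, ok in results.items() if not ok)
    return {
        "results": results,
        "failed": failed,
        "reported_to": list(alert_roles),               # SI-06(03): results always reported
        "alerted": list(alert_roles) if failed else [],  # SI-06c: alert only on failure
        "action": on_failure if failed else "none",      # SI-06d
    }


def run_example(on_failure="alternative action"):
    """Verification on command with every function behaving correctly."""
    return act_on_results(verify(KNOWN_ANSWERS), on_failure=on_failure)


def run_tampered_example():
    """Simulate a broken hash implementation to exercise the failure path."""
    tampered = dict(KNOWN_ANSWERS)
    tampered["security:sha256"] = (lambda: hashlib.sha256(b"abd").hexdigest(),
                                   KNOWN_ANSWERS["security:sha256"][1])
    return act_on_results(verify(tampered), on_failure="restart the system")


if __name__ == "__main__":
    print(run_example())
    print(run_tampered_example())
```

Two details an assessor tends to look for are visible here: an exception inside a verified function is recorded as a failure rather than aborting the whole run, and results are reported to the designated recipients on every run (SI-06(03)) while alerts go out only on failure (SI-06c).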
SI-07 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY ASSESSMENT OBJECTIVE: Determine if: SI-07_ODP[01] software requiring integrity verification tools to be employed to detect unauthorized changes is defined; SI-07_ODP[02] firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined; SI-07_ODP[03] information requiring integrity verification tools to be employed to detect unauthorized changes is defined; SI-07_ODP[04] actions to be taken when unauthorized changes to software are detected are defined; SI-07_ODP[05] actions to be taken when unauthorized changes to firmware are detected are defined; SI-07_ODP[06] actions to be taken when unauthorized changes to information are detected are defined; SI-07a.[01] integrity verification tools are employed to detect unauthorized changes to ; SI-07a.[02] integrity verification tools are employed to detect unauthorized changes to ; SI-07a.[03] integrity verification tools are employed to detect unauthorized changes to ; SI-07b.[01] are taken when unauthorized changes to the software, firmware, and information are detected; SI-07b.[02] are taken when unauthorized changes to the software, firmware, and information are detected; SI-07b.[03] are taken when unauthorized changes to the software, firmware, and information are detected. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-07-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; personally identifiable information processing policy; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; records generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes; system audit records; system security plan; privacy plan; other relevant documents or records]. 
SI-07-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security and privacy responsibilities; system/network administrators].
SI-07-Test [SELECT FROM: Software, firmware, and information integrity verification tools].

SI-07(01) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(01)_ODP[01] software on which an integrity check is to be performed is defined;
SI-07(01)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {at startup; ; };
SI-07(01)_ODP[03] transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);
SI-07(01)_ODP[04] frequency with which to perform an integrity check (on software) is defined (if selected);
SI-07(01)_ODP[05] firmware on which an integrity check is to be performed is defined;
SI-07(01)_ODP[06] one or more of the following PARAMETER VALUES is/are selected: {at startup; ; };
SI-07(01)_ODP[07] transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);
SI-07(01)_ODP[08] frequency with which to perform an integrity check (on firmware) is defined (if selected);
SI-07(01)_ODP[09] information on which an integrity check is to be performed is defined;
SI-07(01)_ODP[10] one or more of the following PARAMETER VALUES is/are selected: {at startup; ; };
SI-07(01)_ODP[11] transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);
SI-07(01)_ODP[12] frequency with which to perform an integrity check (of information) is defined (if selected);
SI-07(01)[01] an integrity check of is performed ;
SI-07(01)[02] an integrity check of is performed ;
SI-07(01)[03] an integrity check of is performed .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity testing; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; system security plan; other relevant documents or records].
SI-07(01)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(01)-Test [SELECT FROM: Software, firmware, and information integrity verification tools].

SI-07(02) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(02)_ODP personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;
SI-07(02) automated tools that provide notification to upon discovering discrepancies during integrity verification are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; personally identifiable information processing policy; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; automated tools supporting alerts and notifications for integrity discrepancies; notifications provided upon discovering discrepancies during integrity verifications; system audit records; system security plan; privacy plan; other relevant documents or records].
SI-07(02)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security and privacy responsibilities; system administrators; software developers].
SI-07(02)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms providing integrity discrepancy notifications].

SI-07(03) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CENTRALLY MANAGED INTEGRITY TOOLS
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(03) centrally managed integrity verification tools are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; system security plan; other relevant documents or records].
SI-07(03)-Interview [SELECT FROM: Organizational personnel responsible for the central management of integrity verification tools; organizational personnel with information security responsibilities].
SI-07(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the central management of integrity verification tools].

SI-07(04) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | TAMPER-EVIDENT PACKAGING
[WITHDRAWN: Incorporated into SR-09.]

SI-07(05) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(05)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {shut down the system; restart the system; implement};
SI-07(05)_ODP[02] controls to be implemented automatically when integrity violations are discovered are defined (if selected);
SI-07(05) are automatically performed when integrity violations are discovered.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(05)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; records of integrity checks and responses to integrity violations; audit records; system security plan; other relevant documents or records].
SI-07(05)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(05)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms providing an automated response to integrity violations; automated mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered].

SI-07(06) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CRYPTOGRAPHIC PROTECTION
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(06)[01] cryptographic mechanisms are implemented to detect unauthorized changes to software;
SI-07(06)[02] cryptographic mechanisms are implemented to detect unauthorized changes to firmware;
SI-07(06)[03] cryptographic mechanisms are implemented to detect unauthorized changes to information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(06)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated documentation; records of detected unauthorized changes to software, firmware, and information; system audit records; system security plan; other relevant documents or records].
SI-07(06)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(06)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; cryptographic mechanisms implementing software, firmware, and information integrity].

SI-07(07) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(07)_ODP security-relevant changes to the system are defined;
SI-07(07) the detection of are incorporated into the organizational incident response capability.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(07)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; procedures addressing incident response; system design documentation; system configuration settings and associated documentation; incident response records; audit records; system security plan; other relevant documents or records].
SI-07(07)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; organizational personnel with incident response responsibilities].
SI-07(07)-Test [SELECT FROM: Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability; software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability].

SI-07(08) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUDITING CAPABILITY FOR SIGNIFICANT EVENTS
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(08)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {generate an audit record; alert current user; alert; };
SI-07(08)_ODP[02] personnel or roles to be alerted upon the detection of a potential integrity violation is/are defined (if selected);
SI-07(08)_ODP[03] other actions to be taken upon the detection of a potential integrity violation are defined (if selected);
SI-07(08)[01] the capability to audit an event upon the detection of a potential integrity violation is provided;
SI-07(08)[02] is/are initiated upon the detection of a potential integrity violation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(08)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity scans; incident response records; list of security-relevant changes to the system; automated tools supporting alerts and notifications if unauthorized security changes are detected; system audit records; system security plan; other relevant documents or records].
SI-07(08)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(08)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing the capability to audit potential integrity violations; automated mechanisms supporting and/or implementing alerts about potential integrity violations].

SI-07(09) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | VERIFY BOOT PROCESS
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(09)_ODP system components requiring integrity verification of the boot process are defined;
SI-07(09) the integrity of the boot process of is verified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(09)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; documentation; records of integrity verification scans; system audit records; system security plan; other relevant documents or records].
SI-07(09)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system developer].
SI-07(09)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing integrity verification of the boot process].

SI-07(10) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | PROTECTION OF BOOT FIRMWARE
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(10)_ODP[01] mechanisms to be implemented to protect the integrity of boot firmware in system components are defined;
SI-07(10)_ODP[02] system components requiring mechanisms to protect the integrity of boot firmware are defined;
SI-07(10) are implemented to protect the integrity of boot firmware in .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(10)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; integrity verification tools and associated documentation; records of integrity verification scans; system audit records; system security plan; other relevant documents or records].
SI-07(10)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(10)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing protection of the integrity of boot firmware; safeguards implementing protection of the integrity of boot firmware].

SI-07(11) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CONFINED ENVIRONMENTS WITH LIMITED PRIVILEGES
[WITHDRAWN: Moved to CM-07(06).]

SI-07(12) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(12)_ODP user-installed software requiring integrity verification prior to execution is defined;
SI-07(12) the integrity of is verified prior to execution.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(12)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; integrity verification records; system audit records; system security plan; other relevant documents or records].
SI-07(12)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities].
SI-07(12)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing verification of the integrity of user-installed software prior to execution].

SI-07(13) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE EXECUTION IN PROTECTED ENVIRONMENTS
[WITHDRAWN: Moved to CM-07(07).]

SI-07(14) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | BINARY OR MACHINE EXECUTABLE CODE
[WITHDRAWN: Moved to CM-07(08).]

SI-07(15) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(15)_ODP software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;
SI-07(15) cryptographic mechanisms are implemented to authenticate prior to installation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(15)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software, firmware, and information integrity; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-07(15)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(15)-Test [SELECT FROM: Cryptographic mechanisms authenticating software and firmware prior to installation].

SI-07(16) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(16)_ODP the maximum time period permitted for processes to execute without supervision is defined;
SI-07(16) processes are prohibited from executing without supervision for more than .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(16)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software and information integrity; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-07(16)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(16)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing time limits on process execution without supervision].

SI-07(17) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | RUNTIME APPLICATION SELF-PROTECTION
ASSESSMENT OBJECTIVE:
Determine if:
SI-07(17)_ODP controls to be implemented for application self-protection at runtime are defined;
SI-07(17) are implemented for application self-protection at runtime.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-07(17)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing software and information integrity; system design documentation; system configuration settings and associated documentation; list of known vulnerabilities addressed by runtime instrumentation; system security plan; other relevant documents or records].
SI-07(17)-Interview [SELECT FROM: Organizational personnel responsible for software, firmware, and/or information integrity; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-07(17)-Test [SELECT FROM: Software, firmware, and information integrity verification tools; automated mechanisms supporting and/or implementing runtime application self-protection].

SI-08 SPAM PROTECTION
ASSESSMENT OBJECTIVE:
Determine if:
SI-08a.[01] spam protection mechanisms are employed at system entry points to detect unsolicited messages;
SI-08a.[02] spam protection mechanisms are employed at system exit points to detect unsolicited messages;
SI-08a.[03] spam protection mechanisms are employed at system entry points to act on unsolicited messages;
SI-08a.[04] spam protection mechanisms are employed at system exit points to act on unsolicited messages;
SI-08b. spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-08-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; configuration management policies and procedures (CM-01); procedures addressing spam protection; spam protection mechanisms; records of spam protection updates; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-08-Interview [SELECT FROM: Organizational personnel responsible for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-08-Test [SELECT FROM: Organizational processes for implementing spam protection; automated mechanisms supporting and/or implementing spam protection].

SI-08(01) SPAM PROTECTION | CENTRAL MANAGEMENT
[WITHDRAWN: Incorporated into PL-09.]

SI-08(02) SPAM PROTECTION | AUTOMATIC UPDATES
ASSESSMENT OBJECTIVE:
Determine if:
SI-08(02)_ODP the frequency at which to automatically update spam protection mechanisms is defined;
SI-08(02) spam protection mechanisms are automatically updated .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-08(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing spam protection; spam protection mechanisms; records of spam protection updates; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-08(02)-Interview [SELECT FROM: Organizational personnel responsible for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-08(02)-Test [SELECT FROM: Organizational processes for spam protection; automated mechanisms supporting and/or implementing automatic updates to spam protection mechanisms].

SI-08(03) SPAM PROTECTION | CONTINUOUS LEARNING CAPABILITY
ASSESSMENT OBJECTIVE:
Determine if:
SI-08(03) spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-08(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing spam protection; spam protection mechanisms; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-08(03)-Interview [SELECT FROM: Organizational personnel responsible for spam protection; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-08(03)-Test [SELECT FROM: Organizational processes for spam protection; automated mechanisms supporting and/or implementing spam protection mechanisms with a learning capability].

SI-09 INFORMATION INPUT RESTRICTIONS
[WITHDRAWN: Incorporated into AC-02, AC-03, AC-05, AC-06.]

SI-10 INFORMATION INPUT VALIDATION
ASSESSMENT OBJECTIVE:
Determine if:
SI-10_ODP information inputs to the system requiring validity checks are defined;
SI-10 the validity of the are checked.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-10-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; documentation for automated tools and applications to verify the validity of information; list of information inputs requiring validity checks; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-10-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-10-Test [SELECT FROM: Automated mechanisms supporting and/or implementing validity checks on information inputs].

SI-10(01) INFORMATION INPUT VALIDATION | MANUAL OVERRIDE CAPABILITY
ASSESSMENT OBJECTIVE:
Determine if:
SI-10(01)_ODP authorized individuals who can use the manual override capability are defined;
SI-10(01)(a) a manual override capability for the validation of is provided;
SI-10(01)(b) the use of the manual override capability is restricted to only ;
SI-10(01)(c) the use of the manual override capability is audited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-10(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; access control policy and procedures; separation of duties policy and procedures; procedures addressing information input validation; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-10(01)-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-10(01)-Test [SELECT FROM: Organizational processes for the use of a manual override capability; automated mechanisms supporting and/or implementing a manual override capability for input validation; automated mechanisms supporting and/or implementing auditing of the use of a manual override capability].

SI-10(02) INFORMATION INPUT VALIDATION | REVIEW AND RESOLVE ERRORS
ASSESSMENT OBJECTIVE:
Determine if:
SI-10(02)_ODP[01] the time period within which input validation errors are to be reviewed is defined;
SI-10(02)_ODP[02] the time period within which input validation errors are to be resolved is defined;
SI-10(02)[01] input validation errors are reviewed within ;
SI-10(02)[02] input validation errors are resolved within .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-10(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing information input validation; system design documentation; system configuration settings and associated documentation; review records of information input validation errors and resulting resolutions; information input validation error logs or records; system audit records; system security plan; other relevant documents or records].
SI-10(02)-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators].
SI-10(02)-Test [SELECT FROM: Organizational processes for the review and resolution of input validation errors; automated mechanisms supporting and/or implementing the review and resolution of input validation errors].

SI-10(03) INFORMATION INPUT VALIDATION | PREDICTABLE BEHAVIOR
ASSESSMENT OBJECTIVE:
Determine if:
SI-10(03)[01] the system behaves in a predictable manner when invalid inputs are received;
SI-10(03)[02] the system behaves in a documented manner when invalid inputs are received.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-10(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing information input validation; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-10(03)-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-10(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing predictable behavior when invalid inputs are received].

SI-10(04) INFORMATION INPUT VALIDATION | TIMING INTERACTIONS
ASSESSMENT OBJECTIVE:
Determine if:
SI-10(04) timing interactions among system components are accounted for in determining appropriate responses for invalid inputs.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-10(04)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing information input validation; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records].
SI-10(04)-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-10(04)-Test [SELECT FROM: Organizational processes for determining appropriate responses to invalid inputs; automated mechanisms supporting and/or implementing responses to invalid inputs].

SI-10(05) INFORMATION INPUT VALIDATION | RESTRICT INPUTS TO TRUSTED SOURCES AND APPROVED FORMATS
ASSESSMENT OBJECTIVE:
Determine if:
SI-10(05)_ODP[01] trusted sources to which the use of information inputs is to be restricted are defined;
SI-10(05)_ODP[02] formats to which the use of information inputs is to be restricted are defined;
SI-10(05) the use of information inputs is restricted to and/or .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-10(05)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing information input validation; system design documentation; system configuration settings and associated documentation; list of trusted sources for information inputs; list of acceptable formats for input restrictions; system audit records; system security plan; other relevant documents or records].
SI-10(05)-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-10(05)-Test [SELECT FROM: Organizational processes for restricting information inputs; automated mechanisms supporting and/or implementing restriction of information inputs].

SI-10(06) INFORMATION INPUT VALIDATION | INJECTION PREVENTION
ASSESSMENT OBJECTIVE:
Determine if:
SI-10(06) untrusted data injections are prevented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-10(06)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing information input validation; system design documentation; system configuration settings and associated documentation; list of trusted sources for information inputs; list of acceptable formats for input restrictions; system audit records; system security plan; other relevant documents or records].
SI-10(06)-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-10(06)-Test [SELECT FROM: Organizational processes for preventing untrusted data injections; automated mechanisms supporting and/or implementing injection prevention].

SI-11 ERROR HANDLING
ASSESSMENT OBJECTIVE:
Determine if:
SI-11_ODP personnel or roles to whom error messages are to be revealed is/are defined;
SI-11a. error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;
SI-11b. error messages are revealed only to .
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
SI-11-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing system error handling; system design documentation; system configuration settings and associated documentation; documentation providing the structure and content of error messages; system audit records; system security plan; other relevant documents or records].
SI-11-Interview [SELECT FROM: Organizational personnel responsible for information input validation; organizational personnel with information security responsibilities; system/network administrators; system developer].
SI-11-Test [SELECT FROM: Organizational processes for error handling; automated mechanisms supporting and/or implementing error handling; automated mechanisms supporting and/or implementing the management of error messages].

SI-12 INFORMATION MANAGEMENT AND RETENTION
ASSESSMENT OBJECTIVE:
Determine if:
SI-12[01] information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
SI-12[02] information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
SI-12[03] information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
SI-12[04] information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-12-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; records retention and disposition policy; records retention and disposition procedures; federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention; media protection policy; media protection procedures; audit findings; system security plan; privacy plan; privacy program plan; personally identifiable information inventory; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-12-Interview [SELECT FROM: Organizational personnel with information and records management, retention, and disposition responsibilities; organizational personnel with information security and privacy responsibilities; network administrators]. SI-12-Test [SELECT FROM: Organizational processes for information management, retention, and disposition; automated mechanisms supporting and/or implementing information management, retention, and disposition]. SI-12(01) INFORMATION MANAGEMENT AND RETENTION | LIMIT PERSONALLY IDENTIFIABLE INFORMATION ELEMENTS ASSESSMENT OBJECTIVE: Determine if: SI-12(01)_ODP elements of personally identifiable information being processed in the information life cycle are defined; SI-12(01) personally identifiable information being processed in the information life cycle is limited to . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-12(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; personally identifiable information processing procedures; records retention and disposition policy; records retention and disposition procedures; federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to limiting personally identifiable information elements; personally identifiable information inventory; system audit records; audit findings; system security plan; privacy plan; privacy program plan; privacy impact assessment; privacy risk assessment documentation; data mapping documentation; other relevant documents or records]. SI-12(01)-Interview [SELECT FROM: Organizational personnel with information and records management, retention, and disposition responsibilities; organizational personnel with security and privacy responsibilities; network administrators]. SI-12(01)-Test [SELECT FROM: Organizational processes for information management and retention (including limiting personally identifiable information processing); automated mechanisms supporting and/or implementing limits to personally identifiable information processing]. 
SI-12(02) INFORMATION MANAGEMENT AND RETENTION | MINIMIZE PERSONALLY IDENTIFIABLE INFORMATION IN TESTING, TRAINING, AND RESEARCH ASSESSMENT OBJECTIVE: Determine if: SI-12(02)_ODP[01] techniques used to minimize the use of personally identifiable information for research are defined; SI-12(02)_ODP[02] techniques used to minimize the use of personally identifiable information for testing are defined; SI-12(02)_ODP[03] techniques used to minimize the use of personally identifiable information for training are defined; SI-12(02)[01] are used to minimize the use of personally identifiable information for research; SI-12(02)[02] are used to minimize the use of personally identifiable information for testing; SI-12(02)[03] are used to minimize the use of personally identifiable information for training. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-12(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; personally identifiable information processing procedures; federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to minimizing the use of personally identifiable information in testing, training, and research; policy for the minimization of personally identifiable information used in testing, training, and research; procedures for the minimization of personally identifiable information used in testing, training, and research; documentation supporting minimization policy implementation (e.g., templates for testing, training, and research); data sets used for testing, training, and research; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. 
SI-12(02)-Interview [SELECT FROM: Organizational personnel with information and records management, retention, and disposition responsibilities; organizational personnel with information security and privacy responsibilities; network administrators; system developers; personnel with IRB responsibilities]. SI-12(02)-Test [SELECT FROM: Organizational processes for the minimization of personally identifiable information used in testing, training, and research; automated mechanisms supporting and/or implementing the minimization of personally identifiable information used in testing, training, and research]. SI-12(03) INFORMATION MANAGEMENT AND RETENTION | INFORMATION DISPOSAL ASSESSMENT OBJECTIVE: Determine if: SI-12(03)_ODP[01] techniques used to dispose of information following the retention period are defined; SI-12(03)_ODP[02] techniques used to destroy information following the retention period are defined; SI-12(03)_ODP[03] techniques used to erase information following the retention period are defined; SI-12(03)[01] are used to dispose of information following the retention period; SI-12(03)[02] are used to destroy information following the retention period; SI-12(03)[03] are used to erase information following the retention period. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-12(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; personally identifiable information processing procedures; records retention and disposition policy; records retention and disposition procedures; laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information disposal; media protection policy; media protection procedures; system audit records; audit findings; information disposal records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-12(03)-Interview [SELECT FROM: Organizational personnel with information and records management, retention, and disposition responsibilities; organizational personnel with information security and privacy responsibilities; network administrators]. SI-12(03)-Test [SELECT FROM: Organizational processes for information disposition; automated mechanisms supporting and/or implementing information disposition]. SI-13 PREDICTABLE FAILURE PREVENTION ASSESSMENT OBJECTIVE: Determine if: SI-13_ODP[01] system components for which mean time to failure (MTTF) should be determined are defined; SI-13_ODP[02] mean time to failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined; SI-13a. mean time to failure (MTTF) is determined for in specific environments of operation; SI-13b. substitute system components and a means to exchange active and standby components are provided in accordance with . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-13-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing predictable failure prevention; system design documentation; system configuration settings and associated documentation; list of MTTF substitution criteria; system audit records; system security plan; other relevant documents or records]. SI-13-Interview [SELECT FROM: Organizational personnel responsible for MTTF determinations and activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities]. SI-13-Test [SELECT FROM: Organizational processes for managing MTTF]. SI-13(01) PREDICTABLE FAILURE PREVENTION | TRANSFERRING COMPONENT RESPONSIBILITIES ASSESSMENT OBJECTIVE: Determine if: SI-13(01)_ODP the fraction or percentage of mean time to failure within which to transfer the responsibilities of a system component to a substitute component is defined; SI-13(01) system components are taken out of service by transferring component responsibilities to substitute components no later than of mean time to failure. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-13(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing predictable failure prevention; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. SI-13(01)-Interview [SELECT FROM: Organizational personnel responsible for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities]. 
SI-13(01)-Test [SELECT FROM: Organizational processes for managing MTTF; automated mechanisms supporting and/or implementing the transfer of component responsibilities to substitute components]. SI-13(02) PREDICTABLE FAILURE PREVENTION | TIME LIMIT ON PROCESS EXECUTION WITHOUT SUPERVISION [WITHDRAWN: Incorporated into SI-07(16).] SI-13(03) PREDICTABLE FAILURE PREVENTION | MANUAL TRANSFER BETWEEN COMPONENTS ASSESSMENT OBJECTIVE: Determine if: SI-13(03)_ODP the percentage of the mean time to failure for transfers to be manually initiated is defined; SI-13(03) transfers are initiated manually between active and standby system components when the use of the active component reaches of the mean time to failure. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-13(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing predictable failure prevention; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. SI-13(03)-Interview [SELECT FROM: Organizational personnel responsible for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities]. SI-13(03)-Test [SELECT FROM: Organizational processes for managing MTTF and conducting the manual transfer between active and standby components]. 
SI-13(04) PREDICTABLE FAILURE PREVENTION | STANDBY COMPONENT INSTALLATION AND NOTIFICATION ASSESSMENT OBJECTIVE: Determine if: SI-13(04)_ODP[01] time period for standby components to be installed is defined; SI-13(04)_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {activate; automatically shut down the system; }; SI-13(04)_ODP[03] alarm to be activated when system component failures are detected is defined (if selected); SI-13(04)_ODP[04] action to be taken when system component failures are detected is defined (if selected); SI-13(04)(a) the standby components are successfully and transparently installed within if system component failures are detected; SI-13(04)(b) are performed if system component failures are detected. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-13(04)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing predictable failure prevention; system design documentation; system configuration settings and associated documentation; list of actions to be taken once system component failure is detected; system audit records; system security plan; other relevant documents or records]. SI-13(04)-Interview [SELECT FROM: Organizational personnel responsible for MTTF activities; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities]. SI-13(04)-Test [SELECT FROM: Organizational processes for managing MTTF; automated mechanisms supporting and/or implementing the transparent installation of standby components; automated mechanisms supporting and/or implementing alarms or system shutdown if component failures are detected]. 
SI-13(05) PREDICTABLE FAILURE PREVENTION | FAILOVER CAPABILITY ASSESSMENT OBJECTIVE: Determine if: SI-13(05)_ODP[01] one of the following PARAMETER VALUES is selected: {real-time; near real-time}; SI-13(05)_ODP[02] a failover capability for the system has been defined; SI-13(05) is provided for the system. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-13(05)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing predictable failure prevention; system design documentation; system configuration settings and associated documentation; documentation describing the failover capability provided for the system; system audit records; system security plan; other relevant documents or records]. SI-13(05)-Interview [SELECT FROM: Organizational personnel responsible for the failover capability; organizational personnel with information security responsibilities; system/network administrators; organizational personnel with contingency planning responsibilities]. SI-13(05)-Test [SELECT FROM: Organizational processes for managing the failover capability; automated mechanisms supporting and/or implementing the failover capability]. SI-14 NON-PERSISTENCE ASSESSMENT OBJECTIVE: Determine if: SI-14_ODP[01] non-persistent system components and services to be implemented are defined; SI-14_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {upon end of session of use; }; SI-14_ODP[03] the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined (if selected); SI-14[01] non-persistent are initiated in a known state; SI-14[02] non-persistent are terminated . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-14-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing non-persistence for system components; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. SI-14-Interview [SELECT FROM: Organizational personnel responsible for non-persistence; organizational personnel with information security responsibilities; system/network administrators; system developer]. SI-14-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the initiation and termination of non-persistent components]. SI-14(01) NON-PERSISTENCE | REFRESH FROM TRUSTED SOURCES ASSESSMENT OBJECTIVE: Determine if: SI-14(01)_ODP trusted sources to obtain software and data for system component and service refreshes are defined; SI-14(01) the software and data employed during system component and service refreshes are obtained from . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-14(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing non-persistence for system components; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. SI-14(01)-Interview [SELECT FROM: Organizational personnel responsible for obtaining component and service refreshes from trusted sources; organizational personnel with information security responsibilities]. SI-14(01)-Test [SELECT FROM: Organizational processes for defining and obtaining component and service refreshes from trusted sources; automated mechanisms supporting and/or implementing component and service refreshes]. 
SI-14(02) NON-PERSISTENCE | NON-PERSISTENT INFORMATION ASSESSMENT OBJECTIVE: Determine if: SI-14(02)_ODP[01] one of the following PARAMETER VALUES is selected: {refresh; generate on demand}; SI-14(02)_ODP[02] the information to be refreshed is defined (if selected); SI-14(02)_ODP[03] the frequency at which to refresh information is defined (if selected); SI-14(02)_ODP[04] the information to be generated is defined (if selected); SI-14(02)(a) is performed; SI-14(02)(b) information is deleted when no longer needed. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-14(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing non-persistence for system components; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. SI-14(02)-Interview [SELECT FROM: Organizational personnel responsible for ensuring that information is and remains non-persistent; organizational personnel with information security responsibilities]. SI-14(02)-Test [SELECT FROM: Organizational processes for ensuring that information is and remains non-persistent; automated mechanisms supporting and/or implementing component and service refreshes]. SI-14(03) NON-PERSISTENCE | NON-PERSISTENT CONNECTIVITY ASSESSMENT OBJECTIVE: Determine if: SI-14(03)_ODP one of the following PARAMETER VALUES is selected: {completion of a request; a period of non-use}; SI-14(03)[01] connections to the system are established on demand; SI-14(03)[02] connections to the system are terminated after . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-14(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing non-persistence for system components; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. SI-14(03)-Interview [SELECT FROM: Organizational personnel responsible for limiting persistent connections; organizational personnel with information security responsibilities]. SI-14(03)-Test [SELECT FROM: Organizational processes for limiting persistent connections; automated mechanisms supporting and/or implementing non-persistent connectivity]. SI-15 INFORMATION OUTPUT FILTERING ASSESSMENT OBJECTIVE: Determine if: SI-15_ODP software programs and/or applications whose information output requires validation are defined; SI-15 information output from is validated to ensure that the information is consistent with the expected content. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-15-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing information output filtering; system design documentation; system configuration settings and associated documentation; system audit records; system security plan; other relevant documents or records]. SI-15-Interview [SELECT FROM: Organizational personnel responsible for validating information output; organizational personnel with information security responsibilities; system/network administrators; system developer]. SI-15-Test [SELECT FROM: Organizational processes for validating information output; automated mechanisms supporting and/or implementing information output validation]. 
SI-16 MEMORY PROTECTION ASSESSMENT OBJECTIVE: Determine if: SI-16_ODP controls to be implemented to protect the system memory from unauthorized code execution are defined; SI-16 are implemented to protect the system memory from unauthorized code execution. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-16-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; procedures addressing memory protection for the system; system design documentation; system configuration settings and associated documentation; list of security safeguards protecting system memory from unauthorized code execution; system audit records; system security plan; other relevant documents or records]. SI-16-Interview [SELECT FROM: Organizational personnel responsible for memory protection; organizational personnel with information security responsibilities; system/network administrators; system developer]. SI-16-Test [SELECT FROM: Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution]. SI-17 FAIL-SAFE PROCEDURES ASSESSMENT OBJECTIVE: Determine if: SI-17_ODP[01] fail-safe procedures associated with failure conditions are defined; SI-17_ODP[02] a list of failure conditions requiring fail-safe procedures is defined; SI-17 are implemented when occur. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-17-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; documentation addressing fail-safe procedures for the system; system design documentation; system configuration settings and associated documentation; list of security safeguards protecting the system memory from unauthorized code execution; system audit records; system security plan; other relevant documents or records]. 
SI-17-Interview [SELECT FROM: Organizational personnel responsible for fail-safe procedures; organizational personnel with information security responsibilities; system/network administrators; system developer]. SI-17-Test [SELECT FROM: Organizational fail-safe procedures; automated mechanisms supporting and/or implementing fail-safe procedures]. SI-18 PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS ASSESSMENT OBJECTIVE: Determine if: SI-18_ODP[01] the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined; SI-18_ODP[02] the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined; SI-18_ODP[03] the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined; SI-18_ODP[04] the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined; SI-18a.[01] the accuracy of personally identifiable information across the information life cycle is checked ; SI-18a.[02] the relevance of personally identifiable information across the information life cycle is checked ; SI-18a.[03] the timeliness of personally identifiable information across the information life cycle is checked ; SI-18a.[04] the completeness of personally identifiable information across the information life cycle is checked ; SI-18b. inaccurate or outdated personally identifiable information is corrected or deleted. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-18-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; documentation addressing personally identifiable information quality operations; quality reports; maintenance logs; system audit records; audit findings; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-18-Interview [SELECT FROM: Organizational personnel responsible for performing personally identifiable information quality inspections; organizational personnel with information security responsibilities; organizational personnel with privacy responsibilities]. SI-18-Test [SELECT FROM: Organizational processes for personally identifiable information quality inspection; automated mechanisms supporting and/or implementing personally identifiable information quality operations]. SI-18(01) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | AUTOMATION SUPPORT ASSESSMENT OBJECTIVE: Determine if: SI-18(01)_ODP automated mechanisms used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified are defined; SI-18(01) are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-18(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; documentation addressing personally identifiable information quality operations; quality reports; maintenance logs; system audit records; audit findings; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-18(01)-Interview [SELECT FROM: Organizational personnel responsible for performing personally identifiable information quality inspections; organizational personnel with information security and privacy responsibilities]. SI-18(01)-Test [SELECT FROM: Organizational processes for personally identifiable information quality inspection; automated mechanisms supporting and/or implementing personally identifiable information quality operations]. SI-18(02) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | DATA TAGS ASSESSMENT OBJECTIVE: Determine if: SI-18(02) data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-18(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; procedures addressing data tagging; personally identifiable information inventory; system audit records; audit findings; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-18(02)-Interview [SELECT FROM: Organizational personnel responsible for tagging data; organizational personnel with information security and privacy responsibilities]. 
SI-18(02)-Test [SELECT FROM: Data tagging mechanisms; automated mechanisms supporting and/or implementing data tagging]. SI-18(03) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | COLLECTION ASSESSMENT OBJECTIVE: Determine if: SI-18(03) personally identifiable information is collected directly from the individual. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-18(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; system configuration documentation; system audit records; user interface where personally identifiable information is collected; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-18(03)-Interview [SELECT FROM: Organizational personnel responsible for data collection; organizational personnel with information security and privacy responsibilities]. SI-18(03)-Test [SELECT FROM: Data collection mechanisms; automated mechanisms supporting and/or validating collection directly from the individual]. SI-18(04) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | INDIVIDUAL REQUESTS ASSESSMENT OBJECTIVE: Determine if: SI-18(04) personally identifiable information is corrected or deleted upon request by individuals or their designated representatives. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-18(04)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; system configuration; individual requests; records of correction or deletion actions performed; system audit records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. 
SI-18(04)-Interview [SELECT FROM: Organizational personnel responsible for responding to individual requests for personally identifiable information correction or deletion; organizational personnel with information security and privacy responsibilities]. SI-18(04)-Test [SELECT FROM: Request mechanisms; automated mechanisms supporting and/or implementing individual requests for correction or deletion]. SI-18(05) PERSONALLY IDENTIFIABLE INFORMATION QUALITY OPERATIONS | NOTICE OF CORRECTION OR DELETION ASSESSMENT OBJECTIVE: Determine if: SI-18(05)_ODP recipients of personally identifiable information to be notified when the personally identifiable information has been corrected or deleted are defined; SI-18(05) and individuals are notified when the personally identifiable information has been corrected or deleted. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-18(05)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; system configuration; individual requests for corrections or deletions; notifications of correction or deletion action; system audit records; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-18(05)-Interview [SELECT FROM: Organizational personnel responsible for sending correction or deletion notices; organizational personnel with information security and privacy responsibilities]. SI-18(05)-Test [SELECT FROM: Organizational processes for notifications of correction or deletion; automated mechanisms supporting and/or implementing notifications of correction or deletion]. SI-19 DE-IDENTIFICATION ASSESSMENT OBJECTIVE: Determine if: SI-19_ODP[01] elements of personally identifiable information to be removed from datasets are defined; SI-19_ODP[02] the frequency at which to evaluate the effectiveness of de-identification is defined; SI-19a. 
are removed from datasets; SI-19b. the effectiveness of de-identification is evaluated . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; system configuration; datasets with personally identifiable information removed; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19-Interview [SELECT FROM: Organizational personnel responsible for identifying unnecessary identifiers; organizational personnel responsible for removing personally identifiable information from datasets; organizational personnel with information security and privacy responsibilities]. SI-19-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the removal of personally identifiable information elements]. SI-19(01) DE-IDENTIFICATION | COLLECTION ASSESSMENT OBJECTIVE: Determine if: SI-19(01) the dataset is de-identified upon collection by not collecting personally identifiable information. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(01)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; procedures for minimizing the collection of personally identifiable information; system configuration; data collection mechanisms; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19(01)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with information security and privacy responsibilities]. SI-19(01)-Test [SELECT FROM: Automated mechanisms preventing the collection of personally identifiable information]. 
SI-19(02) DE-IDENTIFICATION | ARCHIVING ASSESSMENT OBJECTIVE: Determine if: SI-19(02) the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(02)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; system configuration documentation; data archiving mechanisms; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19(02)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with dataset archival responsibilities; organizational personnel with information security and privacy responsibilities]. SI-19(02)-Test [SELECT FROM: Automated mechanisms prohibiting the archival of personally identifiable information elements]. SI-19(03) DE-IDENTIFICATION | RELEASE ASSESSMENT OBJECTIVE: Determine if: SI-19(03) personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(03)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; procedures for minimizing the release of personally identifiable information; system configuration; data release mechanisms; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. 
SI-19(03)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with information security and privacy responsibilities]. SI-19(03)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the removal of personally identifiable information elements from a dataset]. SI-19(04) DE-IDENTIFICATION | REMOVAL, MASKING, ENCRYPTION, HASHING, OR REPLACEMENT OF DIRECT IDENTIFIERS ASSESSMENT OBJECTIVE: Determine if: SI-19(04) direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(04)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; system configuration; documentation of de-identified datasets; tools for the removal, masking, encryption, hashing or replacement of direct identifiers; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19(04)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with information security and privacy responsibilities]. SI-19(04)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the removal, masking, encryption, hashing or replacement of direct identifiers]. SI-19(05) DE-IDENTIFICATION | STATISTICAL DISCLOSURE CONTROL ASSESSMENT OBJECTIVE: Determine if: SI-19(05)[01] numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis; SI-19(05)[02] contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis; SI-19(05)[03] statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(05)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; system configuration; de-identified datasets; statistical analysis report; tools for the control of statistical disclosure; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19(05)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with information security and privacy responsibilities]. SI-19(05)-Test [SELECT FROM: Automated mechanisms supporting and/or implementing the control of statistical disclosure]. SI-19(06) DE-IDENTIFICATION | DIFFERENTIAL PRIVACY ASSESSMENT OBJECTIVE: Determine if: SI-19(06) the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(06)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; system configuration; de-identified datasets; differential privacy tools; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19(06)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with information security and privacy responsibilities]. SI-19(06)-Test [SELECT FROM: Online query systems; automated mechanisms supporting and/or implementing differential privacy]. 
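As an added illustration of the techniques named in SI-19(04) (hashing and masking of direct identifiers) and SI-19(06) (non-deterministic noise added to reported results), and not part of SP 800-53A itself: the sample records, the pseudonymization key and all function names below are constructed for this example, and the residual-identifier check is one way an assessor might verify a de-identified extract.

```python
"""Worked example for SI-19(04) and SI-19(06): pseudonymize direct identifiers
with a keyed hash, mask a quasi-identifier, and report a differentially private
count. Every dataset value and the key are constructed for illustration."""
import hashlib
import hmac
import math
import random
import re
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]

# Constructed sample records; these are not real individuals.
SAMPLE_RECORDS: List[Record] = [
    {"ssn": "123-45-6789", "email": "ann@example.org", "zip": "20899", "visits": "3"},
    {"ssn": "987-65-4321", "email": "bob@example.org", "zip": "20878", "visits": "7"},
    {"ssn": "555-12-3456", "email": "cy@example.net", "zip": "20899", "visits": "1"},
]

# Fields this dataset treats as direct identifiers (the SI-19(04) scope).
DIRECT_IDENTIFIERS = ("ssn", "email")

# Constructed pseudonymization key. In practice generate it with
# secrets.token_bytes(32) and store it apart from the de-identified dataset.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).

    An unkeyed hash is not an adequate replacement for a low-entropy identifier:
    the whole SSN space can be hashed and matched against the dataset. The key
    keeps the mapping consistent (one person links across records) while making
    it infeasible to invert without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_zip(zip_code: str) -> str:
    """Generalize a 5-digit ZIP to its 3-digit prefix (masking, not removal)."""
    return zip_code[:3] + "**"


def deidentify(records: List[Record], key: bytes) -> List[Record]:
    """Return a copy of the records with direct identifiers replaced and ZIP masked."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if field in new:
                new[field] = pseudonymize(new[field], key)
        if "zip" in new:
            new["zip"] = mask_zip(new["zip"])
        out.append(new)
    return out


def residual_direct_identifiers(records: List[Record]) -> List[str]:
    """Values that still look like raw SSNs or e-mail addresses after de-identification."""
    found = []
    for rec in records:
        for value in rec.values():
            if SSN_RE.search(value) or EMAIL_RE.search(value):
                found.append(value)
    return found


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverting its CDF."""
    u = rng.random() - 0.5
    while u == -0.5:  # avoid log(0) on the measure-zero edge case
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def exact_count(records: List[Record], predicate: Callable[[Record], bool]) -> int:
    return sum(1 for rec in records if predicate(rec))


def noisy_count(records: List[Record], predicate: Callable[[Record], bool],
                epsilon: float, rng: Optional[random.Random] = None) -> float:
    """Epsilon-differentially-private count via the Laplace mechanism.

    A count has sensitivity 1 (adding or removing one record changes it by at
    most 1), so Laplace noise of scale 1/epsilon gives epsilon-DP. The default
    generator is OS-seeded so the noise is non-deterministic, as SI-19(06) asks.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    rng = rng if rng is not None else random.SystemRandom()
    sensitivity = 1.0
    return exact_count(records, predicate) + laplace_noise(sensitivity / epsilon, rng)


if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORDS, PSEUDONYM_KEY)
    print(clean)
    print("residual identifiers:", residual_direct_identifiers(clean))
    print(noisy_count(clean, lambda r: r["zip"] == "208**", epsilon=1.0))
```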
SI-19(07) DE-IDENTIFICATION | VALIDATED ALGORITHMS AND SOFTWARE ASSESSMENT OBJECTIVE: Determine if: SI-19(07)[01] de-identification is performed using validated algorithms; SI-19(07)[02] de-identification is performed using software that is validated to implement the algorithms. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(07)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; system configuration; de-identified datasets; algorithm and software validation tools; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19(07)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with information security and privacy responsibilities]. SI-19(07)-Test [SELECT FROM: Validated algorithms and software]. SI-19(08) DE-IDENTIFICATION | MOTIVATED INTRUDER ASSESSMENT OBJECTIVE: Determine if: SI-19(08) a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-19(08)-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; de-identification procedures; system configuration; motivated intruder test procedures; de-identified datasets; system security plan; privacy plan; privacy impact assessment; privacy risk assessment documentation; other relevant documents or records]. SI-19(08)-Interview [SELECT FROM: Organizational personnel responsible for de-identifying the dataset; organizational personnel with information security and privacy responsibilities]. SI-19(08)-Test [SELECT FROM: Motivated intruder test]. 
SI-20 TAINTING ASSESSMENT OBJECTIVE: Determine if: SI-20_ODP the systems or system components with data or capabilities to be embedded are defined; SI-20 data or capabilities are embedded in to determine if organizational data has been exfiltrated or improperly removed from the organization. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-20-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; procedures addressing software and information integrity; system design documentation; system configuration settings and associated documentation; policy and procedures addressing the systems security engineering technique of deception; system security plan; privacy plan; other relevant documents or records]. SI-20-Interview [SELECT FROM: Organizational personnel responsible for detecting tainted data; organizational personnel with systems security engineering responsibilities; organizational personnel with information security and privacy responsibilities]. SI-20-Test [SELECT FROM: Automated mechanisms for post-breach detection; decoys, traps, lures, and methods for deceiving adversaries; detection and notification mechanisms]. SI-21 INFORMATION REFRESH ASSESSMENT OBJECTIVE: Determine if: SI-21_ODP[01] the information to be refreshed is defined; SI-21_ODP[02] the frequencies at which to refresh information are defined; SI-21 the is refreshed or is generated on demand and deleted when no longer needed. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-21-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; procedures addressing software and information integrity; system design documentation; system configuration settings and associated documentation; information refresh procedures; list of information to be refreshed; system security plan; privacy plan; other relevant documents or records]. SI-21-Interview [SELECT FROM: Organizational personnel responsible for refreshing information; organizational personnel with information security and privacy responsibilities; organizational personnel with systems security engineering responsibilities; system developers]. SI-21-Test [SELECT FROM: Mechanisms for information refresh; organizational processes for information refresh]. SI-22 INFORMATION DIVERSITY ASSESSMENT OBJECTIVE: Determine if: SI-22_ODP[01] alternative information sources for essential functions and services are defined; SI-22_ODP[02] essential functions and services that require alternative sources of information are defined; SI-22_ODP[03] systems or system components that require an alternative information source for the execution of essential functions or services are defined; SI-22a. for are identified; SI-22b. an alternative information source is used for the execution of essential functions or services on when the primary source of information is corrupted or unavailable. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-22-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; system design documentation; system configuration settings and associated documentation; list of information sources; system security plan; privacy plan; other relevant documents or records]. 
SI-22-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with systems security engineering responsibilities; system developers]. SI-22-Test [SELECT FROM: Automated methods and mechanisms to convert information from an analog to digital medium]. SI-23 INFORMATION FRAGMENTATION ASSESSMENT OBJECTIVE: Determine if: SI-23_ODP[01] circumstances that require information fragmentation are defined; SI-23_ODP[02] the information to be fragmented is defined; SI-23_ODP[03] systems or system components across which the fragmented information is to be distributed are defined; SI-23a. under , is fragmented; SI-23b. under , the fragmented information is distributed across . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SI-23-Examine [SELECT FROM: System and information integrity policy; system and information integrity procedures; personally identifiable information processing policy; procedures addressing software and information integrity; system design documentation; system configuration settings and associated documentation; procedures to identify information for fragmentation and distribution across systems/system components; list of distributed and fragmented information; list of circumstances requiring information fragmentation; enterprise architecture; system security architecture; system security plan; privacy plan; other relevant documents or records]. SI-23-Interview [SELECT FROM: Organizational personnel with information security and privacy responsibilities; organizational personnel with systems security engineering responsibilities; system developers; security architects]. SI-23-Test [SELECT FROM: Organizational processes to identify information for fragmentation and distribution across systems/system components; automated mechanisms supporting and/or implementing information fragmentation and distribution across systems/system components]. 
4.20 Supply Chain Risk Management

SR-01 POLICY AND PROCEDURES ASSESSMENT OBJECTIVE: Determine if: SR-01_ODP[01] personnel or roles to whom the supply chain risk management policy is to be disseminated is/are defined; SR-01_ODP[02] personnel or roles to whom the supply chain risk management procedures are to be disseminated is/are defined; SR-01_ODP[03] one or more of the following PARAMETER VALUES is/are selected: {organization-level; mission/business process-level; system-level}; SR-01_ODP[04] an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined; SR-01_ODP[05] the frequency at which the current supply chain risk management policy is reviewed and updated is defined; SR-01_ODP[06] events that require the current supply chain risk management policy to be reviewed and updated are defined; SR-01_ODP[07] the frequency at which the current supply chain risk management procedures are reviewed and updated is defined; SR-01_ODP[08] events that require the supply chain risk management procedures to be reviewed and updated are defined; SR-01a.[01] a supply chain risk management policy is developed and documented; SR-01a.[02] the supply chain risk management policy is disseminated to ; SR-01a.[03] supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented; SR-01a.[04] the supply chain risk management procedures are disseminated to . 
SR-01a.01(a)[01] the supply chain risk management policy addresses purpose; SR-01a.01(a)[02] the supply chain risk management policy addresses scope; SR-01a.01(a)[03] the supply chain risk management policy addresses roles; SR-01a.01(a)[04] the supply chain risk management policy addresses responsibilities; SR-01a.01(a)[05] the supply chain risk management policy addresses management commitment; SR-01a.01(a)[06] the supply chain risk management policy addresses coordination among organizational entities; SR-01a.01(a)[07] the supply chain risk management policy addresses compliance; SR-01a.01(b) the supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; SR-01b. the is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; SR-01c.01[01] the current supply chain risk management policy is reviewed and updated ; SR-01c.01[02] the current supply chain risk management policy is reviewed and updated following ; SR-01c.02[01] the current supply chain risk management procedures are reviewed and updated ; SR-01c.02[02] the current supply chain risk management procedures are reviewed and updated following . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-01-Examine [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; system security plan; privacy plan; other relevant documents or records]. SR-01-Interview [SELECT FROM: Organizational personnel with supply chain risk management responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with acquisition responsibilities; organizational personnel with enterprise risk management responsibilities]. 
SR-02 SUPPLY CHAIN RISK MANAGEMENT PLAN ASSESSMENT OBJECTIVE: Determine if: SR-02_ODP[01] systems, system components, or system services for which a supply chain risk management plan is developed are defined; SR-02_ODP[02] the frequency at which to review and update the supply chain risk management plan is defined; SR-02a.[01] a plan for managing supply chain risks is developed; SR-02a.[02] the supply chain risk management plan addresses risks associated with the research and development of ; SR-02a.[03] the supply chain risk management plan addresses risks associated with the design of ; SR-02a.[04] the supply chain risk management plan addresses risks associated with the manufacturing of ; SR-02a.[05] the supply chain risk management plan addresses risks associated with the acquisition of ; SR-02a.[06] the supply chain risk management plan addresses risks associated with the delivery of ; SR-02a.[07] the supply chain risk management plan addresses risks associated with the integration of ; SR-02a.[08] the supply chain risk management plan addresses risks associated with the operation of ; the supply chain risk management plan addresses risks associated with the maintenance of ; SR-02a.[09] the supply chain risk management plan addresses risks associated with the disposal of ; SR-02b. the supply chain risk management plan is reviewed and updated or as required to address threat, organizational, or environmental changes; SR-02c.[01] the supply chain risk management plan is protected from unauthorized disclosure; SR-02c.[02] the supply chain risk management plan is protected from unauthorized modification. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-02-Examine [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management plan; system and services acquisition policy; system and services acquisition procedures; procedures addressing supply chain protection; procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification; system development life cycle procedures; procedures addressing the integration of information security and privacy requirements into the acquisition process; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; list of supply chain threats; list of safeguards to be taken against supply chain threats; system life cycle documentation; inter-organizational agreements and procedures; system security plan; privacy plan; privacy program plan; other relevant documents or records]. SR-02-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-02-Test [SELECT FROM: Organizational processes for defining and documenting the system development life cycle (SDLC); organizational processes for identifying SDLC roles and responsibilities; organizational processes for integrating supply chain risk management into the SDLC; automated mechanisms supporting and/or implementing the SDLC]. SR-02(01) SUPPLY CHAIN RISK MANAGEMENT PLAN | ESTABLISH SCRM TEAM ASSESSMENT OBJECTIVE: Determine if: SR-02(01)_ODP[01] the personnel, roles, and responsibilities of the supply chain risk management team are defined; SR-02(01)_ODP[02] supply chain risk management activities are defined; SR-02(01) a supply chain risk management team consisting of is established to lead and support . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-02(01)-Examine [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management team charter documentation; supply chain risk management strategy; supply chain risk management implementation plan; procedures addressing supply chain protection; system security plan; privacy plan; other relevant documents or records]. SR-02(01)-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with enterprise risk management responsibilities; legal counsel; organizational personnel with business continuity responsibilities]. SR-03 SUPPLY CHAIN CONTROLS AND PROCESSES ASSESSMENT OBJECTIVE: Determine if: SR-03_ODP[01] the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined; SR-03_ODP[02] supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined; SR-03_ODP[03] supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined; SR-03_ODP[04] one or more of the following PARAMETER VALUES is/are selected: {security and privacy plans; supply chain risk management plan; }; SR-03_ODP[05] the document identifying the selected and implemented supply chain processes and controls is defined (if selected); SR-03a.[01] a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of ; SR-03a.[02] the process or processes to identify and address weaknesses or deficiencies in the supply chain 
elements and processes of is/are coordinated with ; SR-03b. are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events; SR-03c. the selected and implemented supply chain processes and controls are documented in . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-03-Examine [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management strategy; supply chain risk management plan; systems and critical system components inventory documentation; system and services acquisition policy; system and services acquisition procedures; procedures addressing the integration of information security and privacy requirements into the acquisition process; solicitation documentation; acquisition documentation (including purchase orders); service level agreements; acquisition contracts for systems or services; risk register documentation; system security plan; privacy plan; other relevant documents or records]. SR-03-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-03-Test [SELECT FROM: Organizational processes for identifying and addressing supply chain element and process deficiencies]. SR-03(01) SUPPLY CHAIN CONTROLS AND PROCESSES | DIVERSE SUPPLY BASE ASSESSMENT OBJECTIVE: Determine if: SR-03(01)_ODP[01] system components with a diverse set of sources are defined; SR-03(01)_ODP[02] services with a diverse set of sources are defined; SR-03(01)[01] a diverse set of sources is employed for ; SR-03(01)[02] a diverse set of sources is employed for . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-03(01)-Examine [SELECT FROM: Supply chain risk management policy and procedures; system and services acquisition policy; planning policy; procedures addressing supply chain protection; physical inventory of critical systems and system components; inventory of critical suppliers, service providers, developers, and contracts; inventory records of critical system components; list of security safeguards ensuring an adequate supply of critical system components; system security plan; other relevant documents or records]. SR-03(01)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities]. SR-03(01)-Test [SELECT FROM: Organizational processes for defining and employing security safeguards to ensure an adequate supply of critical system components; processes to identify critical suppliers; automated mechanisms supporting and/or implementing the security safeguards that ensure an adequate supply of critical system components]. SR-03(02) SUPPLY CHAIN CONTROLS AND PROCESSES | LIMITATION OF HARM ASSESSMENT OBJECTIVE: Determine if: SR-03(02)_ODP controls to limit harm from potential supply chain adversaries are defined; SR-03(02) are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-03(02)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; configuration management policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; procedures addressing the baseline configuration of the system; configuration management plan; system design documentation; system architecture and associated configuration documentation; solicitation documentation; acquisition documentation; acquisition contracts for the system, system component, or system service; threat assessments; vulnerability assessments; list of security safeguards to be taken to protect the organizational supply chain against potential supply chain threats; system security plan; other relevant documents or records]. SR-03(02)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-03(02)-Test [SELECT FROM: Organizational processes for defining and employing safeguards to limit harm from adversaries of the organizational supply chain; automated mechanisms supporting and/or implementing the definition and employment of safeguards to protect the organizational supply chain]. SR-03(03) SUPPLY CHAIN CONTROLS AND PROCESSES | SUB-TIER FLOW DOWN ASSESSMENT OBJECTIVE: Determine if: SR-03(03) the controls included in the contracts of prime contractors are also included in the contracts of subcontractors. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-03(03)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; system security plan; other relevant documents or records]. SR-03(03)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-03(03)-Test [SELECT FROM: Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities]. SR-04 PROVENANCE ASSESSMENT OBJECTIVE: Determine if: SR-04_ODP systems, system components, and associated data that require valid provenance are defined; SR-04[01] valid provenance is documented for ; SR-04[02] valid provenance is monitored for ; SR-04[03] valid provenance is maintained for . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-04-Examine [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management plan; documentation of critical systems, critical system components, and associated data; documentation showing the history of ownership, custody, and location of and changes to critical systems or critical system components; system architecture; inter-organizational agreements and procedures; contracts; system security plan; privacy plan; personally identifiable information processing policy; other relevant documents or records]. 
SR-04-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-04-Test [SELECT FROM: Organizational processes for identifying the provenance of critical systems and critical system components; automated mechanisms used to document, monitor, or maintain provenance]. SR-04(01) PROVENANCE | IDENTITY ASSESSMENT OBJECTIVE: Determine if: SR-04(01)_ODP supply chain elements, processes, and personnel associated with systems and critical system components that require unique identification are defined; SR-04(01)[01] unique identification of is established; SR-04(01)[02] unique identification of is maintained. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-04(01)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; list of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and/or configurations; system security plan; other relevant documents or records]. SR-04(01)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities; organizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors]. 
SR-04(01)-Test [SELECT FROM: Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors; automated mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors]. SR-04(02) PROVENANCE | TRACK AND TRACE ASSESSMENT OBJECTIVE: Determine if: SR-04(02)_ODP systems and critical system components that require unique identification for tracking through the supply chain are defined; SR-04(02)[01] the unique identification of is established for tracking through the supply chain; SR-04(02)[02] the unique identification of is maintained for tracking through the supply chain. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-04(02)-Examine [SELECT FROM: Supply chain risk management policy and procedures; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; supply chain risk management plan; list of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and/or configurations; system security plan; other relevant documents or records]. SR-04(02)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities; organizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors]. 
SR-04(02)-Test [SELECT FROM: Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors; automated mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors]. SR-04(03) PROVENANCE | VALIDATE AS GENUINE AND NOT ALTERED ASSESSMENT OBJECTIVE: Determine if: SR-04(03)_ODP[01] controls to validate that the system or system component received is genuine are defined; SR-04(03)_ODP[02] controls to validate that the system or system component received has not been altered are defined; SR-04(03)[01] are employed to validate that the system or system component received is genuine; SR-04(03)[02] are employed to validate that the system or system component received has not been altered. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-04(03)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing the security design principle of trusted components used in the specification, design, development, implementation, and modification of the system; system design documentation; procedures addressing the integration of information security requirements into the acquisition process; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; evidentiary documentation (including applicable configurations) indicating that the system or system component is genuine and has not been altered; system security plan; other relevant documents or records]. 
SR-04(03)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-04(03)-Test [SELECT FROM: Organizational processes for defining and employing validation safeguards; automated mechanisms supporting and/or implementing the definition and employment of validation safeguards; automated mechanisms supporting the application of the security design principle of trusted components in system specification, design, development, implementation, and modification]. SR-04(04) PROVENANCE | SUPPLY CHAIN INTEGRITY — PEDIGREE ASSESSMENT OBJECTIVE: Determine if: SR-04(04)_ODP[01] controls employed to ensure the integrity of the system and system components are defined; SR-04(04)_ODP[02] an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products, and services to ensure the integrity of the system and system component is defined; SR-04(04)[01] are employed to ensure the integrity of the system and system components; SR-04(04)[02] is conducted to ensure the integrity of the system and system components. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-04(04)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; bill of materials for critical systems or system components; acquisition documentation; software identification tags; manufacturer declarations of platform attributes (e.g., serial numbers, hardware component inventory) and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself; system security plan; other relevant documents or records]. 
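The acceptance check that SR-04(03) (genuine and not altered) and SR-04(04) (pedigree: internal composition and hardware-bound measurements) ask an assessor to see evidence of, as an added example that is not part of SP 800-53A and not any manufacturer's or vendor's tooling: it compares a received unit's measured serial number, component inventory and firmware hashes against a manufacturer platform declaration, after first confirming that the declaration itself matches a digest obtained out of band. The declaration format and field names, the sample firmware images, the inventory and the out-of-band digest are all constructed for this example; a real deployment would substitute the manufacturer's signed declaration and the platform's own measurement source (for example, a hardware root of trust), and the validation for SR-04(03) would rest on verifying the manufacturer's signature rather than a pinned digest.

```python
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_digest(declaration: Dict) -> str:
    """Digest of the declaration serialized canonically (sorted keys, no
    whitespace) so it can be compared with a value obtained out of band."""
    canon = json.dumps(declaration, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canon)


# Constructed sample firmware images for the declared components (not real firmware).
GENUINE_FIRMWARE = {
    "bmc": b"constructed sample image: bmc firmware v2.1.0",
    "nic": b"constructed sample image: nic firmware v7.4",
    "uefi": b"constructed sample image: uefi build 2024.03",
}

# Constructed manufacturer declaration: platform attributes (serial number,
# component inventory) and measurements (firmware hashes). Field names are
# assumptions for this example, not any vendor's schema.
DECLARATION = {
    "serial_number": "SN-EXAMPLE-0001",
    "components": {
        "bmc": {"model": "ExampleBMC-200", "firmware_sha256": sha256_hex(GENUINE_FIRMWARE["bmc"])},
        "nic": {"model": "ExampleNIC-10G", "firmware_sha256": sha256_hex(GENUINE_FIRMWARE["nic"])},
        "uefi": {"model": "ExampleUEFI", "firmware_sha256": sha256_hex(GENUINE_FIRMWARE["uefi"])},
    },
}
GENUINE_INVENTORY = {name: entry["model"] for name, entry in DECLARATION["components"].items()}

# Digest the receiving organization would obtain out of band (e.g., from the
# manufacturer's portal). Computed locally here only because the sample is constructed.
PINNED_DECLARATION_DIGEST = canonical_digest(DECLARATION)


def measure_received(serial_number: str, inventory: Dict[str, str],
                     firmware_images: Dict[str, bytes]) -> Dict:
    """Measurement record taken from the unit actually received."""
    return {
        "serial_number": serial_number,
        "inventory": dict(inventory),
        "firmware_sha256": {name: sha256_hex(img) for name, img in firmware_images.items()},
    }


def verify_received(declaration: Dict, pinned_digest: str, measured: Dict) -> List[str]:
    """Return a list of findings; an empty list means the unit matches its declaration."""
    findings: List[str] = []
    # 1. Do not trust the declaration's contents until the declaration itself is unaltered.
    if canonical_digest(declaration) != pinned_digest:
        return ["declaration digest does not match the out-of-band value"]
    # 2. Identity: the unit is the one the declaration describes.
    if measured["serial_number"] != declaration["serial_number"]:
        findings.append(f"serial number mismatch: declared {declaration['serial_number']}, "
                        f"measured {measured['serial_number']}")
    # 3. Internal composition: no missing, extra, or substituted components.
    declared = declaration["components"]
    for name in sorted(set(declared) | set(measured["inventory"])):
        if name not in declared:
            findings.append(f"undeclared component present: {name}")
        elif name not in measured["inventory"]:
            findings.append(f"declared component missing: {name}")
        elif measured["inventory"][name] != declared[name]["model"]:
            findings.append(f"component {name} model mismatch: declared {declared[name]['model']}, "
                            f"measured {measured['inventory'][name]}")
    # 4. Firmware measurements bound to each declared component.
    for name, entry in declared.items():
        got = measured["firmware_sha256"].get(name)
        if got is None:
            findings.append(f"no firmware measurement for {name}")
        elif got != entry["firmware_sha256"]:
            findings.append(f"firmware hash mismatch for {name}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the check against a genuine unit and a constructed tampered unit."""
    genuine = measure_received("SN-EXAMPLE-0001", GENUINE_INVENTORY, GENUINE_FIRMWARE)
    # Tampered unit: replaced BMC firmware plus an undeclared component.
    tampered_fw = dict(GENUINE_FIRMWARE, bmc=b"constructed sample image: bmc firmware v2.1.0 with implant")
    tampered_inv = dict(GENUINE_INVENTORY, mgmt_dongle="UnknownUSB")
    tampered = measure_received("SN-EXAMPLE-0001", tampered_inv, tampered_fw)
    return {"genuine": verify_received(DECLARATION, PINNED_DECLARATION_DIGEST, genuine),
            "tampered": verify_received(DECLARATION, PINNED_DECLARATION_DIGEST, tampered)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "ACCEPT" if not findings else "REJECT", findings)
```

The check is ordered deliberately: a declaration whose digest does not match is rejected before any of its contents are used, since an altered declaration could otherwise be made to "match" a substituted unit. Every mismatch is collected rather than stopping at the first, which is what an inspection record for SR-04(04)-Test needs to show.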
SR-04(04)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-04(04)-Test [SELECT FROM: Organizational processes for identifying pedigree information; organizational processes to determine and validate the integrity of the internal composition of critical systems and critical system components; automated mechanisms to determine and validate the integrity of the internal composition of critical systems and critical system components]. SR-05 ACQUISITION STRATEGIES, TOOLS, AND METHODS ASSESSMENT OBJECTIVE: Determine if: SR-05_ODP acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined; SR-05 are employed to protect against supply chain risks; are employed to identify supply chain risks; are employed to mitigate supply chain risks. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-05-Examine [SELECT FROM: Supply chain risk management policy; supply chain risk management procedures; supply chain risk management plan; system and services acquisition policy; system and services acquisition procedures; procedures addressing supply chain protection; procedures addressing the integration of information security and privacy requirements into the acquisition process; solicitation documentation; acquisition documentation (including purchase orders); service level agreements; acquisition contracts for systems, system components, or services; documentation of training, education, and awareness programs for personnel regarding supply chain risk; system security plan; privacy plan; other relevant documents or records]. 
SR-05-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-05-Test [SELECT FROM: Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods; automated mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods]. SR-05(01) ACQUISITION STRATEGIES, TOOLS, AND METHODS | ADEQUATE SUPPLY ASSESSMENT OBJECTIVE: Determine if: SR-05(01)_ODP[01] controls to ensure an adequate supply of critical system components are defined; SR-05(01)_ODP[02] critical system components of which an adequate supply is required are defined; SR-05(01) are employed to ensure an adequate supply of . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-05(01)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management strategy; supply chain risk management plan; contingency planning documents; inventory of critical systems and system components; determination of adequate supply; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; procedures addressing the integration of acquisition strategies, contract tools, and procurement methods into the acquisition process; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for systems or services; purchase orders/requisitions for the system, system component, or system service from suppliers; system security plan; other relevant documents or records]. 
SR-05(01)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-05(01)-Test [SELECT FROM: Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods; automated mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods]. SR-05(02) ACQUISITION STRATEGIES, TOOLS, AND METHODS | ASSESSMENTS PRIOR TO SELECTION, ACCEPTANCE, MODIFICATION, OR UPDATE ASSESSMENT OBJECTIVE: Determine if: SR-05(02)[01] the system, system component, or system service is assessed prior to selection; SR-05(02)[02] the system, system component, or system service is assessed prior to acceptance; SR-05(02)[03] the system, system component, or system service is assessed prior to modification; SR-05(02)[04] the system, system component, or system service is assessed prior to update. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-05(02)-Examine [SELECT FROM: System and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; security test and evaluation results; vulnerability assessment results; penetration testing results; organizational risk assessment results; system security plan; other relevant documents or records]. SR-05(02)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities]. 
SR-05(02)-Test [SELECT FROM: Organizational processes for conducting assessments prior to selection, acceptance, or update; automated mechanisms supporting and/or implementing the conducting of assessments prior to selection, acceptance, or update]. SR-06 SUPPLIER ASSESSMENTS AND REVIEWS ASSESSMENT OBJECTIVE: Determine if: SR-06_ODP the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined; SR-06 the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-06-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management strategy; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing the integration of information security requirements into the acquisition process; records of supplier due diligence reviews; system security plan; other relevant documents or records]. SR-06-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities]. SR-06-Test [SELECT FROM: Organizational processes for conducting supplier reviews; automated mechanisms supporting and/or implementing supplier reviews]. 
SR-06(01) SUPPLIER ASSESSMENTS AND REVIEWS | TESTING AND ANALYSIS ASSESSMENT OBJECTIVE: Determine if: SR-06(01)_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {organizational analysis; independent third-party analysis; organizational testing; independent third-party testing}; SR-06(01)_ODP[02] supply chain elements, processes, and actors to be analyzed and tested are defined; SR-06(01) is/are employed on associated with the system, system component, or system service. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-06(01)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; evidence of organizational analysis, independent third-party analysis, organizational penetration testing, and/or independent third-party penetration testing; list of supply chain elements, processes, and actors (associated with the system, system component, or system service) subject to analysis and/or testing; system security plan; other relevant documents or records]. SR-06(01)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with responsibilities for analyzing and/or testing supply chain elements, processes, and actors]. SR-06(01)-Test [SELECT FROM: Organizational processes for defining and employing methods of analysis/testing of supply chain elements, processes, and actors; automated mechanisms supporting and/or implementing the analysis/testing of supply chain elements, processes, and actors]. 
SR-07 SUPPLY CHAIN OPERATIONS SECURITY ASSESSMENT OBJECTIVE: Determine if: SR-07_ODP Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service are defined; SR-07 are employed to protect supply chain-related information for the system, system component, or system service. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-07-Examine [SELECT FROM: Supply chain risk management plan; supply chain risk management procedures; system and services acquisition policy; system and services acquisition procedures; procedures addressing supply chain protection; list of OPSEC controls to be employed; solicitation documentation; acquisition documentation; acquisition contracts for the system, system component, or system service; records of all-source intelligence analyses; system security plan; privacy plan; other relevant documents or records]. SR-07-Interview [SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with OPSEC responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-07-Test [SELECT FROM: Organizational processes for defining and employing OPSEC safeguards; automated mechanisms supporting and/or implementing the definition and employment of OPSEC safeguards]. SR-08 NOTIFICATION AGREEMENTS ASSESSMENT OBJECTIVE: Determine if: SR-08_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {notification of supply chain compromises; }; SR-08_ODP[02] information for which agreements and procedures are to be established are defined (if selected); SR-08 agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for . 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-08-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; system security plan; other relevant documents or records]. SR-08-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-08-Test [SELECT FROM: Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities]. SR-09 TAMPER RESISTANCE AND DETECTION ASSESSMENT OBJECTIVE: Determine if: SR-09 a tamper protection program is implemented for the system, system component, or system service. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-09-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing supply chain protection; procedures addressing tamper resistance and detection; tamper protection program documentation; tamper protection tools and techniques documentation; tamper resistance and detection tools and techniques documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system security plan; other relevant documents or records]. SR-09-Interview [SELECT FROM: Organizational personnel with tamper protection program responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. 
SR-09-Test [SELECT FROM: Organizational processes for the implementation of the tamper protection program; automated mechanisms supporting and/or implementing the tamper protection program]. SR-09(01) TAMPER RESISTANCE AND DETECTION | MULTIPLE STAGES OF SYSTEM DEVELOPMENT LIFE CYCLE ASSESSMENT OBJECTIVE: Determine if: SR-09(01)[01] anti-tamper technologies are employed throughout the system development life cycle; SR-09(01)[02] anti-tamper tools are employed throughout the system development life cycle; SR-09(01)[03] anti-tamper techniques are employed throughout the system development life cycle. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-09(01)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; procedures addressing tamper resistance and detection; tamper protection program documentation; tamper protection tools and techniques documentation; tamper resistance and detection tools (technologies) and techniques documentation; system development life cycle documentation; procedures addressing supply chain protection; system development life cycle procedures; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; system security plan; other relevant documents or records]. SR-09(01)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with SDLC responsibilities]. SR-09(01)-Test [SELECT FROM: Organizational processes for employing anti-tamper technologies; automated mechanisms supporting and/or implementing anti-tamper technologies]. 
SR-10 INSPECTION OF SYSTEMS OR COMPONENTS ASSESSMENT OBJECTIVE: Determine if: SR-10_ODP[01] systems or system components that require inspection are defined; SR-10_ODP[02] one or more of the following PARAMETER VALUES is/are selected: {at random; at; upon}; SR-10_ODP[03] frequency at which to inspect systems or system components is defined (if selected); SR-10_ODP[04] indications of the need for an inspection of systems or system components are defined (if selected); SR-10 are inspected to detect tampering. POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-10-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; records of random inspections; inspection reports/results; assessment reports/results; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; system security plan; other relevant documents or records]. SR-10-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-10-Test [SELECT FROM: Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities; organizational processes to inspect for tampering]. 
SR-11 COMPONENT AUTHENTICITY ASSESSMENT OBJECTIVE: Determine if: SR-11_ODP[01] one or more of the following PARAMETER VALUES is/are selected: {source of counterfeit component; ; }; SR-11_ODP[02] external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected); SR-11_ODP[03] personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected); SR-11a.[01] an anti-counterfeit policy is developed and implemented; SR-11a.[02] anti-counterfeit procedures are developed and implemented; SR-11a.[03] the anti-counterfeit procedures include the means to detect counterfeit components entering the system; SR-11a.[04] the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system; SR-11b. counterfeit system components are reported to . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-11-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; anti-counterfeit plan; anti-counterfeit policy and procedures; media disposal policy; media protection policy; incident response policy; reports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; inter-organizational agreements and procedures; records of reported counterfeit system components; system security plan; other relevant documents or records]. SR-11-Interview [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting]. 
SR-11-Test [SELECT FROM: Organizational processes for counterfeit prevention, detection, and reporting; automated mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting]. SR-11(01) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT TRAINING ASSESSMENT OBJECTIVE: Determine if: SR-11(01)_ODP personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined; SR-11(01) are trained to detect counterfeit system components (including hardware, software, and firmware). POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-11(01)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; system and services acquisition policy; anti-counterfeit plan; anti-counterfeit policy and procedures; media disposal policy; media protection policy; incident response policy; training materials addressing counterfeit system components; training records on the detection and prevention of counterfeit components entering the system; system security plan; other relevant documents or records]. SR-11(01)-Interview [SELECT FROM: Organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training]. SR-11(01)-Test [SELECT FROM: Organizational processes for anti-counterfeit training]. SR-11(02) COMPONENT AUTHENTICITY | CONFIGURATION CONTROL FOR COMPONENT SERVICE AND REPAIR ASSESSMENT OBJECTIVE: Determine if: SR-11(02)_ODP system components requiring configuration control are defined; SR-11(02)[01] configuration control over awaiting service or repair is maintained; SR-11(02)[02] configuration control over serviced or repaired awaiting return to service is maintained. 
POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-11(02)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; configuration control procedures; acquisition documentation; service level agreements; acquisition contracts for the system component; inter-organizational agreements and procedures; system security plan; other relevant documents or records]. SR-11(02)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities]. SR-11(02)-Test [SELECT FROM: Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities; organizational configuration control processes]. SR-11(03) COMPONENT AUTHENTICITY | ANTI-COUNTERFEIT SCANNING ASSESSMENT OBJECTIVE: Determine if: SR-11(03)_ODP the frequency at which to scan for counterfeit system components is defined; SR-11(03) scanning for counterfeit system components is conducted . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-11(03)-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; anti-counterfeit policy and procedures; system design documentation; system configuration settings and associated documentation; scanning tools and associated documentation; scanning results; procedures addressing supply chain protection; acquisition documentation; inter-organizational agreements and procedures; system security plan; other relevant documents or records]. 
SR-11(03)-Interview [SELECT FROM: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities; organizational personnel with responsibilities for anti-counterfeit policies and procedures; organizational personnel with responsibility for anti-counterfeit scanning]. SR-11(03)-Test [SELECT FROM: Organizational processes for scanning for counterfeit system components; automated mechanisms supporting and/or implementing anti-counterfeit scanning]. SR-12 COMPONENT DISPOSAL ASSESSMENT OBJECTIVE: Determine if: SR-12_ODP[01] data, documentation, tools, or system components to be disposed of are defined; SR-12_ODP[02] techniques and methods for disposing of data, documentation, tools, or system components are defined; SR-12 are disposed of using . POTENTIAL ASSESSMENT METHODS AND OBJECTS: SR-12-Examine [SELECT FROM: Supply chain risk management policy and procedures; supply chain risk management plan; disposal procedures addressing supply chain protection; media disposal policy; media protection policy; disposal records for system components; documentation of the system components identified for disposal; documentation of the disposal techniques and methods employed for system components; system security plan; other relevant documents or records]. SR-12-Interview [SELECT FROM: Organizational personnel with system component disposal responsibilities; organizational personnel with information security responsibilities; organizational personnel with supply chain protection responsibilities]. SR-12-Test [SELECT FROM: Organizational techniques and methods for system component disposal; automated mechanisms supporting and/or implementing system component disposal].