NIST SP 800-171 Compliance
The Department of Defense (DoD) has begun requiring NIST SP 800-171 compliance in its contracts; all research projects governed by a DoD contract must comply with NIST SP 800-171 by December 2017. The requirements for protecting Controlled Unclassified Information (CUI) can be complex and difficult to implement. The matrix below lists each requirement with the institution's recommended implementation; the last column is left for notes on the assessed system.
NIST 800-171 Control Number | Control Family | Requirement | Recommendations | Assessed System Notes |
---|---|---|---|---|
3.1.1 | Access Control | Maintain list of authorized users defining their identity and associated role and sync with system, application and data layers. Account requests must be authorized before access is granted. | Identity policy, in conjunction with Data Owner approval for individual access requests. |
|
3.1.2 | Access Control | Utilize access control lists (derived from 3.1.1) to limit access to applications and data based on role and/or identity. Log access as appropriate. | User access requests checked against AD database for authorization. All access requests are recorded and logged. |
|
3.1.3 | Access Control | Enforce approved authorizations for controlling the flow of information within the system and between interconnected systems based on UI policies. | Enforcement includes: (i) prohibiting information transfers between interconnected systems; (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and labels. |
|
3.1.4 | Access Control | If a system user accesses data as well as maintains the system in someway, create separate accounts with appropriate access levels to separate functions. | System administrative accounts are separate from user accounts. Further, administrative responsibilities are separated within System Operations Team by function, providing a full separation of administrative and security duties. |
|
3.1.5 | Access Control | Only grant enough privileges to a system user to allow them to sufficiently fulfill their job duties. 3.1.4 references account separation. | System Operations Team user accounts are only authorized the minimum number of rights needed to operate the system; all additional privileges require administrative access, hierarchically arranged through. |
|
3.1.6 | Access Control | Users with multiple accounts (as defined in 3.1.4 and 3.1.5) must logon with the least privileged account. Access to non-security functions must be performed with an unprivileged account. | Implements GPO and IAM controls to limit security-relevant account access to non-security functions. |
|
3.1.7 | Access Control | Enable auditing of all privileged functions, and control access using access control lists based on identity or role. | Configures system to enable logging of all privileged functions on the system. |
|
3.1.8 | Access Control | Configure system to lock logon mechanism for a predetermined time and lock user account out of system after a predetermined number of invalid logon attempts. | Configures system to enable system lock based on a small number of unsuccessful logon attempts. |
|
3.1.9 | Access Control | Logon screen should display appropriate notices. | Updates logon screen to display privacy and security notices consistent with applicable CUI rules. |
|
3.1.10 | Access Control | Configure system to lock session after a predetermined time of inactivity. Allow user to lock session for temporary absence. | Configures system to enable session lock after no more than 10 minutes of inactivity, and allow user to manually lock session for temporary absence. |
|
3.1.11 | Access Control | Configure system to end a user session after a predetermined time based on duration and/or inactivity of session. | Configures system to terminate sessions after a finite period of time (less than 24 hours) or after a finite period of inactivity (less than 4 hours). |
|
3.1.12 | Access Control | Run network and system monitoring applications to monitor remote system access and log accordingly. | Remote access authorized through VPN only. Monitors remote system access and logs to central repository. Uses access control lists to limit remote access to authorized users and locations only. |
|
3.1.13 | Access Control | Any application used to remotely access the system must use approved encryption methods. | VPN uses approved encryption for all remote access. |
|
3.1.14 | Access Control | The information system routes all remote access through managed network access control points. | All remote access occurs via VPN portal. |
|
3.1.15 | Access Control | The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for emergency purposes, and documents the rationale for such access in the security plan for the information system | Remote security administration performed exclusively by ISPO; privileged remote access not authorized for non-ISPO personnel. |
|
3.1.16 | Access Control | The organization establishes usage restrictions, configuration/ connection requirements, and implementation guidance for wireless access; and authorizes wireless access to the IS before allowing such connections | WiFi access requires acknowledgement of UI Network Citizenship Policy; only authorized users allowed access. |
|
3.1.17 | Access Control | The information system protects wireless access to the system using authentication of users and encryption. | WiFi uses WPA2/Enterprise encryption and requires authentication prior to access |
|
3.1.18 | Access Control | The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, and authorizes the connection of mobile devices to the information system. | Mobile access only authorized via VPN. |
|
3.1.19 | Access Control | The organization employs full-device drive encryption to protect the confidentiality and integrity of information on organization-defined mobile devices | Full-device encryption required on all mobile devices that process UI sensitive data |
|
3.1.20 | Access Control | The organization establishes terms and conditions, consistent with any trust relationships established with other external information systems, allowing authorized individuals to access the UI information system from external locations; and process, store, and transmit organization-controlled information using external information systems. | VPN connection required to access information system; a formal Data Handling Control policy is in place |
|
3.1.21 | Access Control | The organization restricts the use of portable storage devices by authorized individuals on external information systems. | Policy to prevent release of sensitive data outside UI control; portable storage devices are encrypted per UI policy. |
|
3.1.22 | Access Control | The organization designates individuals authorized to post information at publicly-accessible locations; trains authorized individuals to ensure public information does not contain non-public information; reviews proposed content prior to public posting; and annually reviews the content of public data for non-public information release (and removes such information if discovered). |
|
|
3.2.1 | Awareness and Training | Users, managers, and system administrators of the information system will receive initial and annual training commensurate with their role and responsibilities. The training will provide a basic understanding of the need for information security, applicable policies, standards, and procedures related to the security of the information system, as well as user actions to maintain security and respond to suspected security incidents. The content will also address awareness of the need for operations security. | Personnel receive annual security training. |
|
3.2.2 | Awareness and Training | Personnel with security-related duties and responsibilities will receive initial and annual training on their specific operational, managerial, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Training will address required security controls related to environmental and physical security risks, as well as training on indications of potentially suspicious email or web communications, to include suspicious communications and other anomalous system behavior. | Personnel receive initial and annual training on their specific roles and responsibilities to meet this requirement. |
|
3.2.3 | Awareness and Training | Users, managers, and administrators of the information system will receive annual training on potential indicators and possible precursors of insider threat, to include long-term job dissatisfaction, attempts to gain unauthorized access to information, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security training will include how to communicate employee and management concerns regarding potential indicators of insider threat in accordance with established organizational policies and procedures. | Multi-tiered training. |
|
3.3.1 | Audit and Accountability | The organization creates, protects, retains information system audit records for between 30-days and 1-year (depending on data source) in order to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. | Audit information retained in accordance with policy |
|
3.3.2 | Audit and Accountability | The organization correlates network activity to individual user information order to uniquely trace and hold accountable users responsible for unauthorized actions. | Varies by organization. |
|
3.3.3 | Audit and Accountability | The organization reviews and updates audited events annually. | ISPO reviews audit scope regularly. |
|
3.3.4 | Audit and Accountability | The information system alerts the Security Office in the event of an audit processing failure, and maintains audit records on host servers | Failure to submit logs into log management solution results in alert notifications |
|
3.3.5 | Audit and Accountability | The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. | Audit records stored in log management solution for correlation and organization-wide situational awareness. |
|
3.3.6 | Audit and Accountability | The information system's audit capability provides an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements and after-the-fact security investigations; and does not alter the original content or time ordering of audit records. | Audit functions retained in log management platform. |
|
3.3.7 | Audit and Accountability | The information system uses internal system clocks to generate time stamps for audit records, and records time stamps that can be mapped to UTC; compares system clocks with authoritative NTP servers, and synchronizes system clocks when the time difference is greater than 1 second. | Network Time coordinated with NTP servers and Microsoft/Apple NTP servers. |
|
3.3.8 | Audit and Accountability | The information system protects audit information and audit tools from unauthorized access, modification, and deletion. | Log management solution data cannot be deleted without administrative credentials. |
|
3.3.9 | Audit and Accountability | The organization authorizes access to management of audit functionality to only authorized individuals | Only System Operations Team personnel authorized to access Log management solution. |
|
3.4.1 | Configuration Management | Baseline configurations will be developed, documented, and maintained for each information system type. Baseline configurations will include software versions and patch level, configuration parameters, network information including topologies, and communications with connected systems. Baseline configurations will be updated as needed to accommodate security risks or software changes. Baseline configurations will be developed and approved in conjunction with the CISO (or equivalent) and the information security owner. Deviations from baseline configurations will be documented. | System Operations Team maintains baseline configurations and change management functions. |
|
3.4.2 | Configuration Management | Security settings will be included as part of baseline configurations. Security settings will reflect the most restrictive appropriate for compliance requirements. Changes or deviations to security settings will be documented. | System Operations Team baseline security settings retained in change management policy. |
|
3.4.3 | Configuration Management | Changes or deviations to information system security control configurations that affect compliance requirements will be reviewed and approved by a change advisory board. The changes will also be tracked and documented in an approved service management system (ITSM) or equivalent tracking service. Change control tracking will be audited annually. | ISPO reviews deviations from approved configurations and recorded in IRDB. |
|
3.4.4 | Configuration Management | Changes or deviations that affect information system security controls pertaining to compliance requibments will be tested prior to implementation to test their effectiveness. Only those changes or deviations that continue to meet compliance requirements will be approved and implemented. | All changes must be tested prior to implementation. |
|
3.4.5 | Configuration Management | Only those individuals approved to make physical or logical changes on information systems will be allowed to do so. Authorized personnel will be approved and documented by the service owner and IT security. All change documentation will include the authorized personnel making the change. | System configuration changes are centrally managed by System Operations Team. |
|
3.4.6 | Configuration Management | Information systems will be configured to deliver one function per system where practical. | System Operations Team (and ISPO) monitor system functionality and approve network architecture to achieve best-possible application of least-functionality principle. |
|
3.4.7 | Configuration Management | Only those ports and protocols necessary to provide the service of the information system will be configured for that system. Applications and services not necessary to provide the service of the information system will not be configured or enabled. Systems services will be reviewed to determine what is essential for the function of that system. |
|
|
3.4.8 | Configuration Management | The information system will be configured to only allow authorized software to run. The system will be configured to disallow running unauthorized software. The controls for allowing or disallowing the running of software may include but is not limited to the use of firewalls to restrict port access and user operational controls. | System configurations prevent unsigned/unauthorized software installation. |
|
3.4.9 | Configuration Management | User controls will be in place to prohibit the installation of unauthorized software. All software for information systems must be approved. | IT policy prohibits use of unauthorized software. |
|
3.5.1 | Identification and Authentication | Systems will make use of institutionally assigned accounts for unique access by individual. Should service accounts be necessary for device or process authentication, the accounts will be created by the central identity management team and assigned to a member of the research team. Institutional and service accounts are managed centrally and deprovisioned automatically when an individual leaves. | Users assigned account per user; service accounts supervised and managed by identity management team, and assigned to a specific user for implementation. |
|
3.5.2 | Identification and Authentication | Per control 3.5.1, the accounts in use will be assigned and managed by a central identity management system. Accounts are provisioned as part of the established account creation process. Initial passwords are randomly generated strings provided via a password reset mechanism. The password must be reset upon first use. All passwords are at least 8 characters, and require a mix of upper and lower case letters, numbers, and special characters. | User authentication via user/password which meets password policy standards. |
|
3.5.3 | Identification and Authentication | Any network access to servers and virtual machines hosting the project data requires multi-factor authentication regardless if the account is privileged or unprivileged. | Network access restricted to system administrators. Multi-factor authentication. |
|
3.5.4 | Identification and Authentication | Only anti-replay authentication mechanisms will be used. The authentication front-end technologies include shibboleth, SSH, Microsoft remote desktop protocol, and Cisco SSL VPN. Backend authentication mechanisms in use include Kerberos and Active Directory. | User Authentication utilizes SAML authentication for non-UI hosted sites; Active Directory / Kerberos authentication required for UI-hosted resources. |
|
3.5.5 | Identification and Authentication | Per control 3.5.1, the accounts in use will be assigned and managed by a central identity management system. Accounts are provisioned as part of the established account creation process. Accounts are uniquely assigned. Account identifiers are not reused. | Username is uniquely assigned. IDs are not reused. |
|
3.5.6 | Identification and Authentication | User accounts or identifiers associated with a project or contract covered by NIST 800-171 are monitored for inactivity. Account access to the in-scope systems after 90/180/365 days of inactivity. | Accounts are disabled after XXXX months of inactivity. Local system account configuration may be required to disable after a specified period of inactivity. |
|
3.5.7 | Identification and Authentication | Account passwords must be a minimum of 8 characters and a mix of upper/lower case, numbers and symbols. | Passwords conform to password policy. |
|
3.5.8 | Identification and Authentication | Passwords may not be re-used for <XX days>. | Passwords conform to password policy. |
|
3.5.9 | Identification and Authentication | New employees will receive an account and instructions for creating a password from HR during the hiring process. New students receive notification of their account via email with an activation link to set their initial password. Temporary password activation links are sent to validated. Temporary passwords are only good to allow for a password reset. | Temporary passwords are restricted to new employees only, and require password reset upon login. |
|
3.5.10 | Identification and Authentication | Passwords are not stored in reversible encryption form in any of our systems. Instead, they are stored as one-way hashes constructed from passwords. | Active Directory stores passwords in a one-way hash format (currently using SHA-256 algorithm) |
|
3.5.11 | Identification and Authentication | The most basic feedback control is never informing the user in an error message what part of the of the authentication transaction failed. | Login pages obscure password input; error feedback does not specify username or password error. |
|
3.6.1 | Incident Response | The organization maintains a standardized incident-response framework that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. | Cyber Security Incident Escalation |
|
3.6.2 | Incident Response | The organization tracks, documents, and reports incidents to appropriate authorities and/or officials both inside and outside the organization. | Cyber Security Incident Escalation |
|
3.6.3 | Incident Response | The organization tests the incident response capability for the information system at least annually using tabletop exercises and simulations to determine incident response effectiveness and documents the results. | Cyber Security Incident Escalation |
|
3.7.1 | Maintenance | All systems, devices, supporting systems for organizational information systems must be maintained according to manufacturer recommendations or organizationally defined schedules | Maintenance performed on all system and network systems in accordance with manufacturer recommendations. |
|
3.7.2 | Maintenance | Organizations will put in place controls that limit the tools, techniques, mechanisms and personnel that will be used to maintain information systems, devices, and supporting systems. This can include a lists of authorized tools, authorized personnel, and authorized techniques and mechanisms. Any such maintenance must occur within the context of other information systems controls in place. | System maintenance centralized with System Operations Team sections. |
|
3.7.3 | Maintenance | Any media that is removed from the premises for maintenance or disposal must be sanitized according to the organization's media sanitization policies. | Computer Data and Media Disposal Policy |
|
3.7.4 | Maintenance | Any media that is provided by authorized maintenance personnel (and not normal Systems administrators/owners) for troubleshooting, diagnostics, or other maintenance must be run through an anti-virus/anti-malware program prior to use in an organizational information system. | Tools being used for system maintenance undergo software review prior to use on UI networks. |
|
3.7.5 | Maintenance | All remote access to an information system for maintenance or diagnostics must occur via an approved remote solution using multi-factor authentication. A remote session must be disconnected when maintenance is complete | Remote maintenance activities logically segregated from production servers; remote administrative access requires use of multi-factor authentication. |
|
3.7.6 | Maintenance | All activities of maintenance personnel who do not normally have access to a system must be monitored. The organization will define approved methods for supervision. | Data Centers log all maintenance and visitors. |
|
3.8.1 | Media Protection | Responsible parties for data in these systems will document and ensure proper authorization controls for data in media and print. Documented workflow, data access contols and media policy will be enforced to ensure proper access controls. |
|
|
3.8.2 | Media Protection | All CUI systems will be managed under least access rules. |
|
|
3.8.3 | Media Protection | All managed data storage will be erased, encrypted or destroyed using mechanisms with sufficient power to ensure that no usable data is retrievable from storage devices identified in the workflow of these systems/services. |
|
|
3.8.4 | Media Protection | All CUI system will be identified with an asset control identifier |
|
|
3.8.5 | Media Protection | Only approved individuals are to have access to media from CUI systems. Chain of evidence will be maintained for any media removed from these systems. |
|
|
3.8.6 | Media Protection | All CUI data on media will be encrypted or physically locked prior to transport outside of the institutions secure locations. |
|
|
3.8.7 | Media Protection | Removable media will only be allowed if there are processes in place to control them. Removable media must be able to support physical encryption and key vaulting must be utilized to ensure recoverability | Removable media not authorized on devices processing CUI data. |
|
3.8.8 | Media Protection | Only approved portable storage devices under asset management are to be used to store CUI data. | Portable Storage not authorized to store or process CUI data. |
|
3.8.9 | Media Protection | Data backups will be encrypted on media before removal from a secured facility | Backup data remains encrypted until retrieval by System Owner |
|
3.9.1 | Personnel Security | The organization will screen individuals prior to authorizing access to the information system, in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Criteria may include, for example, position sensitivity background screening requirements. |
|
|
3.9.2 | Personnel Security | The organzation will disable information system accesss prior to individual termination or transfer. Within 24 hours of termination or transfer, the organization will revoke any authenticators/credentials associated with the individual, retrieve all organizational information system-related property from the individual, retain access to organizational information and information systems formerly controlled by the individual, and notify the information security office and data owner of the change in authorization. | Data Custodian must notify System Operations Team prior to termination or transfer of an individual with access to CUI. |
|
3.10.1 | Physical Protection | The Area/Building Manager will desginate building areas as "sensitve" and design physical security protections (including guards, locks, cameras, card readers, etc) as necessary to limit physical access to the area to only authorized individuals. Output devices such as printers should be placed in areas where their use does not expose data to unauthorized individuals. | Data centers designated as locations for sensitive data with extensive physical security controls. |
|
3.10.2 | Physical Protection | The Area/Building Manager will review the location and type of physical security in use (including guards, locks, card readers, etc) and evaluate its suitability for the organization's needs. | Data centers designated as locations for sensitive data with extensive physical security controls. |
|
3.10.3 | Physical Protection | All visitors to sensitive areas will be escorted by an authorized employee at all times. | Data centers require all visitors be escorted at all times. |
|
3.10.4 | Physical Protection | Logs of physical access to sensitive areas are maintained according to retention policies. This includes authorized access as well as visitor access. | Data center access logs maintained according to Log Retention Guidelines |
|
3.10.5 | Physical Protection | Physical access devices (such as card readers, proximity readers, and locks) will be maintained and operated according to the manufacturer recommendations. These devices will be updated with any changed access control information as necessary to prevent unauthorized access. The Area/Building Manager will review the location and type of each physical access device and evaluate its suitability for the organization's needs. | Data center physical access devices are maintained by facilities management personnel and vendors IAW manufacturer requirements. |
|
3.10.6 | Physical Protection | All alternate sites where sensitive data is stored or processed must meet the same physical security requirements as the main site. | Data center backup site meets same physical security requirements as ITF |
|
3.11.1 | Risk Assessment | The stewards of the system/services will provide an initial and periodic risk assessment. The assessments will be impact scored using FIPS 199. Changes in the environment that may affect the system or service, changes in use of or infrastructure will be documented and assessed as modified. The impact analysis is to be a living document and incorporated into a larger risk assessment profile for the system/service. |
|
|
3.11.2 | Risk Assessment | Systems will be periodically scanned for common and new vulnerabilities. Any vulnerability not documented will be risk assessed and documented. Reports regarding the scans will be made available to system stewards and owners in a timely manner. | Vulnerability scanning performed quarterly and upon request. |
|
3.11.3 | Risk Assessment | Stewards and owners upon recognition of any vulnerability will provide an action plan for remediation, acceptance, aversion or transference of the vulnerability risk including a reasonable time frame for implementation. All high vulnerabilities will be prioritized. |
|
|
3.12.1 | Security Assessment | An annual security assessment will be conducted to ensure that security controls are implemented correctly and meet the security requirements for the compliance environment. The assessment scope includes all information systems and networks in or directly connected to the compliance environment and all security controls and procedures necessary to meet the compliance requirements of the environment. The assessment will include, but is not limited to, vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews, log reviews, and personnel interviews. A representative sampling of systems will be assessed. Information Security, or an independent security auditor, will conduct the assessment. A final written assessment report and findings will be provided to the CIO at the conclusion of the assessment. | An annual security assessment will be performed on the information system maintaining CUI. |
|
3.12.2 | Security Assessment | An action plan to remediate identified weaknesses or deficiencies will be maintained. The action plan will designate remediation dates and milestones for each item. Deficiencies and weaknesses identified in security controls assessments, security impact analyses, and |
|
|
3.12.3 | Security Assessment | At a minimum, systems will be monitored for privileged access, permission changes, kernel modifications, and binary changes, against a control and system baseline. Continuous monitoring reports and alerts will be reviewed daily. Unauthorized changes or unauthorized access will be reported to the CISO and information system owner within 24 hours of it being reported. | System security monitoring in place. Controls are reviewed regularly for effectiveness and updated when necessary. |
|
3.13.1 | System and Communications Protection | Enumerate policies for managed interfaces such as gateways, routers, firewalls, VPNs; organizational DMZs; and restricting external web traffic to only designated servers. | IT Policies |
|
3.13.2 | System and Communications Protection | Outline organizational information security policies, to include standards for architectural design, software development, and system engineering principles designed to promote information security. | IT Policies |
|
3.13.3 | System and Communications Protection | Enumerate the physical or logical controls used to separate user functionality from system management-related functionality (e.g., to ensure that administration (e.g. privilege) options are not available to general users). | IT Policies |
|
3.13.4 | System and Communications Protection | Enumerate the controls implemented to prevent object reuse and to protect residual information. | IT Policies |
|
3.13.5 | System and Communications Protection | Outline the policies for organizational DMZs. | IT Policies |
|
3.13.6 | System and Communications Protection | Document all business need exceptions to network communications traffic (inbound/outbound) “deny all” policies. | Firewall ACL changes noted in IRDB. |
|
3.13.7 | System and Communications Protection | Outline controls to prevent split tunneling in remote devices, and to mandate VPN use when necessary for business functions. | ACL rules noted in IT Policies, validated via ISPO scanning |
|
3.13.8 | System and Communications Protection | Outline the processes and automated mechanisms used to provide encryption of CUI during transmission; or document all alternative physical safeguards used to provide confidentiality of CUI during transmission. | Data transfer between systems must occur over encrypted channels only. This includes use of HTTPS, TLS, and other standard protocol encryption methodologies. |
|
3.13.9 | System and Communications Protection | Outline controls for terminating communications sessions on both internal and external networks (e.g., deallocating TCP/IP addresses/port pairs); and institute time periods of inactivity based on type of network accesses. | Network sessions are deactivated upon termination of a session. Systems have varying inactivity timelines for termination. |
|
3.13.10 | System and Communications Protection | Outline the processes and automated mechanisms used to provide key management within the information system (should also follow any relevant laws, regulations, and policies). | ISPO manages signed keys for network services via InCommon. Self-signed keys for internal systems are managed by System Operations Team. |
|
3.13.11 | System and Communications Protection | Outline where FIPS-validated cryptography is used. | DES/AES encryption used for CUI protection. |
|
3.13.12 | System and Communications Protection | Enumerate actions to remove or disable collaborative computing devices from information systems housing CUI; and to notify users when collaborative computing devices are in use (e.g., cameras, microphones, etc.). | |
|
3.13.13 | System and Communications Protection | Define limits of mobile code usage, establish usage restrictions, and specifically authorize use of mobile code (e.g., Java, ActiveX, Flash, etc.) within an information system. | May not be met by existing policies |
|
3.13.14 | System and Communications Protection | Define and establish usage restrictions, and specifically authorize the business necessary use of VoIP technologies within an information system. | No VoIP used in CUI networks. |
|
3.13.15 | System and Communications Protection | Outline the controls implemented to protect session communications (e.g., the controls implemented to validate identities and information transmitted to protect against MITM attacks, session hijacking, and insertion of false information into sessions). | Web communications use signed certificates via InCommon that are managed by ISPO. |
|
3.13.16 | System and Communications Protection | Outline controls used to protect CUI while stored in organizational information systems. | Data-At-Rest Encryption required for all CUI servers. |
|
3.14.1 | System and Information Integrity | The organization will perform all security-relevant software updates, to include patching, service packs, hot fixes, and anti-virus signature additions in response to identified system flaws and vulnerabilities within the time prescribed by organizational policy (Critical/High: 5 days, Moderate: 30 days, Low: As-Available). When available, managers and administrators of the information system will rely on centralized management of the flaw remediation process, to include the use of automated update software, patch management tools, and automated status scanning. | Achieved via SCCM, SCEP, and ISPO Vulnerability Scanning procedures. |
|
3.14.2 | System and Information Integrity | The organization will employ malicious code protection mechanisms at information system entry and exit points to minimize the presence of malicious code. These protection mechanisms may include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. | Cisco FireSIGHT IDS enabled at border, along with firewalls between network segments. |
|
3.14.3 | System and Information Integrity | The organization will receive security alerts, advisories, and directives from reputable external agencies, and disseminate this information to individuals with need-to-know in the organization. In the event of alerts, advisories, or directives that have widespread impact on the organization, internal security directives will be disseminated directly to information system users, managers, and administrators. | ISPO receives security alerts, advisories, and directives from a variety of government and non-governmental resources, to include REN-ISAC, MS-ISAC, FBI, Trustwave, SourceFire, et al. Alerts that require system user or data custodian need-to-know are disseminated to the lowest level. |
|
3.14.4 | System and Information Integrity | The organization will update information system protection mechanisms within 5 days of new releases. | SCEP and IDS threat feeds update signatures at least hourly; SCEP updates to endpoints occur either immediately or at next logon. |
|
3.14.5 | System and Information Integrity | The organization will perform quarterly scans of the information system, as well as real-time scanning of files from external sources. | Network Vulnerability Scanning & Penetration Testing |
|
3.14.6 | System and Information Integrity | The organization will monitor the information system to detect attacks and indicators of potential attacks, as well as unauthorized local, network, and remote connections. The organization will strategically deploy monitoring devices within the information system to collect essential information. Information gained from these monitoring tools will be protected from unauthorized access, modification, and deletion. | Information Security Framework |
|
3.14.7 | System and Information Integrity | The organization will monitor the information system to identify unauthorized access and use, as well as potential misuse of the information system. | Information Security Framework |
|
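Control 3.12.3 above calls for monitoring binary changes and permission changes against a system baseline. The following is an added example of how such a baseline comparison can be implemented; it is not part of the table or of any tool the assessed system uses. File paths, contents and modes in it are constructed sample data, and the `FileRecord`, `record` and `diff_against_baseline` names are this example's own.

```python
import hashlib
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FileRecord:
    """What the baseline stores per file: content hash plus POSIX permission bits."""
    sha256: str
    mode: int


def record(content: bytes, mode: int) -> FileRecord:
    """Build a baseline record from raw file content and an st_mode value."""
    # S_IMODE strips the file-type bits so only rwx/setuid/setgid/sticky remain.
    return FileRecord(hashlib.sha256(content).hexdigest(), stat.S_IMODE(mode))


def snapshot_paths(paths: Iterable[str]) -> Dict[str, FileRecord]:
    """Read real files from disk into a snapshot (not used by the offline demo below)."""
    snapshot = {}
    for path in paths:
        with open(path, "rb") as fh:
            snapshot[path] = record(fh.read(), os.stat(path).st_mode)
    return snapshot


def diff_against_baseline(baseline: Dict[str, FileRecord],
                          current: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Compare a fresh snapshot with the approved baseline.

    Returns the four change classes a reviewer of the daily report would act on:
    content changed (binary change), permission bits changed, file added, file removed.
    """
    findings = {"modified": [], "permission_changed": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings["added"].append(path)
        elif new is None:
            findings["removed"].append(path)
        else:
            if old.sha256 != new.sha256:
                findings["modified"].append(path)
            if old.mode != new.mode:
                findings["permission_changed"].append(path)
    return findings


# Constructed sample data standing in for an approved baseline and a later snapshot.
SAMPLE_BASELINE = {
    "/usr/bin/ssh":      record(b"ssh build 7.4", 0o755),
    "/etc/shadow":       record(b"root:*:17500::::::", 0o640),
    "/usr/sbin/sshd":    record(b"sshd build 7.4", 0o755),
    "/etc/cron.d/audit": record(b"0 * * * * root /usr/local/bin/audit", 0o644),
}

SAMPLE_CURRENT = {
    "/usr/bin/ssh":          record(b"ssh build 7.4 (modified)", 0o755),  # binary changed
    "/etc/shadow":           record(b"root:*:17500::::::", 0o644),        # now world-readable
    "/usr/sbin/sshd":        record(b"sshd build 7.4", 0o755),            # unchanged
    "/usr/local/bin/helper": record(b"#!/bin/sh\n", 0o4755),              # new setuid file
    # /etc/cron.d/audit is missing from the snapshot: removed
}


def demo_findings() -> Dict[str, List[str]]:
    return diff_against_baseline(SAMPLE_BASELINE, SAMPLE_CURRENT)


if __name__ == "__main__":
    for kind, paths in demo_findings().items():
        for path in paths:
            print(f"{kind:19s} {path}")
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it (the same point control 3.14.6 makes about protecting monitoring data), and a change that was expected, for example from an approved patch run under 3.14.1, is closed by re-baselining rather than by ignoring the alert.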
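Control 3.14.1 above fixes remediation windows of 5 days for Critical/High, 30 days for Moderate and "as available" for Low. The following is an added example, not part of the table or of the SCCM/SCEP tooling it names, of turning those windows into an overdue report that a vulnerability scan export could feed. The finding records, dates and the `remediation_deadline`, `overdue_findings` and `late_remediations` names are this example's own; it assumes a finding is overdue once the current date is strictly later than the deadline day.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Windows from the 3.14.1 recommendation. Low has no fixed deadline ("As-Available").
SLA_DAYS = {"critical": 5, "high": 5, "moderate": 30, "low": None}


def remediation_deadline(severity: str, identified_on: date) -> Optional[date]:
    """Return the date by which a finding of this severity must be remediated."""
    key = severity.lower()
    if key not in SLA_DAYS:
        raise ValueError(f"unknown severity {severity!r}")
    days = SLA_DAYS[key]
    return None if days is None else identified_on + timedelta(days=days)


def overdue_findings(findings: List[Dict], today: date) -> List[Tuple[str, int]]:
    """Open findings past their deadline, as (finding id, days overdue), worst first."""
    overdue = []
    for f in findings:
        if f["remediated_on"] is not None:
            continue  # closed findings are handled by late_remediations()
        deadline = remediation_deadline(f["severity"], f["identified_on"])
        if deadline is not None and today > deadline:  # assumption: strictly after deadline day
            overdue.append((f["id"], (today - deadline).days))
    return sorted(overdue, key=lambda item: -item[1])


def late_remediations(findings: List[Dict]) -> List[str]:
    """Closed findings that were fixed after their deadline (for the SLA metric)."""
    late = []
    for f in findings:
        if f["remediated_on"] is None:
            continue
        deadline = remediation_deadline(f["severity"], f["identified_on"])
        if deadline is not None and f["remediated_on"] > deadline:
            late.append(f["id"])
    return late


# Constructed sample findings, shaped like rows from a scanner export.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "Critical", "identified_on": date(2017, 12, 5),  "remediated_on": None},
    {"id": "F-2", "severity": "Moderate", "identified_on": date(2017, 11, 1),  "remediated_on": None},
    {"id": "F-3", "severity": "High",     "identified_on": date(2017, 12, 12), "remediated_on": None},
    {"id": "F-4", "severity": "Low",      "identified_on": date(2017, 10, 1),  "remediated_on": None},
    {"id": "F-5", "severity": "Critical", "identified_on": date(2017, 11, 20), "remediated_on": date(2017, 11, 23)},
    {"id": "F-6", "severity": "High",     "identified_on": date(2017, 11, 20), "remediated_on": date(2017, 11, 30)},
]

REPORT_DATE = date(2017, 12, 15)  # constructed "today" for the demo


def demo_report() -> Dict[str, object]:
    return {
        "overdue": overdue_findings(SAMPLE_FINDINGS, REPORT_DATE),
        "closed_late": late_remediations(SAMPLE_FINDINGS),
    }


if __name__ == "__main__":
    report = demo_report()
    for finding_id, days in report["overdue"]:
        print(f"OVERDUE {finding_id}: {days} day(s) past SLA")
    print("closed late:", ", ".join(report["closed_late"]) or "none")
```

The report deliberately separates still-open overdue findings (what the administrator must act on today) from findings that were closed late (what the quarterly review under 3.14.5 would measure), since both come from the same deadline rule but serve different audiences.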