{"catalog":{"uuid":"66bdfab0-ebad-4fec-8e96-e02bc9013988","metadata":{"links":[{"rel":"alternate","href":"#666de17a-c620-4fa2-a8bf-3f7cd62aca72"},{"rel":"cprt","href":"#56515ab3-80b5-4e50-a2ed-270cb67bd5bd"}],"props":[{"ns":"https://csrc.nist.gov/ns/cprt","name":"framework-identifier","value":"SP800_172"},{"ns":"https://csrc.nist.gov/ns/cprt","name":"framework-version-identifier","value":"SP_800_172_3_0_0"},{"ns":"https://csrc.nist.gov/ns/cprt","name":"generated-by","value":"Cybersecurity And Privacy Open Reference Datasets In OSCAL (CAPORDINO)"}],"roles":[{"id":"creator","title":"OSCAL Document Creator"},{"id":"publisher","title":"SP 800-172 Publisher"},{"id":"contact-creator","title":"Contact Electronic Version Creator"},{"id":"contact-publisher","title":"Contact Publisher"}],"title":"Electronic (OSCAL) Version of Enhanced Security Requirements for Protecting Controlled Unclassified Information v3.0.0","parties":[{"name":"OSCAL Program","type":"organization","uuid":"98c78f9b-5d50-4b01-b47f-d16801e8d0ab","addresses":[{"city":"Gaithersburg","state":"MD","addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 203.)"],"postal-code":"20899-203."}],"short-name":"NIST OSCAL","email-addresses":["oscal@nist.gov"]},{"name":"National Institute of Standards and Technology","type":"organization","uuid":"47c54e80-574f-44e7-b971-47c0a6bf6ec0","addresses":[{"city":"Gaithersburg","state":"MD","addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 
203.)"],"postal-code":"20899-203."}],"short-name":"NIST","email-addresses":["sec-cert@nist.gov"]}],"version":"1.0.0","published":"2026-05-13T12:30:00Z","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"9d08acdd-0e88-4786-a0d7-8fec3f184a3b"}],"last-modified":"2026-05-12T16:10:46.938769-04:00","oscal-version":"v1.2.2","responsible-parties":[{"role-id":"creator","party-uuids":["98c78f9b-5d50-4b01-b47f-d16801e8d0ab"]},{"role-id":"publisher","party-uuids":["47c54e80-574f-44e7-b971-47c0a6bf6ec0"]},{"role-id":"contact-creator","party-uuids":["98c78f9b-5d50-4b01-b47f-d16801e8d0ab"]},{"role-id":"contact-publisher","party-uuids":["47c54e80-574f-44e7-b971-47c0a6bf6ec0"]}]},"groups":[{"id":"SP_800_172_3_0_0_3.1","class":"family","props":[{"name":"sort-id","value":"03.01"},{"name":"label","value":"Access Control (3.1)"}],"title":"Access Control","controls":[{"id":"SP_800_172_3_0_0_03.01.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#31bf29e8-67f8-4379-b08e-f6f9deab7809"}],"parts":[{"id":"ES-03.01.01E","name":"statement","prose":"Enforce dual authorization for {{ insert: param, A.03.01.01E.ODP.01 }}. "},{"id":"D-03.01.01E","name":"guidance","class":"discussion","prose":"Dual authorization is also known as two-person control. Dual authorization reduces risk related to insider threats, including adversaries who have obtained credentials. Dual authorization requires the approval of two authorized individuals to execute privileged commands and/or other organizational actions that may affect the protection of CUI. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations also consider the risk associated with implementing dual authorization when immediate responses are necessary to ensure public and environmental safety. 
This requirement enhances SP 800-171 requirement 03.01.02."},{"id":"AE-03.01.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.01E-2-effect","name":"item","class":"Preclude-AE-03.01.01E-2","parts":[{"id":"AE-03.01.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.01E-3-effect","name":"item","class":"Impede-AE-03.01.01E-3","parts":[{"id":"AE-03.01.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.01E"}],"prose":"dual authorization is enforced for {{ insert: param, A.03.01.01E.ODP.01 }}. 
"},{"id":"E-03.01.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement and dual authorization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of actions requiring dual authorization\n\nlist of privileged commands requiring dual authorization\n\nlist of approved authorizations (user privileges)\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with access enforcement responsibilities\n\nsystem/network administrators\n\nsystem developers\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Dual authorization mechanisms implementing access control policy"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.01E"},{"name":"label","value":"03.01.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Dual Authorization","params":[{"id":"A.03.01.01E.ODP.01","label":"privileged commands and/or other actions","props":[{"name":"label","value":"A.03.01.01E.ODP[01]"}],"usage":"organization-defined privileged commands and/or other organization-defined actions","guidelines":[{"prose":"privileged commands and/or other actions requiring dual authorization are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#bd81756e-61ac-44e9-bc3d-5b3aa015d3cb"}],"parts":[{"id":"ES-03.01.02E","name":"statement","prose":"Restrict the use of non-organizationally owned systems or system components to process, store, or transmit CUI using {{ insert: param, A.03.01.02E.ODP.01 }}. "},{"id":"D-03.01.02E","name":"guidance","class":"discussion","prose":"Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. These also include systems and system components that are leased, part of subscription services, government-furnished equipment, or \"bring your own\" devices. There are risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use. In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved safeguards prior to authorizing connections to non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to system components that are provisioned by the organization; and agreeing to the terms and conditions for usage. 
This requirement enhances SP 800-171 requirement 03.01.20."},{"id":"AE-03.01.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.02E-2-effect","name":"item","class":"Preclude-AE-03.01.02E-2","parts":[{"id":"AE-03.01.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.02E-3-effect","name":"item","class":"Impede-AE-03.01.02E-3","parts":[{"id":"AE-03.01.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.02E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.02E"}],"prose":"the use of non-organizationally owned systems or system components to process, store, or transmit CUI is restricted using {{ insert: param, A.03.01.02E.ODP.01 }}. 
"},{"id":"E-03.01.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with responsibilities for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices\n\nsystem/network administrators\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.02E"},{"name":"label","value":"03.01.02E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Non-Organizationally Owned Systems - Restricted Use","params":[{"id":"A.03.01.02E.ODP.01","label":"restrictions","props":[{"name":"label","value":"A.03.01.02E.ODP[01]"}],"usage":"organization-defined restrictions","guidelines":[{"prose":"restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit CUI are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.03E","class":"security_requirement","links":[{"rel":"incorporated_into","href":"03.01.09E"},{"rel":"incorporated_into","href":"03.01.10E"},{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.01.03"}],"props":[{"name":"sort-id","value":"03.01.03E"},{"name":"label","value":"03.01.03E"},{"name":"status","value":"withdrawn"}],"title":"03.01.03E"},{"id":"SP_800_172_3_0_0_03.01.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#c3bd8782-2f5d-4d24-8b91-b88afab25422"}],"parts":[{"id":"ES-03.01.04E","name":"statement","prose":"Limit the number of concurrent sessions for each {{ insert: param, A.03.01.04E.ODP.01 }} to {{ insert: param, A.03.01.04E.ODP.02 }}. "},{"id":"D-03.01.04E","name":"guidance","class":"discussion","prose":"Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.01.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.04E-2-effect","name":"item","class":"Preclude-AE-03.01.04E-2","parts":[{"id":"AE-03.01.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.04E-3-effect","name":"item","class":"Impede-AE-03.01.04E-3","parts":[{"id":"AE-03.01.04E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.04E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain and exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.04E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.04E"}],"prose":"the number of concurrent sessions for each {{ insert: param, A.03.01.04E.ODP.01 }} is limited to {{ insert: param, A.03.01.04E.ODP.02 }}. 
"},{"id":"E-03.01.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for concurrent session control"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.04E"},{"name":"label","value":"03.01.04E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Concurrent Session Control","params":[{"id":"A.03.01.04E.ODP.01","label":"account and/or account types","props":[{"name":"label","value":"A.03.01.04E.ODP[01]"}],"usage":"organization-defined account and/or account type","guidelines":[{"prose":"accounts and/or account types for which to limit the number of concurrent sessions are defined."}]},{"id":"A.03.01.04E.ODP.02","label":"number","props":[{"name":"label","value":"A.03.01.04E.ODP[02]"}],"usage":"organization-defined number","guidelines":[{"prose":"the number of concurrent sessions to be allowed for each account and/or account type is 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.05E","class":"security_requirement","links":[{"rel":"external_reference","href":"#2d6f9d4f-b674-453e-8171-eaacf15ddc28"}],"parts":[{"id":"ES-03.01.05E","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"D-03.01.05E","name":"guidance","class":"discussion","prose":"Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This is accomplished by auditing the connection activities of remote users on system components, including servers, notebook computers, workstations, smart phones, and tablets. This requirement enhances SP 800-171 requirement 03.01.02."},{"id":"AE-03.01.05E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.05E-2-effect","name":"item","class":"Preclude-AE-03.01.05E-2","parts":[{"id":"AE-03.01.05E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.05E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.05E-3-effect","name":"item","class":"Impede-AE-03.01.05E-3","parts":[{"id":"AE-03.01.05E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.05E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse 
impacts or consequences."}]},{"id":"DS-A.03.01.05E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.05E"}],"prose":"automated mechanisms are employed to monitor remote access methods."},{"id":"DS-A.03.01.05E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.05E"}],"prose":"automated mechanisms are employed to control remote access methods."},{"id":"E-03.01.05E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.05E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.05E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.05E"},{"name":"label","value":"03.01.05E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Remote Access Monitoring and 
Control"},{"id":"SP_800_172_3_0_0_03.01.06E","class":"security_requirement","links":[{"rel":"external_reference","href":"#5058b05d-bee9-4d3a-ab17-1c62f1f51d4b"}],"parts":[{"id":"ES-03.01.06E","name":"statement","prose":"Protect information about remote access mechanisms from unauthorized use and disclosure."},{"id":"D-03.01.06E","name":"guidance","class":"discussion","prose":"Access to organizational information about remote access mechanisms by non-organizational entities can increase the risk of unauthorized use and disclosure. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior and access agreements. This requirement enhances SP 800-171 requirement 03.01.12."},{"id":"AE-03.01.06E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.06E-2-effect","name":"item","class":"Preclude-AE-03.01.06E-2","parts":[{"id":"AE-03.01.06E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.06E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.06E-3-effect","name":"item","class":"Impede-AE-03.01.06E-3","parts":[{"id":"AE-03.01.06E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.06E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had 
planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.06E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.06E"}],"prose":"information about remote access mechanisms is protected from unauthorized use and disclosure."},{"id":"E-03.01.06E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.06E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with responsibilities for implementing or monitoring remote access to the system\n\nsystem users with knowledge of information about remote access mechanisms\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]}],"props":[{"name":"sort-id","value":"03.01.06E"},{"name":"label","value":"03.01.06E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Protection of Remote Access Mechanism Information"},{"id":"SP_800_172_3_0_0_03.01.07E","class":"security_requirement","links":[{"rel":"external_reference","href":"#7286bffd-83a1-4461-83f4-97405be5f159"}],"parts":[{"id":"ES-03.01.07E","name":"statement","prose":"Use automated mechanisms to audit account creation, modification, enabling, disabling, and removal actions."},{"id":"D-03.01.07E","name":"guidance","class":"discussion","prose":"The use of automated mechanisms to audit account management activities provides more timely and comprehensive data to guide and inform needed actions by system administrators. 
Security information and event management (SIEM) tools can help automate account management audit activities. This requirement enhances SP 800-171 requirement 03.01.01."},{"id":"AE-03.01.07E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.07E-2-effect","name":"item","class":"Preclude-AE-03.01.07E-2","parts":[{"id":"AE-03.01.07E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.07E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.07E-3-effect","name":"item","class":"Impede-AE-03.01.07E-3","parts":[{"id":"AE-03.01.07E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.07E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.07E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.07E"}],"prose":"automated mechanisms are used to audit account creation actions."},{"id":"DS-A.03.01.07E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.07E"}],"prose":"automated mechanisms are used to audit account modification actions."},{"id":"DS-A.03.01.07E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.07E"}],"prose":"automated mechanisms are used to audit 
account enabling actions."},{"id":"DS-A.03.01.07E.04","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.07E"}],"prose":"automated mechanisms are used to audit account disabling actions."},{"id":"DS-A.03.01.07E.05","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.07E"}],"prose":"automated mechanisms are used to audit account removal actions."},{"id":"E-03.01.07E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications or alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.07E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with account management responsibilities\n\nsystem/network administrators\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.07E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.07E"},{"name":"label","value":"03.01.07E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Automated Audit Actions for Account 
Management"},{"id":"SP_800_172_3_0_0_03.01.08E","class":"security_requirement","links":[{"rel":"external_reference","href":"#24d416a8-ac05-4776-960a-c47ca1d8dd4e"}],"parts":[{"id":"ES-03.01.08E","name":"statement","parts":[{"id":"ES-03.01.08E-a","name":"item","props":[{"name":"label","value":"ES-03.01.08E-a"}],"prose":"Monitor system accounts for {{ insert: param, A.03.01.08E.ODP.01 }}. "},{"id":"ES-03.01.08E-b","name":"item","props":[{"name":"label","value":"ES-03.01.08E-b"}],"prose":"Report atypical usage of system accounts to {{ insert: param, A.03.01.08E.ODP.02 }}. "}]},{"id":"D-03.01.08E","name":"guidance","class":"discussion","prose":"Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. This requirement enhances SP 800-171 requirement 03.01.01."},{"id":"AE-03.01.08E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.08E-2-effect","name":"item","class":"Expose-AE-03.01.08E-2","parts":[{"id":"AE-03.01.08E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.01.08E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.01.08E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.08E-a"}],"prose":"system accounts are monitored for {{ insert: param, A.03.01.08E.ODP.01 }}. 
"},{"id":"DS-A.03.01.08E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.08E-b"}],"prose":"atypical usage of system accounts is reported to {{ insert: param, A.03.01.08E.ODP.02 }}. "},{"id":"E-03.01.08E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.08E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with account management responsibilities\n\nsystem/network administrators\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.08E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.08E"},{"name":"label","value":"03.01.08E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Account Monitoring for Atypical Usage","params":[{"id":"A.03.01.08E.ODP.01","label":"atypical usage","props":[{"name":"label","value":"A.03.01.08E.ODP[01]"}],"usage":"organization-defined atypical usage","guidelines":[{"prose":"atypical usage for which to monitor system accounts is defined."}]},{"id":"A.03.01.08E.ODP.02","label":"personnel or roles","props":[{"name":"label","value":"A.03.01.08E.ODP[02]"}],"usage":"organization-defined personnel or 
roles","guidelines":[{"prose":"personnel or roles to report atypical usage are defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.09E","class":"security_requirement","links":[{"rel":"external_reference","href":"#2348e420-57fb-4675-9ae2-5ed8e703af2a"}],"parts":[{"id":"ES-03.01.09E","name":"statement","parts":[{"id":"ES-03.01.09E-a","name":"item","props":[{"name":"label","value":"ES-03.01.09E-a"}],"prose":"Enforce attribute-based access control policy over defined subjects and objects."},{"id":"ES-03.01.09E-b","name":"item","props":[{"name":"label","value":"ES-03.01.09E-b"}],"prose":"Control access based upon {{ insert: param, A.03.01.09E.ODP.01 }}. "}]},{"id":"D-03.01.09E","name":"guidance","class":"discussion","prose":"Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, role, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., document classification). Organizations can create rules based on specified attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. 
This requirement enhances SP 800-171 requirement 03.01.02."},{"id":"AE-03.01.09E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.09E-2-effect","name":"item","class":"Preclude-AE-03.01.09E-2","parts":[{"id":"AE-03.01.09E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.09E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.09E-3-effect","name":"item","class":"Impede-AE-03.01.09E-3","parts":[{"id":"AE-03.01.09E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.09E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.09E.a.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.09E-a"}],"prose":"the attribute-based access control policy is enforced over defined subjects."},{"id":"DS-A.03.01.09E.a.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.09E-a"}],"prose":"the attribute-based access control policy is enforced over defined objects."},{"id":"DS-A.03.01.09E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.09E-b"}],"prose":"access is controlled based upon {{ insert: param, A.03.01.09E.ODP.01 }}. 
"},{"id":"E-03.01.09E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of attribute-based access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.09E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with access enforcement responsibilities\n\nsystem/network administrators\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.09E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.09E"},{"name":"label","value":"03.01.09E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Attribute-Based Access Control","params":[{"id":"A.03.01.09E.ODP.01","label":"attributes","props":[{"name":"label","value":"A.03.01.09E.ODP[01]"}],"usage":"organization-defined attributes to assume access permissions","guidelines":[{"prose":"attributes to assume access permissions are defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.10E","class":"security_requirement","links":[{"rel":"external_reference","href":"#19071bfa-b136-4df5-9f64-eed511ed4f1d"}],"parts":[{"id":"ES-03.01.10E","name":"statement","prose":"Use {{ insert: param, A.03.01.10E.ODP.01 }} associated with {{ insert: param, A.03.01.10E.ODP.02 }} 
to enforce {{ insert: param, A.03.01.10E.ODP.03 }} as a basis for flow control decisions. "},{"id":"D-03.01.10E","name":"guidance","class":"discussion","prose":"Organizations implement information flow control policies and enforcement mechanisms to control the flow of CUI between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Information flow enforcement mechanisms compare the security attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows that are not explicitly allowed by information flow policies. Security attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security attributes can be used, for example, to control the release of certain types of information. 
This requirement enhances SP 800-171 requirement 03.01.03."},{"id":"AE-03.01.10E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.10E-2-effect","name":"item","class":"Preclude-AE-03.01.10E-2","parts":[{"id":"AE-03.01.10E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.10E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.10E-3-effect","name":"item","class":"Impede-AE-03.01.10E-3","parts":[{"id":"AE-03.01.10E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.10E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.10E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.10E"}],"prose":" {{ insert: param, A.03.01.10E.ODP.01 }} associated with {{ insert: param, A.03.01.10E.ODP.02 }}, {{ insert: param, A.03.01.10E.ODP.03 }}, and {{ insert: param, A.03.01.10E.ODP.04 }} are used to enforce {{ insert: param, A.03.01.10E.ODP.05 }} as a basis for flow control decisions. 
"},{"id":"E-03.01.10E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security attributes and associated source and destination objects\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.10E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.10E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.10E"},{"name":"label","value":"03.01.10E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Object Security Attributes","params":[{"id":"A.03.01.10E.ODP.01","label":"security attributes","props":[{"name":"label","value":"A.03.01.10E.ODP[01]"}],"usage":"organization-defined security attributes","guidelines":[{"prose":"security attributes to be associated with information, source, and destination objects are defined."}]},{"id":"A.03.01.10E.ODP.02","label":"information objects","props":[{"name":"label","value":"A.03.01.10E.ODP[02]"}],"usage":"organization-defined security attributes","guidelines":[{"prose":"information objects to be associated with information security attributes are 
defined."}]},{"id":"A.03.01.10E.ODP.03","label":"source objects","props":[{"name":"label","value":"A.03.01.10E.ODP[03]"}],"usage":"organization-defined security attributes","guidelines":[{"prose":"source objects to be associated with information security attributes are defined."}]},{"id":"A.03.01.10E.ODP.04","label":"destination objects","props":[{"name":"label","value":"A.03.01.10E.ODP[04]"}],"usage":"organization-defined information, source, and destination objects","guidelines":[{"prose":"destination objects to be associated with information security attributes are defined."}]},{"id":"A.03.01.10E.ODP.05","label":"information flow control policies","props":[{"name":"label","value":"A.03.01.10E.ODP[05]"}],"usage":"organization-defined information flow control policies","guidelines":[{"prose":"information flow control policies as a basis for the enforcement of flow control decisions are defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.11E","class":"security_requirement","links":[{"rel":"external_reference","href":"#51cbc70e-d163-43c6-822a-7b7b86266e3d"}],"parts":[{"id":"ES-03.01.11E","name":"statement","parts":[{"id":"ES-03.01.11E-a","name":"item","props":[{"name":"label","value":"ES-03.01.11E-a"}],"prose":"Enforce a role-based access control policy over defined subjects and objects."},{"id":"ES-03.01.11E-b","name":"item","props":[{"name":"label","value":"ES-03.01.11E-b"}],"prose":"Control access based upon {{ insert: param, A.03.01.11E.ODP.01 }}. "}]},{"id":"D-03.01.11E","name":"guidance","class":"discussion","prose":"Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. 
When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase security risks if individuals assigned to a role are given access to information beyond what they need to support organizational mission or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. This requirement enhances SP 800-171 requirement 03.01.02."},{"id":"AE-03.01.11E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.11E-2-effect","name":"item","class":"Preclude-AE-03.01.11E-2","parts":[{"id":"AE-03.01.11E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.11E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.11E-3-effect","name":"item","class":"Impede-AE-03.01.11E-3","parts":[{"id":"AE-03.01.11E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.11E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or 
consequences."}]},{"id":"DS-A.03.01.11E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.11E-a"}],"prose":"a role-based access control policy over defined subjects and objects is enforced."},{"id":"DS-A.03.01.11E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.11E-b"}],"prose":"access is controlled based upon {{ insert: param, A.03.01.11E.ODP.01 }}. "},{"id":"E-03.01.11E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\nrole-based access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of roles, users, and associated privileges required to control system access\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.11E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.11E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing role-based access control policy"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.11E"},{"name":"label","value":"03.01.11E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Role-Based Access 
Control","params":[{"id":"A.03.01.11E.ODP.01","props":[{"name":"label","value":"A.03.01.11E.ODP[01]"}],"usage":"organization-defined roles and users authorized to assume such roles","guidelines":[{"prose":"roles and users authorized to assume such roles are defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.12E","class":"security_requirement","links":[{"rel":"external_reference","href":"#b2875d20-46a1-4d35-9fce-87946fa192dc"}],"parts":[{"id":"ES-03.01.12E","name":"statement","prose":"Separate CUI flows logically or physically using {{ insert: param, A.03.01.12E.ODP.01 }}. "},{"id":"D-03.01.12E","name":"guidance","class":"discussion","prose":"Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that CUI is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. This requirement enhances SP 800-171 requirement 03.01.03."},{"id":"AE-03.01.12E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.12E-2-effect","name":"item","class":"Preclude-AE-03.01.12E-2","parts":[{"id":"AE-03.01.12E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.12E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.12E-3-effect","name":"item","class":"Impede-AE-03.01.12E-3","parts":[{"id":"AE-03.01.12E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.12E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full 
effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.12E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.12E"}],"prose":"CUI flows are logically or physically separated using {{ insert: param, A.03.01.12E.ODP.01 }}. "},{"id":"E-03.01.12E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.12E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.12E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.12E"},{"name":"label","value":"03.01.12E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant 
Architecture"}],"title":"Physical or Logical Separation of CUI Flows","params":[{"id":"A.03.01.12E.ODP.01","props":[{"name":"label","value":"A.03.01.12E.ODP[01]"}],"usage":"organization-defined mechanisms and/or techniques","guidelines":[{"prose":"mechanisms and/or techniques to separate CUI flows are defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.13E","class":"security_requirement","links":[{"rel":"external_reference","href":"#845c9b4b-0491-4b5b-a8a7-4d4a6b8619f0"}],"parts":[{"id":"ES-03.01.13E","name":"statement","prose":"Enforce information flow control based on {{ insert: param, A.03.01.13E.ODP.01 }}. "},{"id":"D-03.01.13E","name":"guidance","class":"discussion","prose":"Metadata is information that describes the characteristics of data. Metadata can include structural metadata that describes data structures or descriptive metadata that describes data content. The enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance). 
This requirement enhances SP 800-171 requirement 03.01.03."},{"id":"AE-03.01.13E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.13E-2-effect","name":"item","class":"Preclude-AE-03.01.13E-2","parts":[{"id":"AE-03.01.13E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.13E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.13E-3-effect","name":"item","class":"Impede-AE-03.01.13E-3","parts":[{"id":"AE-03.01.13E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.13E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.13E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.13E"}],"prose":"information flow control based on {{ insert: param, A.03.01.13E.ODP.01 }} is enforced. 
"},{"id":"E-03.01.13E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.13E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.13E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.13E"},{"name":"label","value":"03.01.13E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Metadata","params":[{"id":"A.03.01.13E.ODP.01","label":"metadata","props":[{"name":"label","value":"A.03.01.13E.ODP[01]"}],"usage":"organization-defined metadata","guidelines":[{"prose":"metadata that requires flow control is defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.14E","class":"security_requirement","links":[{"rel":"external_reference","href":"#3d199491-8b9e-49ae-8b31-b61a347ddc38"}],"parts":[{"id":"ES-03.01.14E","name":"statement","parts":[{"id":"ES-03.01.14E-a","name":"item","props":[{"name":"label","value":"ES-03.01.14E-a"}],"prose":"Enforce information flow control using {{ insert: param, A.03.01.14E.ODP.01 }} as a basis for flow control decisions for {{ insert: param, 
A.03.01.14E.ODP.02 }}. "},{"id":"ES-03.01.14E-b","name":"item","props":[{"name":"label","value":"ES-03.01.14E-b"}],"prose":" {{ insert: param, A.03.01.14E.ODP.03 }} data after a filter processing failure in accordance with {{ insert: param, A.03.01.14E.ODP.04 }}. "}]},{"id":"D-03.01.14E","name":"guidance","class":"discussion","prose":"Security policy filters for data structures check for maximum file lengths, maximum field sizes, and data/file types for structured and unstructured data. Security policy filters for data content check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the criticality or sensitivity of information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (e.g., image, video, or audio files) and textual objects that are based on written or printed languages. 
This requirement enhances SP 800-171 requirement 03.01.03."},{"id":"AE-03.01.14E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.14E-2-effect","name":"item","class":"Preclude-AE-03.01.14E-2","parts":[{"id":"AE-03.01.14E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.14E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.14E-3-effect","name":"item","class":"Impede-AE-03.01.14E-3","parts":[{"id":"AE-03.01.14E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.14E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.14E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.14E-a"}],"prose":"information flow control is enforced using {{ insert: param, A.03.01.14E.ODP.01 }} as a basis for flow control decisions for {{ insert: param, A.03.01.14E.ODP.02 }} . "},{"id":"DS-A.03.01.14E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.14E-b"}],"prose":" {{ insert: param, A.03.01.14E.ODP.03 }} data after a filter processing failure in accordance with {{ insert: param, A.03.01.14E.ODP.04 }}. 
"},{"id":"E-03.01.14E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters regulating flow control decisions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.14E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.14E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity policy filters"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.14E"},{"name":"label","value":"03.01.14E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Security Policy Filters","params":[{"id":"A.03.01.14E.ODP.01","props":[{"name":"label","value":"A.03.01.14E.ODP[01]"}],"usage":"organization-defined security policy filters","guidelines":[{"prose":"security policy filters are defined."}]},{"id":"A.03.01.14E.ODP.02","props":[{"name":"label","value":"A.03.01.14E.ODP[02]"}],"usage":"organization-defined information flows","guidelines":[{"prose":"information flows are defined."}]},{"id":"A.03.01.14E.ODP.03","label":"SELECTED PARAMETER 
VALUE(S)","props":[{"name":"label","value":"A.03.01.14E.ODP[03]"}],"select":{"choice":["Block","Strip","Modify","Quarantine"],"how-many":"one-or-more"}},{"id":"A.03.01.14E.ODP.04","props":[{"name":"label","value":"A.03.01.14E.ODP[04]"}],"usage":"organization-defined security policy","guidelines":[{"prose":"security policy addressing a filter processing failure is defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.15E","class":"security_requirement","links":[{"rel":"external_reference","href":"#e46a035a-76a4-4b73-b89b-3d884550b205"}],"parts":[{"id":"ES-03.01.15E","name":"statement","prose":"Use {{ insert: param, A.03.01.15E.ODP.01 }} to validate data that is essential for information flow decisions when transferring CUI between security domains. "},{"id":"D-03.01.15E","name":"guidance","class":"discussion","prose":"Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow for the transfer of data that is compliant with data type format specifications. The identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type. 
This requirement enhances SP 800-171 requirement 03.01.03."},{"id":"AE-03.01.15E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.15E-2-effect","name":"item","class":"Preclude-AE-03.01.15E-2","parts":[{"id":"AE-03.01.15E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.15E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.15E-3-effect","name":"item","class":"Impede-AE-03.01.15E-3","parts":[{"id":"AE-03.01.15E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.15E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.15E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.15E"}],"prose":"when transferring information between security domains, {{ insert: param, A.03.01.15E.ODP.01 }} are used to validate data that is essential for information flow decisions. 
"},{"id":"E-03.01.15E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of data type identifiers\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.15E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.15E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.15E"},{"name":"label","value":"03.01.15E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Data Type Identifiers","params":[{"id":"A.03.01.15E.ODP.01","label":"data type identifiers","props":[{"name":"label","value":"A.03.01.15E.ODP[01]"}],"usage":"organization-defined data type identifiers","guidelines":[{"prose":"data type identifiers are defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.16E","class":"security_requirement","links":[{"rel":"external_reference","href":"#58950fbc-6437-4e7b-b044-2ef2da2a6fd2"}],"parts":[{"id":"ES-03.01.16E","name":"statement","prose":"Decompose CUI into {{ insert: param, A.03.01.16E.ODP.01 }} for submission to policy enforcement mechanisms when transferring CUI between different security domains. 
"},{"id":"D-03.01.16E","name":"guidance","class":"discussion","prose":"Decomposing CUI into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, and other security-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains. This requirement enhances SP 800-171 requirement 03.01.03."},{"id":"AE-03.01.16E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.16E-2-effect","name":"item","class":"Preclude-AE-03.01.16E-2","parts":[{"id":"AE-03.01.16E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.16E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.16E-3-effect","name":"item","class":"Impede-AE-03.01.16E-3","parts":[{"id":"AE-03.01.16E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.16E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.16E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.16E"}],"prose":"when transferring 
information between different security domains, CUI is decomposed into {{ insert: param, A.03.01.16E.ODP.01 }} for submission to policy enforcement mechanisms "},{"id":"E-03.01.16E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.16E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.16E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.16E"},{"name":"label","value":"03.01.16E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Decomposition Into Policy-Relevant Subcomponents","params":[{"id":"A.03.01.16E.ODP.01","label":"policy-relevant subcomponents","props":[{"name":"label","value":"A.03.01.16E.ODP[01]"}],"usage":"organization-defined policy-relevant subcomponents","guidelines":[{"prose":"policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.01.17E","class":"security_requirement","links":[{"rel":"external_reference","href":"#d5f32471-6f9b-4f4e-8c57-2baab5efdbdb"}],"parts":[{"id":"ES-03.01.17E","name":"statement","parts":[{"id":"ES-03.01.17E-a","name":"item","props":[{"name":"label","value":"ES-03.01.17E-a"}],"prose":"Examine CUI for the presence of {{ insert: param, A.03.01.17E.ODP.01 }} when transferring information between different security domains. "},{"id":"ES-03.01.17E-b","name":"item","props":[{"name":"label","value":"ES-03.01.17E-b"}],"prose":"Prohibit the transfer of the CUI defined in 03.01.17E.a in accordance with the {{ insert: param, A.03.01.17E.ODP.02 }}. "}]},{"id":"D-03.01.17E","name":"guidance","class":"discussion","prose":"Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, information that is not authorized to be stored or processed on the system, or executable code that could disrupt or harm services or systems on the destination network. 
This requirement enhances SP 800-171 requirement 03.01.03."},{"id":"AE-03.01.17E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.01.17E-2-effect","name":"item","class":"Preclude-AE-03.01.17E-2","parts":[{"id":"AE-03.01.17E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.01.17E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.01.17E-3-effect","name":"item","class":"Impede-AE-03.01.17E-3","parts":[{"id":"AE-03.01.17E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.01.17E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.01.17E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.17E-a"}],"prose":"when transferring information between different security domains, information is examined for the presence of {{ insert: param, A.03.01.17E.ODP.01 }}. "},{"id":"DS-A.03.01.17E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.01.17E-b"}],"prose":"the transfer of CUI defined in 03.01.17E.a is prohibited in accordance with {{ insert: param, A.03.01.17E.ODP.02 }}. 
"},{"id":"E-03.01.17E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of unsanctioned information types and associated information\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.01.17E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.01.17E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.01.17E"},{"name":"label","value":"03.01.17E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Detection of Unsanctioned CUI","params":[{"id":"A.03.01.17E.ODP.01","props":[{"name":"label","value":"A.03.01.17E.ODP[01]"}],"usage":"organization-defined unsanctioned information","guidelines":[{"prose":"unsanctioned information to be detected is defined."}]},{"id":"A.03.01.17E.ODP.02","props":[{"name":"label","value":"A.03.01.17E.ODP[02]"}],"usage":"organization-defined security policy","guidelines":[{"prose":"a security policy that prohibits the transfer of such information is defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.2","class":"family","props":[{"name":"sort-id","value":"03.02"},{"name":"label","value":"Awareness and Training 
(3.2)"}],"title":"Awareness and Training","controls":[{"id":"SP_800_172_3_0_0_03.02.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#65e14c03-9208-4680-b275-53003145e734"},{"rel":"external_reference","href":"#f8d5d73a-5d42-46de-a5bd-65c35e9404cd"},{"rel":"external_reference","href":"#d4be10bd-54c9-4f40-9d14-69feb1448df9"}],"parts":[{"id":"ES-03.02.01E","name":"statement","parts":[{"id":"ES-03.02.01E-a","name":"item","parts":[{"id":"ES-03.02.01E-a-1","name":"item","props":[{"name":"label","value":"ES-03.02.01E-a-1"}],"prose":"On the advanced persistent threat,"},{"id":"ES-03.02.01E-a-2","name":"item","props":[{"name":"label","value":"ES-03.02.01E-a-2"}],"prose":"On recognizing suspicious communications and anomalous behavior in systems using {{ insert: param, A.03.02.01E.ODP.01 }}, and "},{"id":"ES-03.02.01E-a-3","name":"item","props":[{"name":"label","value":"ES-03.02.01E-a-3"}],"prose":"On the cyber threat environment."}],"props":[{"name":"label","value":"ES-03.02.01E-a"}],"prose":"Provide security literacy training to system users:"},{"id":"ES-03.02.01E-b","name":"item","props":[{"name":"label","value":"ES-03.02.01E-b"}],"prose":"Update security literacy training content {{ insert: param, A.03.02.01E.ODP.02 }} and following {{ insert: param, A.03.02.01E.ODP.03 }}. "}]},{"id":"D-03.02.01E","name":"guidance","class":"discussion","prose":"An effective way to detect APTs, address the cyber threat environment, and preclude successful attacks is to provide specific literacy training for individuals. Threat literacy training includes educating individuals on the various ways that APTs can infiltrate the organization (e.g., through websites, emails, pop-ups, articles, and social engineering) and describes techniques for recognizing suspicious emails, the use of removable systems in non-secure settings, and the potential targeting of individuals at home. 
Personnel are also trained on what constitutes suspicious communications and how to respond to such communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning of the presence of malicious code. Recognizing anomalous behavior in systems can supplement the malicious code detection and protection tools and systems used by organizations. Since threats continue to change over time, threat literacy training is dynamic. Moreover, threat literacy training is not performed in isolation from the system operations that support organizational missions and business functions. This requirement enhances SP 800-171 requirement 03.02.01."},{"id":"AE-03.02.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.02.01E-2-effect","name":"item","class":"Preclude-AE-03.02.01E-2","parts":[{"id":"AE-03.02.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.02.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.02.01E-3-effect","name":"item","class":"Expose-AE-03.02.01E-3","parts":[{"id":"AE-03.02.01E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.02.01E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar 
environments."}]},{"id":"DS-A.03.02.01E.a.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.01E-a-1"}],"prose":"security literacy training on the advanced persistent threat is provided to system users."},{"id":"DS-A.03.02.01E.a.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.01E-a-2"}],"prose":"security literacy training on recognizing suspicious communications and anomalous behavior in systems using {{ insert: param, A.03.02.01E.ODP.01 }} is provided to system users. "},{"id":"DS-A.03.02.01E.a.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.01E-a-3"}],"prose":"security literacy training on the cyber threat environment is provided to system users."},{"id":"DS-A.03.02.01E.b.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.01E-b"}],"prose":"security literacy training content is updated {{ insert: param, A.03.02.01E.ODP.02 }}. "},{"id":"DS-A.03.02.01E.b.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.01E-b"}],"prose":"security literacy training content is updated following {{ insert: param, A.03.02.01E.ODP.03 }} "},{"id":"E-03.02.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System security plan\n\nsecurity literacy and awareness training policy\n\nprocedures addressing security literacy and awareness training implementation\n\nsecurity literacy and awareness training curriculum\n\nsecurity literacy and awareness training materials\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.02.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel who receive security literacy and awareness training\n\npersonnel with responsibilities for security literacy and awareness training\n\npersonnel with 
information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]}],"props":[{"name":"sort-id","value":"03.02.01E"},{"name":"label","value":"03.02.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Advanced Literacy and Awareness Training","params":[{"id":"A.03.02.01E.ODP.01","label":"indicators of malicious code","props":[{"name":"label","value":"A.03.02.01E.ODP[01]"}],"usage":"organization-defined indicators of malicious code","guidelines":[{"prose":"indicators of malicious code are defined."}]},{"id":"A.03.02.01E.ODP.02","label":"frequency","props":[{"name":"label","value":"A.03.02.01E.ODP[02]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to update security literacy training content is defined."}]},{"id":"A.03.02.01E.ODP.03","label":"events","props":[{"name":"label","value":"A.03.02.01E.ODP[03]"}],"usage":"organization-defined events","guidelines":[{"prose":"events which cause security literacy training content to be updated are defined."}]}]},{"id":"SP_800_172_3_0_0_03.02.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#32e00cee-426c-4841-ad3d-987c40ea2c3e"}],"parts":[{"id":"ES-03.02.02E","name":"statement","prose":"Provide practical exercises in literacy training that simulate events and incidents."},{"id":"D-03.02.02E","name":"guidance","class":"discussion","prose":"Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking malicious web links via spear phishing attacks. 
This requirement enhances SP 800-171 requirement 03.02.01."},{"id":"AE-03.02.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.02.02E-2-effect","name":"item","class":"Preclude-AE-03.02.02E-2","parts":[{"id":"AE-03.02.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.02.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.02.02E-3-effect","name":"item","class":"Expose-AE-03.02.02E-3","parts":[{"id":"AE-03.02.02E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.02.02E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.02.02E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.02E"}],"prose":"practical exercises in literacy training that simulate events and incidents are provided."},{"id":"E-03.02.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System security plan\n\nsecurity literacy and awareness training policy\n\nprocedures addressing security literacy and awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nother relevant documents or 
records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.02.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel who receive security literacy and awareness training\n\npersonnel with responsibilities for security awareness training\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.02.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing cyber-attack simulations in practical exercises"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.02.02E"},{"name":"label","value":"03.02.02E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Literacy and Awareness Training Practical Exercises"},{"id":"SP_800_172_3_0_0_03.02.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#4e91e018-7f06-4b35-9e11-82ec63730a82"}],"parts":[{"id":"ES-03.02.03E","name":"statement","prose":"Provide feedback on organizational training results to the following personnel {{ insert: param, A.03.02.03E.ODP.01 }}. "},{"id":"D-03.02.03E","name":"guidance","class":"discussion","prose":"Training feedback includes literacy and role-based training results, which can indicate a potentially serious problem, especially the failures of personnel in critical roles. Managers should be made aware of such situations so that they can respond accordingly. Training feedback supports the evaluation and update of organizational training content and methodology. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.02.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.02.03E-2-effect","name":"item","class":"Preclude-AE-03.02.03E-2","parts":[{"id":"AE-03.02.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.02.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.02.03E-3-effect","name":"item","class":"Expose-AE-03.02.03E-3","parts":[{"id":"AE-03.02.03E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.02.03E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.02.03E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.03E"}],"prose":"feedback on organizational training results is provided to {{ insert: param, A.03.02.03E.ODP.01 }}. 
"},{"id":"E-03.02.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Security awareness training policy\n\nprocedures addressing security literacy and awareness training records\n\nsecurity literacy and awareness training records\n\nsecurity plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.02.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with security and awareness training record retention responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.02.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security literacy and awareness training records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.02.03E"},{"name":"label","value":"03.02.03E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Literacy and Awareness Training Feedback","params":[{"id":"A.03.02.03E.ODP.01","label":"personnel","props":[{"name":"label","value":"A.03.02.03E.ODP[01]"}],"usage":"organization-defined personnel","guidelines":[{"prose":"personnel to whom feedback on organizational training results will be provided are assigned."}]}]},{"id":"SP_800_172_3_0_0_03.02.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#b78d8b19-021f-4995-8805-d7d7236472b7"}],"parts":[{"id":"ES-03.02.04E","name":"statement","prose":"Train {{ insert: param, A.03.02.04E.ODP.01 }} to detect counterfeit system components. 
"},{"id":"D-03.02.04E","name":"guidance","class":"discussion","prose":"System components include hardware, software, and firmware components as well as the documentation for those components. This requirement is sourced to a control tailored out of the SP 800-53B moderate baseline in SP 800-171."},{"id":"AE-03.02.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.02.04E-2-effect","name":"item","class":"Preclude-AE-03.02.04E-2","parts":[{"id":"AE-03.02.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.02.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.02.04E-3-effect","name":"item","class":"Expose-AE-03.02.04E-3","parts":[{"id":"AE-03.02.04E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.02.04E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.02.04E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.02.04E"}],"prose":" {{ insert: param, A.03.02.04E.ODP.01 }} are trained to detect counterfeit system components. 
"},{"id":"E-03.02.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.02.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with information security responsibilities\n\npersonnel with supply chain risk management responsibilities\n\npersonnel with contract management responsibilities\n\npersonnel with responsibilities for anti-counterfeit policies, procedures, and training"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.02.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for anti-counterfeit training"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.02.04E"},{"name":"label","value":"03.02.04E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Anti-Counterfeit Training","params":[{"id":"A.03.02.04E.ODP.01","label":"personnel or roles","props":[{"name":"label","value":"A.03.02.04E.ODP[01]"}],"usage":"organization-defined personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components are 
defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.3","class":"family","props":[{"name":"sort-id","value":"03.03"},{"name":"label","value":"Audit and Accountability (3.3)"}],"title":"Audit and Accountability","controls":[{"id":"SP_800_172_3_0_0_03.03.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#ff799542-1361-4545-a8fc-8ece62932b59"}],"parts":[{"id":"ES-03.03.01E","name":"statement","prose":"Store audit records in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"D-03.03.01E","name":"guidance","class":"discussion","prose":"Storing audit records in a repository that is separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components preserves the confidentiality, integrity, and availability of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or system components applies to the initial generation and backup or long-term storage of audit records. 
This requirement enhances SP 800-171 requirement 03.03.08."},{"id":"AE-03.03.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.03.01E-2-effect","name":"item","class":"Preclude-AE-03.03.01E-2","parts":[{"id":"AE-03.03.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.03.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.03.01E-3-effect","name":"item","class":"Impede-AE-03.03.01E-3","parts":[{"id":"AE-03.03.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.03.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.03.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.03.01E"}],"prose":"audit records are stored in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"E-03.03.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit 
records\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.03.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with audit and accountability responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.03.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the backing up of audit records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.03.01E"},{"name":"label","value":"03.03.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Protection of Audit Record Storage in Separate Physical Systems or Components"},{"id":"SP_800_172_3_0_0_03.03.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#a4e9d937-ba64-4e9e-af1f-52d7c0a8236b"}],"parts":[{"id":"ES-03.03.02E","name":"statement","prose":"Provide an alert within {{ insert: param, A.03.03.02E.ODP.01 }} to {{ insert: param, A.03.03.02E.ODP.02 }} when the following audit failure events occur: {{ insert: param, A.03.03.02E.ODP.03 }}. "},{"id":"D-03.03.02E","name":"guidance","class":"discussion","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less). 
This requirement enhances SP 800-171 requirement 03.03.04."},{"id":"AE-03.03.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.03.02E-2-effect","name":"item","class":"Preclude-AE-03.03.02E-2","parts":[{"id":"AE-03.03.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.03.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.03.02E-3-effect","name":"item","class":"Impede-AE-03.03.02E-3","parts":[{"id":"AE-03.03.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.03.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.03.02E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.03.02E"}],"prose":"an alert is provided within {{ insert: param, A.03.03.02E.ODP.01 }} to {{ insert: param, A.03.03.02E.ODP.02 }} when {{ insert: param, A.03.03.02E.ODP.03 }} occur. 
"},{"id":"E-03.03.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.03.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with audit and accountability responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]}],"props":[{"name":"sort-id","value":"03.03.02E"},{"name":"label","value":"03.03.02E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Real-Time Alerts for Audit Processing Failures","params":[{"id":"A.03.03.02E.ODP.01","label":"real-time period","props":[{"name":"label","value":"A.03.03.02E.ODP[01]"}],"usage":"organization-defined real-time period","guidelines":[{"prose":"real-time period requiring alerts when audit failure events (defined in A.03.03.02E.ODP.03) occur is defined."}]},{"id":"A.03.03.02E.ODP.02","label":"personnel, roles, and/or locations","props":[{"name":"label","value":"A.03.03.02E.ODP[02]"}],"usage":"organization-defined personnel, roles, and/or locations","guidelines":[{"prose":"personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in A.03.03.02E.ODP.03) occur are defined."}]},{"id":"A.03.03.02E.ODP.03","label":"audit logging failure events","props":[{"name":"label","value":"A.03.03.02E.ODP[03]"}],"usage":"organization-defined audit logging failure events requiring real-time 
alerts","guidelines":[{"prose":"audit logging failure events requiring real-time alerts are defined."}]}]},{"id":"SP_800_172_3_0_0_03.03.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#ff8de932-aeb4-44e4-bcdd-dd64f65b296c"}],"parts":[{"id":"ES-03.03.03E","name":"statement","prose":"Enforce dual authorization for {{ insert: param, A.03.03.03E.ODP.01 }} of {{ insert: param, A.03.03.03E.ODP.02 }}. "},{"id":"D-03.03.03E","name":"guidance","class":"discussion","prose":"Dual authorization is also known as two-person control since it requires the approval of two authorized individuals to reduce the risk related to insider threat when executing audit functions. Dual authorization reduces risks related to insider threats, including adversaries who have obtained credentials. Organizations may choose different selection options for different types of audit information. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations consider the risk associated with implementing dual authorization when immediate responses are necessary to ensure public and environmental safety. This requirement enhances SP 800-171 requirement 03.03.08. 
It is also related to requirement 03.01.01E."},{"id":"AE-03.03.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.03.03E-2-effect","name":"item","class":"Preclude-AE-03.03.03E-2","parts":[{"id":"AE-03.03.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.03.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.03.03E-3-effect","name":"item","class":"Impede-AE-03.03.03E-3","parts":[{"id":"AE-03.03.03E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.03.03E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.03.03E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.03.03E"}],"prose":"dual authorization is enforced for the {{ insert: param, A.03.03.03E.ODP.01 }} of {{ insert: param, A.03.03.03E.ODP.02 }}. 
"},{"id":"E-03.03.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naccess authorizations\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.03.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with audit and accountability responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.03.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the enforcement of dual authorization"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.03.03E"},{"name":"label","value":"03.03.03E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Dual Authorization for Audit Information and Actions","params":[{"id":"A.03.03.03E.ODP.01","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.03.03E.ODP[01]"}],"select":{"choice":["movement","deletion"],"how-many":"one-or-more"}},{"id":"A.03.03.03E.ODP.02","label":"audit information","props":[{"name":"label","value":"A.03.03.03E.ODP[02]"}],"usage":"organization-defined audit information","guidelines":[{"prose":"audit information for which dual authorization is to be enforced is 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.03.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#4b4b1f2b-40f9-4240-a2dc-8d222dc6a562"}],"parts":[{"id":"ES-03.03.04E","name":"statement","prose":"Integrate analysis of audit records with analysis of {{ insert: param, A.03.03.04E.ODP.01 }} to further enhance the ability to identify inappropriate or unusual activity. "},{"id":"D-03.03.04E","name":"guidance","class":"discussion","prose":"Integrated analysis of audit records requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security information and event management (SIEM) tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches to analyzing audit record information. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service (DoS) attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can also assist in uncovering attacks and relating audit information to operational situations. 
This requirement enhances SP 800-171 requirement 03.03.05."},{"id":"AE-03.03.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.03.04E-2-effect","name":"item","class":"Preclude-AE-03.03.04E-2","parts":[{"id":"AE-03.03.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.03.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.03.04E-3-effect","name":"item","class":"Expose-AE-03.03.04E-3","parts":[{"id":"AE-03.03.04E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.03.04E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.03.04E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.03.04E"}],"prose":"analysis of audit records is integrated with analysis of {{ insert: param, A.03.03.04E.ODP.01 }} to further enhance the ability to identify inappropriate or unusual activity. 
"},{"id":"E-03.03.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.03.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with audit review, analysis, and reporting responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.03.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to integrate analysis of audit records with analysis of data or information sources"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.03.04E"},{"name":"label","value":"03.03.04E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Integrated Analysis of Audit Records","params":[{"id":"A.03.03.04E.ODP.01","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.03.04E.ODP[01]"}],"select":{"choice":["vulnerability scanning information","performance data","system monitoring information"," {{ insert: param, A.03.03.04E.ODP.02 }} "],"how-many":"one-or-more"}},{"id":"A.03.03.04E.ODP.02","label":"data/information collected from other sources","props":[{"name":"label","value":"A.03.03.04E.ODP[02]"}],"usage":"organization-defined 
data/information collected from other sources","guidelines":[{"prose":"data or information collected from other sources to be analyzed is defined (if selected)."}]}]}]},{"id":"SP_800_172_3_0_0_3.4","class":"family","props":[{"name":"sort-id","value":"03.04"},{"name":"label","value":"Configuration Management (3.4)"}],"title":"Configuration Management","controls":[{"id":"SP_800_172_3_0_0_03.04.01E","class":"security_requirement","links":[{"rel":"incorporated_into","href":"03.04.08E"},{"rel":"incorporated_into","href":"03.14.04E"},{"rel":"incorporated_into","href":"03.17.03E"},{"rel":"incorporated_into","href":"03.17.04E"},{"rel":"incorporated_into","href":"03.17.05E"},{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.04.01"},{"rel":"external_reference","href":"03.04.03"},{"rel":"external_reference","href":"03.04.10"}],"props":[{"name":"sort-id","value":"03.04.01E"},{"name":"label","value":"03.04.01E"},{"name":"status","value":"withdrawn"}],"title":"03.04.01E"},{"id":"SP_800_172_3_0_0_03.04.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#aa1e16f2-50e4-4419-a3ef-16e4863a9c04"},{"rel":"external_reference","href":"#42c89468-dda2-4995-a012-7939becfb06a"},{"rel":"external_reference","href":"#6d45f8f9-3d6d-4dd9-9e09-a26d6ede6665"}],"parts":[{"id":"ES-03.04.02E","name":"statement","parts":[{"id":"ES-03.04.02E-a","name":"item","props":[{"name":"label","value":"ES-03.04.02E-a"}],"prose":"Detect the presence of unauthorized or misconfigured system components using {{ insert: param, A.03.04.02E.ODP.01 }}. "},{"id":"ES-03.04.02E-b","name":"item","props":[{"name":"label","value":"ES-03.04.02E-b"}],"prose":"Take the following actions when unauthorized or misconfigured components are detected: {{ insert: param, A.03.04.02E.ODP.02 }}. 
"}]},{"id":"D-03.04.02E","name":"guidance","class":"discussion","prose":"Monitoring for unauthorized or misconfigured components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized or misconfigured system components. Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved, for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" This requirement enhances SP 800-171 requirement 03.04.10. 
"},{"id":"AE-03.04.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.04.02E-2-effect","name":"item","class":"Preclude-AE-03.04.02E-2","parts":[{"id":"AE-03.04.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.04.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes expunge and preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.04.02E-3-effect","name":"item","class":"Impede-AE-03.04.02E-3","parts":[{"id":"AE-03.04.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.04.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.04.02E-4-effect","name":"item","class":"Expose-AE-03.04.02E-4","parts":[{"id":"AE-03.04.02E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.04.02E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar 
environments."}]},{"id":"DS-A.03.04.02E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.02E-a"}],"prose":"the presence of unauthorized or misconfigured system components is detected using {{ insert: param, A.03.04.02E.ODP.01 }}. "},{"id":"DS-A.03.04.02E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.02E-b"}],"prose":"one or more of the following actions is/are taken when unauthorized or misconfigured system components are detected: {{ insert: param, A.03.04.02E.ODP.02 }}. "},{"id":"E-03.04.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory and configuration settings\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nsystem design documentation\n\nchange control records\n\ncommon secure configuration checklists\n\nalerts or notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.04.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with component inventory and security configuration management responsibilities\n\npersonnel with responsibilities for managing automated mechanisms implementing unauthorized system component detection\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.04.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for the detection of 
unauthorized or misconfigured system components\n\nautomated processes for taking action when unauthorized or misconfigured system components are detected\n\nautomated mechanisms supporting and/or implementing the detection of unauthorized or misconfigured system components\n\nautomated mechanisms supporting and/or implementing actions taken when unauthorized or misconfigured system components are detected"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.04.02E"},{"name":"label","value":"03.04.02E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Automated Unauthorized Component Detection","params":[{"id":"A.03.04.02E.ODP.01","label":"automated mechanisms","props":[{"name":"label","value":"A.03.04.02E.ODP[01]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized or misconfigured system components are defined."}]},{"id":"A.03.04.02E.ODP.02","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.04.02E.ODP[02]"}],"select":{"choice":["disable network access by such components","isolate the components","notify {{ insert: param, A.03.04.02E.ODP.03 }} "],"how-many":"one-or-more"}},{"id":"A.03.04.02E.ODP.03","label":"personnel or roles","props":[{"name":"label","value":"A.03.04.02E.ODP[03]"}],"usage":"organization-defined personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when unauthorized or misconfigured system components are detected are defined (if selected)."}]}]},{"id":"SP_800_172_3_0_0_03.04.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#773926cc-773e-46ac-945d-92478081b511"}],"parts":[{"id":"ES-03.04.03E","name":"statement","prose":"Maintain the 
currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, A.03.04.03E_prm_1 }}. "},{"id":"D-03.04.03E","name":"guidance","class":"discussion","prose":"The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items based on the authoritative source. The information necessary for the accountability of system components includes the system name, hardware and software component owners, hardware inventory specifications, software license information, software version numbers, and—for networked components—the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. System component inventory information can include historic versioning of the information that can be used to track changes in the inventory and its ownership over the lifecycle of the system component inventory. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. 
This requirement enhances SP 800-171 requirement 03.04.10."},{"id":"AE-03.04.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.04.03E-2-effect","name":"item","class":"Preclude-AE-03.04.03E-2","parts":[{"id":"AE-03.04.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.04.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.04.03E-3-effect","name":"item","class":"Impede-AE-03.04.03E-3","parts":[{"id":"AE-03.04.03E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.04.03E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.04.03E-4-effect","name":"item","class":"Expose-AE-03.04.03E-4","parts":[{"id":"AE-03.04.03E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.04.03E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar 
environments."}]},{"id":"DS-A.03.04.03E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.03E"}],"prose":" {{ insert: param, A.03.04.03E.ODP.01 }} are used to maintain the currency of the system component inventory. "},{"id":"DS-A.03.04.03E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.03E"}],"prose":" {{ insert: param, A.03.04.03E.ODP.02 }} are used to maintain the completeness of the system component inventory. "},{"id":"DS-A.03.04.03E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.03E"}],"prose":" {{ insert: param, A.03.04.03E.ODP.03 }} are used to maintain the accuracy of the system component inventory. "},{"id":"DS-A.03.04.03E.04","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.03E"}],"prose":" {{ insert: param, A.03.04.03E.ODP.04 }} are used to maintain the availability of the system component inventory. "},{"id":"E-03.04.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.04.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with component inventory management responsibilities\n\npersonnel with information security responsibilities\n\nsystem developers\n\nsystem/network 
administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.04.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for maintaining the system component inventory\n\nautomated mechanisms supporting and/or implementing the system component inventory"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.04.03E"},{"name":"label","value":"03.04.03E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Automated Maintenance of System Component Inventory","params":[{"id":"A.03.04.03E_prm_1","label":"organization-defined automated mechanisms","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.04.03E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.04.03E.ODP[02]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.04.03E.ODP[03]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.04.03E.ODP[04]"}]},{"id":"A.03.04.03E.ODP.01","label":"automated mechanisms","props":[{"name":"label","value":"A.03.04.03E.ODP[01]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the currency of the system component inventory are defined."}]},{"id":"A.03.04.03E.ODP.02","label":"automated mechanisms","props":[{"name":"label","value":"A.03.04.03E.ODP[02]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the completeness of the system component inventory are defined."}]},{"id":"A.03.04.03E.ODP.03","label":"automated mechanisms","props":[{"name":"label","value":"A.03.04.03E.ODP[03]"}],"usage":"organization-defined 
automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the accuracy of the system component inventory are defined."}]},{"id":"A.03.04.03E.ODP.04","label":"automated mechanisms","props":[{"name":"label","value":"A.03.04.03E.ODP[04]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the availability of the system component inventory are defined."}]}]},{"id":"SP_800_172_3_0_0_03.04.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#2c095e86-5096-41fa-9017-f008ff84b4da"}],"parts":[{"id":"ES-03.04.04E","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, A.03.04.04E.ODP.01 }}. "},{"id":"D-03.04.04E","name":"guidance","class":"discussion","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools; hardware, software, and firmware inventory tools; and network management tools. Automated tools can be used to track version numbers on operating systems, applications, the types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of 03.04.03E for organizations that combine system component inventory and baseline configuration activities. 
This requirement enhances SP 800-171 requirement 03.04.01."},{"id":"AE-03.04.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.04.04E-2-effect","name":"item","class":"Preclude-AE-03.04.04E-2","parts":[{"id":"AE-03.04.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.04.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.04.04E-3-effect","name":"item","class":"Impede-AE-03.04.04E-3","parts":[{"id":"AE-03.04.04E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.04.04E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.04.04E-4-effect","name":"item","class":"Expose-AE-03.04.04E-4","parts":[{"id":"AE-03.04.04E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.04.04E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar 
environments."}]},{"id":"DS-A.03.04.04E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.04E"}],"prose":"the currency of the baseline configuration of the system is maintained using {{ insert: param, A.03.04.04E.ODP.01 }}. "},{"id":"DS-A.03.04.04E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.04E"}],"prose":"the completeness of the baseline configuration of the system is maintained using {{ insert: param, A.03.04.04E.ODP.01 }}. "},{"id":"DS-A.03.04.04E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.04E"}],"prose":"the accuracy of the baseline configuration of the system is maintained using {{ insert: param, A.03.04.04E.ODP.01 }}. "},{"id":"DS-A.03.04.04E.04","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.04E"}],"prose":"the availability of the baseline configuration of the system is maintained using {{ insert: param, A.03.04.04E.ODP.01 }}. "},{"id":"E-03.04.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.04.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with configuration management responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network 
administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.04.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.04.04E"},{"name":"label","value":"03.04.04E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Automation Support for Baseline Configuration","params":[{"id":"A.03.04.04E.ODP.01","label":"automated mechanisms","props":[{"name":"label","value":"A.03.04.04E.ODP[01]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms for maintaining the baseline configuration of the system are defined."}]}]},{"id":"SP_800_172_3_0_0_03.04.05E","class":"security_requirement","links":[{"rel":"external_reference","href":"#dfd91a2e-cacc-4a41-82ca-4f313cfd5ace"}],"parts":[{"id":"ES-03.04.05E","name":"statement","prose":"Enforce dual authorization for implementing changes to {{ insert: param, A.03.04.05E_prm_1 }}. "},{"id":"D-03.04.05E","name":"guidance","class":"discussion","prose":"Dual authorization is also known as two-person control. Organizations employ dual authorization to help ensure that any changes to selected system components and system-level information cannot occur unless two qualified individuals approve and implement such changes. Requiring two individuals to implement system changes provides an increased level of assurance that the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes that have been implemented. 
To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures. This requirement enhances SP 800-171 requirement 03.04.05."},{"id":"AE-03.04.05E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.04.05E-2-effect","name":"item","class":"Preclude-AE-03.04.05E-2","parts":[{"id":"AE-03.04.05E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.04.05E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.04.05E-3-effect","name":"item","class":"Impede-AE-03.04.05E-3","parts":[{"id":"AE-03.04.05E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.04.05E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.04.05E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.05E"}],"prose":"dual authorization for implementing changes to {{ insert: param, A.03.04.05E.ODP.01 }} is enforced. "},{"id":"DS-A.03.04.05E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.05E"}],"prose":"dual authorization for implementing changes to {{ insert: param, A.03.04.05E.ODP.02 }} is enforced. 
"},{"id":"E-03.04.05E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem component inventory\n\nsystem information types\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.04.05E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with dual authorization enforcement responsibilities for implementing system changes\n\npersonnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.04.05E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for managing access restrictions to change\n\nmechanisms implementing dual authorization enforcement"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.04.05E"},{"name":"label","value":"03.04.05E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Dual Authorization for System Changes","params":[{"id":"A.03.04.05E_prm_1","label":"organization-defined system components and system-level information","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.04.05E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.04.05E.ODP[02]"}]},{"id":"A.03.04.05E.ODP.01","label":"system 
components","props":[{"name":"label","value":"A.03.04.05E.ODP[01]"}],"usage":"organization-defined system components and system-level information","guidelines":[{"prose":"system components requiring dual authorization for the implementation of changes are defined."}]},{"id":"A.03.04.05E.ODP.02","label":"system-level information","props":[{"name":"label","value":"A.03.04.05E.ODP[02]"}],"usage":"organization-defined system components and system-level information","guidelines":[{"prose":"system-level information requiring dual authorization for the implementation of changes is defined."}]}]},{"id":"SP_800_172_3_0_0_03.04.06E","class":"security_requirement","links":[{"rel":"external_reference","href":"#3ad9454b-7a02-42b7-b90c-d4920bb18777"}],"parts":[{"id":"ES-03.04.06E","name":"statement","prose":"Retain {{ insert: param, A.03.04.06E.ODP.01 }} previous versions of baseline configurations of the system to support rollback. "},{"id":"D-03.04.06E","name":"guidance","class":"discussion","prose":"Retaining previous versions of baseline configurations to support rollback includes configuration files for hardware, software, and firmware, configuration records, and associated documentation. 
This requirement enhances SP 800-171 requirement 03.04.01."},{"id":"AE-03.04.06E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.04.06E-2-effect","name":"item","class":"Preclude-AE-03.04.06E-2","parts":[{"id":"AE-03.04.06E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.04.06E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.04.06E-3-effect","name":"item","class":"Impede-AE-03.04.06E-3","parts":[{"id":"AE-03.04.06E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.04.06E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.04.06E-4-effect","name":"item","class":"Limit-AE-03.04.06E-4","parts":[{"id":"AE-03.04.06E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.04.06E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business 
impacts."}]},{"id":"DS-A.03.04.06E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.06E"}],"prose":" {{ insert: param, A.03.04.06E.ODP.01 }} previous versions of baseline configurations of the system are retained to support rollback. "},{"id":"E-03.04.06E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.04.06E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with configuration management responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.04.06E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for managing baseline configurations"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.04.06E"},{"name":"label","value":"03.04.06E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Retention of Previous Configurations","params":[{"id":"A.03.04.06E.ODP.01","label":"number","props":[{"name":"label","value":"A.03.04.06E.ODP[01]"}],"usage":"organization-defined number","guidelines":[{"prose":"the number of previous baseline configuration 
versions to be retained is defined."}]}]},{"id":"SP_800_172_3_0_0_03.04.07E","class":"security_requirement","links":[{"rel":"external_reference","href":"#d3537fba-0209-4c9f-848f-26e0fa322534"}],"parts":[{"id":"ES-03.04.07E","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"D-03.04.07E","name":"guidance","class":"discussion","prose":"Changes to systems include modifications to hardware, software, or firmware components and defined configuration settings. Organizations ensure that testing does not interfere with system operations that support organizational missions and business functions. Individuals or groups that conduct the tests understand the system security policies and procedures associated with the specific facilities or processes. Operational systems may need to be taken offline or replicated to the extent feasible before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating protection measures. 
This requirement enhances SP 800-171 requirement 03.04.03."},{"id":"AE-03.04.07E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.04.07E-2-effect","name":"item","class":"Preclude-AE-03.04.07E-2","parts":[{"id":"AE-03.04.07E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.04.07E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.04.07E-3-effect","name":"item","class":"Impede-AE-03.04.07E-3","parts":[{"id":"AE-03.04.07E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.04.07E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.04.07E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.07E"}],"prose":"changes to the system are tested before finalizing the implementation of the changes."},{"id":"DS-A.03.04.07E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.07E"}],"prose":"changes to the system are validated before finalizing the implementation of the changes."},{"id":"DS-A.03.04.07E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.07E"}],"prose":"changes to the system are documented before finalizing the implementation of the 
changes."},{"id":"E-03.04.07E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem architecture and configuration documentation\n\nsystem design documentation\n\ntest records\n\nsystem configuration settings and associated documentation\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.04.07E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with configuration change control responsibilities\n\npersonnel with information security responsibilities\n\nmembers of change control board or similar\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.04.07E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for configuration change control\n\nmechanisms supporting and/or implementing the testing, validation, and documentation of system changes"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.04.07E"},{"name":"label","value":"03.04.07E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Testing, Validation, and Documentation of Changes"},{"id":"SP_800_172_3_0_0_03.04.08E","class":"security_requirement","links":[{"rel":"external_reference","href":"#5f03da20-db03-4b94-ab6d-3f8658650949"}],"parts":[{"id":"ES-03.04.08E","name":"statement","prose":"Provide a centralized repository for the inventory of system 
components."},{"id":"D-03.04.08E","name":"guidance","class":"discussion","prose":"Organizations may implement centralized system component inventories that include components from all organizational systems. Centralized repositories of component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories can help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. This requirement enhances SP 800-171 requirement 03.04.10."},{"id":"AE-03.04.08E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.04.08E-2-effect","name":"item","class":"Preclude-AE-03.04.08E-2","parts":[{"id":"AE-03.04.08E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.04.08E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.04.08E-3-effect","name":"item","class":"Impede-AE-03.04.08E-3","parts":[{"id":"AE-03.04.08E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.04.08E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or 
consequences."}]},{"id":"DS-A.03.04.08E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.04.08E"}],"prose":"a centralized repository for the inventory of system components is provided."},{"id":"E-03.04.08E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.04.08E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.04.08E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and/or implementing system component inventory"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.04.08E"},{"name":"label","value":"03.04.08E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Centralized Repository"}]},{"id":"SP_800_172_3_0_0_3.5","class":"family","props":[{"name":"sort-id","value":"03.05"},{"name":"label","value":"Identification and Authentication (3.5)"}],"title":"Identification and 
Authentication","controls":[{"id":"SP_800_172_3_0_0_03.05.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#a6207520-295d-4c60-9450-949356317cac"}],"parts":[{"id":"ES-03.05.01E","name":"statement","prose":"Authenticate {{ insert: param, A.03.05.01E.ODP.01 }} before establishing a system connection using bidirectional authentication that is cryptographically based. "},{"id":"D-03.05.01E","name":"guidance","class":"discussion","prose":"Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk. This requirement enhances SP 800-171 requirement 03.05.02."},{"id":"AE-03.05.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.05.01E-2-effect","name":"item","class":"Preclude-AE-03.05.01E-2","parts":[{"id":"AE-03.05.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.05.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt and negate)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.05.01E-3-effect","name":"item","class":"Impede-AE-03.05.01E-3","parts":[{"id":"AE-03.05.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.05.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or 
consequences."},{"id":"AE-03.05.01E-4-effect","name":"item","class":"Expose-AE-03.05.01E-4","parts":[{"id":"AE-03.05.01E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.05.01E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.05.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.01E"}],"prose":" {{ insert: param, A.03.05.01E.ODP.01 }} are authenticated before establishing a system connection using bidirectional authentication that is cryptographically based. "},{"id":"E-03.05.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nconfiguration settings and associated documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.05.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with operational responsibilities for device identification and authentication\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.05.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting 
and/or implementing device authentication capabilities\n\ncryptographically based bidirectional authentication mechanisms"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.05.01E"},{"name":"label","value":"03.05.01E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Cryptographic Bidirectional Authentication","params":[{"id":"A.03.05.01E.ODP.01","label":"devices and/or types of devices","props":[{"name":"label","value":"A.03.05.01E.ODP[01]"}],"usage":"organization-defined devices and/or types of devices","guidelines":[{"prose":"devices and/or types of devices requiring the use of cryptographically based bidirectional authentication to authenticate before establishing a system connection are defined."}]}]},{"id":"SP_800_172_3_0_0_03.05.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#3ff9cd9a-11cc-44f1-b3dc-8a8f7830f3b0"}],"parts":[{"id":"ES-03.05.02E","name":"statement","parts":[{"id":"ES-03.05.02E-a","name":"item","props":[{"name":"label","value":"ES-03.05.02E-a"}],"prose":"Employ {{ insert: param, A.03.05.02E.ODP.01 }} to generate and manage passwords. "},{"id":"ES-03.05.02E-b","name":"item","props":[{"name":"label","value":"ES-03.05.02E-b"}],"prose":"Protect the passwords using {{ insert: param, A.03.05.02E.ODP.02 }}. "}]},{"id":"D-03.05.02E","name":"guidance","class":"discussion","prose":"A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the passwords require strong protection, including encrypting the passwords. 
This requirement enhances SP 800-171 requirement 03.05.07."},{"id":"AE-03.05.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.05.02E-2-effect","name":"item","class":"Preclude-AE-03.05.02E-2","parts":[{"id":"AE-03.05.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.05.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.05.02E-3-effect","name":"item","class":"Impede-AE-03.05.02E-3","parts":[{"id":"AE-03.05.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.05.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes delay and exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.05.02E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.02E-a"}],"prose":" {{ insert: param, A.03.05.02E.ODP.01 }} are employed to generate and manage passwords. "},{"id":"DS-A.03.05.02E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.02E-b"}],"prose":"passwords are protected using {{ insert: param, A.03.05.02E.ODP.02 }}. 
"},{"id":"E-03.05.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.05.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with identification and authentication management responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.05.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing account management capabilities\n\nmechanisms supporting and/or implementing identification and authentication management capabilities for the system"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.05.02E"},{"name":"label","value":"03.05.02E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Password Managers","params":[{"id":"A.03.05.02E.ODP.01","label":"password managers","props":[{"name":"label","value":"A.03.05.02E.ODP[01]"}],"usage":"organization-defined password managers","guidelines":[{"prose":"password managers employed for generating and managing passwords are defined."}]},{"id":"A.03.05.02E.ODP.02","label":"safeguards","props":[{"name":"label","value":"A.03.05.02E.ODP[02]"}],"usage":"organization-defined 
controls","guidelines":[{"prose":"safeguards for protecting passwords are defined."}]}]},{"id":"SP_800_172_3_0_0_03.05.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#7f33ea69-e0a7-4ffd-a405-559bfce23674"}],"parts":[{"id":"ES-03.05.03E","name":"statement","prose":"Handle device identification and authentication based on attestation by {{ insert: param, A.03.05.03E.ODP.01 }}. "},{"id":"D-03.05.03E","name":"guidance","class":"discussion","prose":"Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. Device attestation can be determined via a cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt identification and authentication to other devices. This requirement enhances SP 800-171 requirement 03.05.02."},{"id":"AE-03.05.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.05.03E-2-effect","name":"item","class":"Preclude-AE-03.05.03E-2","parts":[{"id":"AE-03.05.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.05.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.05.03E-3-effect","name":"item","class":"Impede-AE-03.05.03E-3","parts":[{"id":"AE-03.05.03E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of 
impact."},{"id":"AE-03.05.03E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.05.03E-4-effect","name":"item","class":"Expose-AE-03.05.03E-4","parts":[{"id":"AE-03.05.03E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.05.03E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.05.03E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.03E"}],"prose":"device identification and authentication are handled based on attestation by {{ insert: param, A.03.05.03E.ODP.01 }}. 
"},{"id":"E-03.05.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nprocedures addressing device configuration management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nconfiguration management records\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.05.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with operational responsibilities for device identification and authentication\n\npersonnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.05.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing device identification and authentication capabilities\n\nmechanisms supporting and/or implementing configuration management\n\ncryptographic mechanisms supporting device attestation"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.05.03E"},{"name":"label","value":"03.05.03E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Device Attestation","params":[{"id":"A.03.05.03E.ODP.01","props":[{"name":"label","value":"A.03.05.03E.ODP[01]"}],"usage":"organization-defined configuration management process","guidelines":[{"prose":"the configuration management process to be implemented to handle device identification and authentication based on attestation is 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.05.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#d7037019-eefb-4537-b789-aaa4446d72a2"}],"parts":[{"id":"ES-03.05.04E","name":"statement","prose":"Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage."},{"id":"D-03.05.04E","name":"guidance","class":"discussion","prose":"In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are encrypted or unencrypted. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators. This requirement enhances SP 800-171 requirement 03.05.07."},{"id":"AE-03.05.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.05.04E-2-effect","name":"item","class":"Preclude-AE-03.05.04E-2","parts":[{"id":"AE-03.05.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.05.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.05.04E-3-effect","name":"item","class":"Impede-AE-03.05.04E-3","parts":[{"id":"AE-03.05.04E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.05.04E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes 
exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.05.04E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.04E"}],"prose":"unencrypted static authenticators are not embedded in applications or other forms of static storage."},{"id":"E-03.05.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.05.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with authenticator management responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.05.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing authenticator management capabilities\n\nmechanisms implementing authentication in applications"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.05.04E"},{"name":"label","value":"03.05.04E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"No Embedded Unencrypted Static 
Authenticators"},{"id":"SP_800_172_3_0_0_03.05.05E","class":"security_requirement","links":[{"rel":"external_reference","href":"#625e2402-ce8d-48d6-b4a9-00bd50b980e3"}],"parts":[{"id":"ES-03.05.05E","name":"statement","prose":"Prohibit the use of cached authenticators after {{ insert: param, A.03.05.05E.ODP.01 }}. "},{"id":"D-03.05.05E","name":"guidance","class":"discussion","prose":"Cached authenticators are used to authenticate to a local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable. This requirement enhances SP 800-171 requirement 03.05.07."},{"id":"AE-03.05.05E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.05.05E-2-effect","name":"item","class":"Preclude-AE-03.05.05E-2","parts":[{"id":"AE-03.05.05E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.05.05E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.05.05E-3-effect","name":"item","class":"Impede-AE-03.05.05E-3","parts":[{"id":"AE-03.05.05E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.05.05E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or 
consequences."}]},{"id":"DS-A.03.05.05E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.05E"}],"prose":"the use of cached authenticators is prohibited after {{ insert: param, A.03.05.05E.ODP.01 }}. "},{"id":"E-03.05.05E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.05.05E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with authenticator management responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.05.05E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing authenticator management capabilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.05.05E"},{"name":"label","value":"03.05.05E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Expiration of Cached Authenticators","params":[{"id":"A.03.05.05E.ODP.01","label":"time period","props":[{"name":"label","value":"A.03.05.05E.ODP[01]"}],"usage":"organization-defined time period","guidelines":[{"prose":"the time period after which the use of cached authenticators is prohibited is 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.05.06E","class":"security_requirement","links":[{"rel":"external_reference","href":"#3d24f5c5-be95-4586-8420-5498354b2df7"}],"parts":[{"id":"ES-03.05.06E","name":"statement","parts":[{"id":"ES-03.05.06E-a","name":"item","props":[{"name":"label","value":"ES-03.05.06E-a"}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines."},{"id":"ES-03.05.06E-b","name":"item","props":[{"name":"label","value":"ES-03.05.06E-b"}],"prose":"Resolve user identities to a unique individual."},{"id":"ES-03.05.06E-c","name":"item","props":[{"name":"label","value":"ES-03.05.06E-c"}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"D-03.05.06E","name":"guidance","class":"discussion","prose":"Identity proofing is the process of collecting, validating, and verifying user identity information to establish credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Resolving user identities ensures each user identity belongs to a unique individual. Organizations may be subject to laws, Executive Orders, directives, regulations, or policies that address the collection of identity evidence. An example of an applicable guideline that covers identity proofing is SP 800-63 [ADD REFERENCE]. 
This requirement is sourced to a control tailored out of the SP 800-53B [13] moderate baseline in SP 800-171."},{"id":"AE-03.05.06E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.05.06E-2-effect","name":"item","class":"Preclude-AE-03.05.06E-2","parts":[{"id":"AE-03.05.06E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.05.06E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.05.06E-3-effect","name":"item","class":"Impede-AE-03.05.06E-3","parts":[{"id":"AE-03.05.06E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.05.06E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.05.06E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.06E-a"}],"prose":"users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity-proofed."},{"id":"DS-A.03.05.06E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.06E-b"}],"prose":"user identities are resolved to a unique 
individual."},{"id":"DS-A.03.05.06E.c.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.06E-c"}],"prose":"identity evidence is collected."},{"id":"DS-A.03.05.06E.c.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.06E-c"}],"prose":"identity evidence is validated."},{"id":"DS-A.03.05.06E.c.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.06E-c"}],"prose":"identity evidence is verified."},{"id":"E-03.05.06E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.05.06E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system operations responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers\n\npersonnel with identification and authentication responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.05.06E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing identification and authentication capabilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.05.06E"},{"name":"label","value":"03.05.06E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Identity 
Proofing"},{"id":"SP_800_172_3_0_0_03.05.07E","class":"security_requirement","links":[{"rel":"external_reference","href":"#99879d5e-31a2-431b-938d-1363b026de07"}],"parts":[{"id":"ES-03.05.07E","name":"statement","prose":"Employ identity providers and authorization servers to manage user, device, and non-person entity identities, attributes, and access rights that support authentication and authorization decisions in accordance with {{ insert: param, A.03.05.07E.ODP.01 }} using {{ insert: param, A.03.05.07E.ODP.02 }}. "},{"id":"D-03.05.07E","name":"guidance","class":"discussion","prose":"Identity providers (both internal and external to the organization) manage user, device, and non-person entity authenticators and issue statements (often called identity assertions) that attest to the identities of other systems or system components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to organizational systems or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.05.07E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.05.07E-2-effect","name":"item","class":"Preclude-AE-03.05.07E-2","parts":[{"id":"AE-03.05.07E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.05.07E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.05.07E-3-effect","name":"item","class":"Impede-AE-03.05.07E-3","parts":[{"id":"AE-03.05.07E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.05.07E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.05.07E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.07E"}],"prose":"identity providers are employed to manage user, device, and non-person entity identities, attributes, and access rights supporting authentication decisions in accordance with {{ insert: param, A.03.05.07E.ODP.01 }} using {{ insert: param, A.03.05.07E.ODP.02 }}. 
"},{"id":"DS-A.03.05.07E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.07E"}],"prose":"identity providers are employed to manage user, device, and non-person entity identities, attributes, and access rights supporting authorization decisions in accordance with {{ insert: param, A.03.05.07E.ODP.01 }} using {{ insert: param, A.03.05.07E.ODP.02 }}. "},{"id":"DS-A.03.05.07E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.05.07E"}],"prose":"authorization servers are employed to manage user, device, and non-person entity identities, attributes, and access rights supporting authentication decisions in accordance with {{ insert: param, A.03.05.07E.ODP.01 }} using {{ insert: param, A.03.05.07E.ODP.02 }}. "},{"id":"E-03.05.07E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.05.07E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.05.07E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing identification and authentication capabilities and access 
rights"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.05.07E"},{"name":"label","value":"03.05.07E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Identity Providers and Authorization Servers","params":[{"id":"A.03.05.07E.ODP.01","label":"policy","props":[{"name":"label","value":"A.03.05.07E.ODP[01]"}],"usage":"organization-defined identification and authentication policy","guidelines":[{"prose":"an identification and authentication policy is defined."}]},{"id":"A.03.05.07E.ODP.02","label":"mechanisms","props":[{"name":"label","value":"A.03.05.07E.ODP[02]"}],"usage":"organization-defined mechanisms","guidelines":[{"prose":"mechanisms supporting authentication and authorization decisions are defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.6","class":"family","props":[{"name":"sort-id","value":"03.06"},{"name":"label","value":"Incident Response (3.6)"}],"title":"Incident Response","controls":[{"id":"SP_800_172_3_0_0_03.06.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#edfd3867-107d-49ae-b7bd-55a10093e944"}],"parts":[{"id":"ES-03.06.01E","name":"statement","prose":"Establish and maintain a security operations center."},{"id":"D-03.06.01E","name":"guidance","class":"discussion","prose":"A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to security incidents in a timely manner. 
The SOC is staffed with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements a combination of technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security-relevant event data from multiple sources. These sources include perimeter defenses, network devices (e.g., routers, switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC, while smaller organizations may employ third-party organizations to provide this capability. This requirement enhances SP 800-171 requirement 03.06.01."},{"id":"AE-03.06.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.06.01E-2-effect","name":"item","class":"Limit-AE-03.06.01E-2","parts":[{"id":"AE-03.06.01E-2-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.06.01E-2-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."},{"id":"AE-03.06.01E-3-effect","name":"item","class":"Expose-AE-03.06.01E-3","parts":[{"id":"AE-03.06.01E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of 
impact."},{"id":"AE-03.06.01E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and reveal)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.06.01E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.01E"}],"prose":"a security operations center is established."},{"id":"DS-A.03.06.01E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.01E"}],"prose":"a security operations center is maintained."},{"id":"E-03.06.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nprocedures addressing the security operations center operations\n\nmechanisms supporting dynamic response capabilities\n\nsystem security plan\n\ncontingency plan\n\nincident response plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.06.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with incident handling responsibilities\n\npersonnel with information security responsibilities\n\nsecurity operations center personnel\n\npersonnel with contingency planning responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.06.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms that support and/or implement the security operations center capability\n\nmechanisms that support and/or implement the incident handling 
process"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.06.01E"},{"name":"label","value":"03.06.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Security Operations Center"},{"id":"SP_800_172_3_0_0_03.06.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#6549e81c-17b2-4153-8e2a-90b49cc149f5"}],"parts":[{"id":"ES-03.06.02E","name":"statement","prose":"Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, A.03.06.02E.ODP.01 }}. "},{"id":"D-03.06.02E","name":"guidance","class":"discussion","prose":"An integrated incident response team is a group of individuals who assess, document, and respond to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. An integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. 
Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient. For some organizations, the incident response team can be a cross-organizational entity. This requirement enhances SP 800-171 requirement 03.06.01."},{"id":"AE-03.06.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.06.02E-2-effect","name":"item","class":"Preclude-AE-03.06.02E-2","parts":[{"id":"AE-03.06.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.06.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes expunge)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.06.02E-3-effect","name":"item","class":"Impede-AE-03.06.02E-3","parts":[{"id":"AE-03.06.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.06.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain and exert)\n\nMake it more difficult for threat events to cause adverse impacts or 
consequences."},{"id":"AE-03.06.02E-4-effect","name":"item","class":"Limit-AE-03.06.02E-4","parts":[{"id":"AE-03.06.02E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.06.02E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."},{"id":"AE-03.06.02E-5-effect","name":"item","class":"Expose-AE-03.06.02E-5","parts":[{"id":"AE-03.06.02E-5-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.06.02E-5-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes scrutinize)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.06.02E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.02E"}],"prose":"an integrated incident response team is established."},{"id":"DS-A.03.06.02E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.02E"}],"prose":"an integrated incident response team is maintained."},{"id":"DS-A.03.06.02E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.02E"}],"prose":"the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, A.03.06.02E.ODP.01 }}. 
"},{"id":"E-03.06.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.06.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with incident handling responsibilities\n\npersonnel with information security responsibilities\n\nmembers of the integrated incident response team"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]}],"props":[{"name":"sort-id","value":"03.06.02E"},{"name":"label","value":"03.06.02E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Integrated Incident Response Team","params":[{"id":"A.03.06.02E.ODP.01","label":"time period","props":[{"name":"label","value":"A.03.06.02E.ODP[01]"}],"usage":"organization-defined time period","guidelines":[{"prose":"the time period within which an integrated incident response team can be deployed is defined."}]}]},{"id":"SP_800_172_3_0_0_03.06.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#f180ad71-6c1c-4756-bb93-b80767a52f98"}],"parts":[{"id":"ES-03.06.03E","name":"statement","prose":"Analyze anomalous or suspected adversarial behavior in or related to {{ insert: param, A.03.06.03E.ODP.01 }}. "},{"id":"D-03.06.03E","name":"guidance","class":"discussion","prose":"If the organization maintains a deception environment, an analysis of behaviors in that environment, including resources targeted by the adversary and the timing of the incident or event, can provide significant insights into adversarial tactics, techniques, and procedures. 
External to a deception environment, the analysis of anomalous behavior (e.g., changes in system performance or usage patterns) or suspected adversarial behavior (e.g., changes in searches for the location of specific resources) can give the organization such insight. This requirement enhances SP 800-171 requirement 03.06.01."},{"id":"AE-03.06.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.06.03E-2-effect","name":"item","class":"Expose-AE-03.06.03E-2","parts":[{"id":"AE-03.06.03E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.06.03E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and reveal)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.06.03E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.03E"}],"prose":"anomalous or suspected adversarial behavior in or related to {{ insert: param, A.03.06.03E.ODP.01 }} is analyzed. 
"},{"id":"E-03.06.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing system monitoring tools and techniques\n\nincident response plan\n\nsystem monitoring logs or records\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nsystem component inventory\n\nnetwork diagram\n\nsystem protocols documentation\n\nlist of acceptable thresholds for false positives and false negatives\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.06.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.06.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for detecting anomalous behavior"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.06.03E"},{"name":"label","value":"03.06.03E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Behavior Analysis","params":[{"id":"A.03.06.03E.ODP.01","label":"environments or resources","props":[{"name":"label","value":"A.03.06.03E.ODP[01]"}],"usage":"organization-defined environments or resources","guidelines":[{"prose":"environments or resources that may contain or be related to anomalous or suspected adversarial behavior are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.06.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#93b92a8b-bca2-44dd-a915-e4d7735c3e75"}],"parts":[{"id":"ES-03.06.04E","name":"statement","prose":"Track incidents and collect and analyze incident information using {{ insert: param, A.03.06.04E_prm_1 }}. "},{"id":"D-03.06.04E","name":"guidance","class":"discussion","prose":"Automated mechanisms for tracking incidents and collecting and analyzing incident information include electronic databases of incidents and network monitoring devices. This requirement enhances SP 800-171 requirement 03.06.02."},{"id":"AE-03.06.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.06.04E-2-effect","name":"item","class":"Expose-AE-03.06.04E-2","parts":[{"id":"AE-03.06.04E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.06.04E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and reveal)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.06.04E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.04E"}],"prose":"incidents are tracked using {{ insert: param, A.03.06.04E.ODP.01 }}. "},{"id":"DS-A.03.06.04E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.04E"}],"prose":"incident information is collected using {{ insert: param, A.03.06.04E.ODP.02 }}. "},{"id":"DS-A.03.06.04E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.06.04E"}],"prose":"incident information is analyzed using {{ insert: param, A.03.06.04E.ODP.03 }}. 
"},{"id":"E-03.06.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.06.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with incident monitoring responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.06.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and/or implementing the tracking and documenting of system security incidents"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.06.04E"},{"name":"label","value":"03.06.04E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Automated Tracking, Data Collection, and Analysis for Incident Monitoring","params":[{"id":"A.03.06.04E_prm_1","label":"organization-defined automated mechanisms","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.06.04E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.06.04E.ODP[02]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.06.04E.ODP[03]"}]},{"id":"A.03.06.04E.ODP.01","label":"automated mechanisms","props":[{"name":"label","value":"A.03.06.04E.ODP[01]"}],"usage":"organization-defined automated 
mechanisms","guidelines":[{"prose":"automated mechanisms used to track incidents are defined."}]},{"id":"A.03.06.04E.ODP.02","label":"automated mechanisms","props":[{"name":"label","value":"A.03.06.04E.ODP[02]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms used to collect incident information are defined."}]},{"id":"A.03.06.04E.ODP.03","label":"automated mechanisms","props":[{"name":"label","value":"A.03.06.04E.ODP[03]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms used to analyze incident information are defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.7","class":"family","props":[{"name":"sort-id","value":"03.07"},{"name":"label","value":"Maintenance (3.7)"}],"title":"Maintenance","controls":[{"id":"SP_800_172_3_0_0_03.07.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#19a24db1-344e-4041-9542-161d48af64f4"}],"parts":[{"id":"ES-03.07.01E","name":"statement","prose":"Inspect maintenance tools to ensure the latest software updates and patches are installed."},{"id":"D-03.07.01E","name":"guidance","class":"discussion","prose":"Maintenance tools using outdated and/or unpatched software can provide a threat vector for adversaries and result in a significant vulnerability for organizations. 
This requirement enhances SP 800-171 requirement 03.07.04."},{"id":"AE-03.07.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.07.01E-2-effect","name":"item","class":"Preclude-AE-03.07.01E-2","parts":[{"id":"AE-03.07.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.07.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.07.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.07.01E"}],"prose":"maintenance tools are inspected to ensure that the latest software updates and patches are installed."},{"id":"E-03.07.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.07.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system maintenance responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.07.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for inspecting maintenance tools\n\nprocesses for maintenance tool updates\n\nmechanisms supporting 
and/or implementing the inspection of maintenance tools\n\nmechanisms supporting and/or implementing maintenance tool updates"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.07.01E"},{"name":"label","value":"03.07.01E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Software Updates and Patches for Maintenance Tools"}]},{"id":"SP_800_172_3_0_0_3.8","class":"family","props":[{"name":"sort-id","value":"03.08"},{"name":"label","value":"Media Protection (3.8)"}],"title":"Media Protection","controls":[{"id":"SP_800_172_3_0_0_03.08.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#e1fde113-1bf1-4822-a218-d81be0b790be"}],"parts":[{"id":"ES-03.08.01E","name":"statement","prose":"Enforce dual authorization for the sanitization of {{ insert: param, A.03.08.01E.ODP.01 }}. "},{"id":"D-03.08.01E","name":"guidance","class":"discussion","prose":"Dual authorization is also known as two-person control. Dual authorization reduces risk related to insider threats, including adversaries who have obtained credentials. Organizations employ dual authorization to help ensure that the sanitization of system media cannot occur unless two technically qualified individuals conduct the designated task. Individuals who sanitize system media possess sufficient skills and expertise to determine whether the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended to protect against errors and false claims of having performed the sanitization actions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. 
Organizations consider the risks associated with implementing dual authorization when immediate responses are necessary to help ensure public and environmental safety. This requirement enhances SP 800-171 requirement 03.08.03."},{"id":"AE-03.08.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.08.01E-2-effect","name":"item","class":"Preclude-AE-03.08.01E-2","parts":[{"id":"AE-03.08.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.08.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.08.01E-3-effect","name":"item","class":"Impede-AE-03.08.01E-3","parts":[{"id":"AE-03.08.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.08.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.08.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.08.01E"}],"prose":"dual authorization for the sanitization of {{ insert: param, A.03.08.01E.ODP.01 }} is enforced. 
"},{"id":"E-03.08.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ndual authorization policy and procedures\n\nlist of system media requiring dual authorization for sanitization\n\nauthorization records\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.08.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system media sanitization responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.08.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes requiring dual authorization for media sanitization\n\nmechanisms supporting and/or implementing media sanitization\n\nmechanisms supporting and/or implementing dual authorization"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.08.01E"},{"name":"label","value":"03.08.01E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Dual Authorization for Media Sanitization","params":[{"id":"A.03.08.01E.ODP.01","label":"system media","props":[{"name":"label","value":"A.03.08.01E.ODP[01]"}],"usage":"organization-defined system media containing CUI","guidelines":[{"prose":"system media to be sanitized using dual authorization is 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.08.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#a6892981-eb36-48a1-8a1b-3ee95e9afe59"}],"parts":[{"id":"ES-03.08.02E","name":"statement","prose":"Enforce dual authorization for the deletion or destruction of {{ insert: param, A.03.08.02E.ODP.01 }}. "},{"id":"D-03.08.02E","name":"guidance","class":"discussion","prose":"Dual authorization is also known as two-person control. Dual authorization reduces risk related to insider threats, including adversaries who have obtained credentials. Dual authorization ensures that the deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals who delete or destroy backup information possess the knowledge, skills, or expertise to determine whether the proposed deletion or destruction of such information reflects organizational policies and procedures. To reduce the risk of collusion, organizations often rotate dual authorization duties among various individuals. Organizations also consider the risk associated with implementing dual authorization when immediate responses are necessary to ensure public and environmental safety. 
This requirement enhances SP 800-171 requirement 03.08.09."},{"id":"AE-03.08.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.08.02E-2-effect","name":"item","class":"Preclude-AE-03.08.02E-2","parts":[{"id":"AE-03.08.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.08.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.08.02E-3-effect","name":"item","class":"Impede-AE-03.08.02E-3","parts":[{"id":"AE-03.08.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.08.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.08.02E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.08.02E"}],"prose":"dual authorization for the deletion or destruction of {{ insert: param, A.03.08.02E.ODP.01 }} is enforced. 
"},{"id":"E-03.08.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of dual authorization credentials or rules\n\nlogs or records of the deletion or destruction of backup information\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.08.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system backup responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.08.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing dual authorization\n\nmechanisms supporting and/or implementing the deletion and/or destruction of backup information"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.08.02E"},{"name":"label","value":"03.08.02E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Dual Authorization for System Backup Deletion and Destruction","params":[{"id":"A.03.08.02E.ODP.01","label":"system backup information","props":[{"name":"label","value":"A.03.08.02E.ODP[01]"}],"usage":"organization-defined system backup information","guidelines":[{"prose":"backup information for which to enforce dual authorization in order to delete or destroy is 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.08.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#ca993761-8fd9-47e8-931a-8d83ba6b3080"}],"parts":[{"id":"ES-03.08.03E","name":"statement","prose":"Test backup information {{ insert: param, A.03.08.03E_prm_1 }} to verify media reliability and information integrity. "},{"id":"D-03.08.03E","name":"guidance","class":"discussion","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components in which the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of these aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance. 
This requirement enhances SP 800-171 requirement 03.08.09."},{"id":"AE-03.08.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.08.03E-2-effect","name":"item","class":"Preclude-AE-03.08.03E-2","parts":[{"id":"AE-03.08.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.08.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.08.03E-3-effect","name":"item","class":"Impede-AE-03.08.03E-3","parts":[{"id":"AE-03.08.03E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.08.03E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.08.03E-4-effect","name":"item","class":"Limit-AE-03.08.03E-4","parts":[{"id":"AE-03.08.03E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.08.03E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business 
impacts."}]},{"id":"DS-A.03.08.03E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.08.03E"}],"prose":"backup information is tested {{ insert: param, A.03.08.03E.ODP.01 }} to verify media reliability. "},{"id":"DS-A.03.08.03E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.08.03E"}],"prose":"backup information is tested {{ insert: param, A.03.08.03E.ODP.02 }} to verify information integrity. "},{"id":"E-03.08.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.08.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system backup responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.08.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for conducting system backups\n\nmechanisms supporting and/or implementing system backups"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.08.03E"},{"name":"label","value":"03.08.03E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Testing System Backups for Reliability and Integrity","params":[{"id":"A.03.08.03E_prm_1","label":"organization-defined 
frequency","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.08.03E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.08.03E.ODP[02]"}]},{"id":"A.03.08.03E.ODP.01","label":"frequency","props":[{"name":"label","value":"A.03.08.03E.ODP[01]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to test backup information for media reliability is defined."}]},{"id":"A.03.08.03E.ODP.02","label":"frequency","props":[{"name":"label","value":"A.03.08.03E.ODP[02]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to test backup information for information integrity is defined."}]}]},{"id":"SP_800_172_3_0_0_03.08.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#83ab460d-592c-41d8-99d1-9a20351c55d4"}],"parts":[{"id":"ES-03.08.04E","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, A.03.08.04E_prm_1 }} after a disruption, compromise, or failure. "},{"id":"D-03.08.04E","name":"guidance","class":"discussion","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution occurs following recovery operations and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, the reestablishment of continuous monitoring activities, and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. 
Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.08.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.08.04E-2-effect","name":"item","class":"Limit-AE-03.08.04E-2","parts":[{"id":"AE-03.08.04E-2-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.08.04E-2-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.08.04E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.08.04E"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, A.03.08.04E.ODP.01 }} after a disruption, compromise, or failure. "},{"id":"DS-A.03.08.04E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.08.04E"}],"prose":"the reconstitution of the system to a known state is provided within {{ insert: param, A.03.08.04E.ODP.02 }} after a disruption, compromise, or failure. 
"},{"id":"E-03.08.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocations of redundant secondary backup systems\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.08.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.08.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and/or implementing system recovery and reconstitution operations"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.08.04E"},{"name":"label","value":"03.08.04E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"}],"title":"System Recovery and Reconstitution","params":[{"id":"A.03.08.04E_prm_1","label":"organization-defined time period consistent with recovery time and recovery point objectives","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.08.04E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.08.04E.ODP[02]"}]},{"id":"A.03.08.04E.ODP.01","label":"time 
period","props":[{"name":"label","value":"A.03.08.04E.ODP[01]"}],"usage":"organization-defined time period consistent with recovery time and recovery point objectives","guidelines":[{"prose":"a time period consistent with recovery time and recovery point objectives for the recovery of the system is determined."}]},{"id":"A.03.08.04E.ODP.02","label":"time period","props":[{"name":"label","value":"A.03.08.04E.ODP[02]"}],"usage":"organization-defined time period consistent with recovery time and recovery point objectives","guidelines":[{"prose":"a time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined."}]}]}]},{"id":"SP_800_172_3_0_0_3.9","class":"family","props":[{"name":"sort-id","value":"03.09"},{"name":"label","value":"Personnel Security (3.9)"}],"title":"Personnel Security","controls":[{"id":"SP_800_172_3_0_0_03.09.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.09.01"}],"props":[{"name":"sort-id","value":"03.09.01E"},{"name":"label","value":"03.09.01E"},{"name":"status","value":"withdrawn"}],"title":"03.09.01E"},{"id":"SP_800_172_3_0_0_03.09.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.01.01"},{"rel":"external_reference","href":"03.09.01"}],"props":[{"name":"sort-id","value":"03.09.02E"},{"name":"label","value":"03.09.02E"},{"name":"status","value":"withdrawn"}],"title":"03.09.02E"},{"id":"SP_800_172_3_0_0_03.09.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#34863225-1727-4394-9f3c-d2a61148ccc6"}],"parts":[{"id":"ES-03.09.03E","name":"statement","parts":[{"id":"ES-03.09.03E-a","name":"item","props":[{"name":"label","value":"ES-03.09.03E-a"}],"prose":"Develop and document access agreements for systems processing, storing, or transmitting 
CUI."},{"id":"ES-03.09.03E-b","name":"item","props":[{"name":"label","value":"ES-03.09.03E-b"}],"prose":"Review and update the access agreements {{ insert: param, A.03.09.03E_prm_1 }}. "},{"id":"ES-03.09.03E-c","name":"item","parts":[{"id":"ES-03.09.03E-c-1","name":"item","props":[{"name":"label","value":"ES-03.09.03E-c-1"}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ES-03.09.03E-c-2","name":"item","props":[{"name":"label","value":"ES-03.09.03E-c-2"}],"prose":"Re-sign access agreements to maintain access to systems when access agreements have been updated or {{ insert: param, A.03.09.03E_prm_1 }}. "}],"props":[{"name":"label","value":"ES-03.09.03E-c"}],"prose":"Verify that individuals requiring access to CUI and systems processing, storing, or transmitting CUI:"}]},{"id":"D-03.09.03E","name":"guidance","class":"discussion","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with systems processing, storing, or transmitting CUI to which they have authorized access. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.09.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.09.03E-2-effect","name":"item","class":"Preclude-AE-03.09.03E-2","parts":[{"id":"AE-03.09.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.09.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.09.03E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.09.03E-a"}],"prose":"access agreements are developed and documented for systems processing, storing, or transmitting CUI."},{"id":"DS-A.03.09.03E.b.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.09.03E-b"}],"prose":"access agreements are reviewed {{ insert: param, A.03.09.03E.ODP.01 }}. "},{"id":"DS-A.03.09.03E.b.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.09.03E-b"}],"prose":"access agreements are updated {{ insert: param, A.03.09.03E.ODP.01 }}. 
"},{"id":"DS-A.03.09.03E.c.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.09.03E-c-1"}],"prose":"individuals requiring access to CUI and systems processing, storing, or transmitting CUI sign appropriate access agreements prior to being granted access."},{"id":"DS-A.03.09.03E.c.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.09.03E-c-2"}],"prose":"individuals requiring access to CUI and systems processing, storing, or transmitting CUI re-sign access agreements to maintain access when access agreements have been updated or {{ insert: param, A.03.09.03E.ODP.02 }}. "},{"id":"E-03.09.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for systems processing, storing, or transmitting CUI\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.09.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with personnel security responsibilities\n\npersonnel who have signed and/or re-signed access agreements\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.09.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting reviewing, updating, and re-signing of access 
agreements"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.09.03E"},{"name":"label","value":"03.09.03E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Access Agreements","params":[{"id":"A.03.09.03E_prm_1","label":"organization-defined frequency","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.09.03E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.09.03E.ODP[02]"}]},{"id":"A.03.09.03E.ODP.01","label":"frequency","props":[{"name":"label","value":"A.03.09.03E.ODP[01]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined."}]},{"id":"A.03.09.03E.ODP.02","label":"frequency","props":[{"name":"label","value":"A.03.09.03E.ODP[02]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to systems processing, storing, or transmitting CUI is defined."}]}]},{"id":"SP_800_172_3_0_0_03.09.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#6266bc38-a0e8-450d-a231-843c87fb28ef"}],"parts":[{"id":"ES-03.09.04E","name":"statement","prose":"Verify that individuals accessing a system that processes, stores, or transmits CUI meet {{ insert: param, A.03.09.04E.ODP.01 }}. "},{"id":"D-03.09.04E","name":"guidance","class":"discussion","prose":"Organizations may determine that individuals who need access to CUI associated with a high value asset or critical program require U.S. citizenship status. 
This requirement enhances SP 800-171 requirement 03.09.01."},{"id":"AE-03.09.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.09.04E-2-effect","name":"item","class":"Preclude-AE-03.09.04E-2","parts":[{"id":"AE-03.09.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.09.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.09.04E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.09.04E"}],"prose":"individuals accessing a system processing, storing, or transmitting CUI meet {{ insert: param, A.03.09.04E.ODP.01 }}. "},{"id":"E-03.09.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.09.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with personnel security responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.09.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for ensuring valid access authorizations for accessing CUI and systems requiring citizenship\n\nprocesses for additional personnel 
screening"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.09.04E"},{"name":"label","value":"03.09.04E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Citizenship Requirements","params":[{"id":"A.03.09.04E.ODP.01","props":[{"name":"label","value":"A.03.09.04E.ODP[01]"}],"usage":"organization-defined citizenship requirements","guidelines":[{"prose":"Citizenship requirements to be met by individuals to access a system processing, storing, or transmitting CUI are defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.10","class":"family","props":[{"name":"sort-id","value":"03.10"},{"name":"label","value":"Physical Protection (3.10)"}],"title":"Physical Protection","controls":[{"id":"SP_800_172_3_0_0_03.10.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#27df5e44-bda8-4e2a-a39e-3521844585f8"}],"parts":[{"id":"ES-03.10.01E","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"D-03.10.01E","name":"guidance","class":"discussion","prose":"Physical intrusion alarms can be used to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and facility security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, including motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility. 
This requirement enhances SP 800-171 requirement 03.10.02."},{"id":"AE-03.10.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.10.01E-2-effect","name":"item","class":"Expose-AE-03.10.01E-2","parts":[{"id":"AE-03.10.01E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.10.01E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and reveal)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.10.01E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.10.01E"}],"prose":"physical access to the facility where the system resides is monitored using physical intrusion alarms."},{"id":"DS-A.03.10.01E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.10.01E"}],"prose":"physical access to the facility where the system resides is monitored using physical surveillance equipment."},{"id":"E-03.10.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access monitoring records\n\nphysical access log reviews\n\nphysical access logs or records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.10.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with physical access monitoring responsibilities\n\npersonnel with incident response responsibilities\n\npersonnel 
with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.10.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and/or implementing physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and/or implementing physical access monitoring"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.10.01E"},{"name":"label","value":"03.10.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Intrusion Alarms and Surveillance Equipment"},{"id":"SP_800_172_3_0_0_03.10.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#21977c72-de9e-4f80-8a66-8671a3bfd6d8"}],"parts":[{"id":"ES-03.10.02E","name":"statement","parts":[{"id":"ES-03.10.02E-a","name":"item","props":[{"name":"label","value":"ES-03.10.02E-a"}],"prose":"Authorize and control {{ insert: param, A.03.10.02E_prm_1 }} entering and exiting the facility. "},{"id":"ES-03.10.02E-b","name":"item","props":[{"name":"label","value":"ES-03.10.02E-b"}],"prose":"Maintain records of the system components."}]},{"id":"D-03.10.02E","name":"guidance","class":"discussion","prose":"Enforcing authorizations for the entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.10.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.10.02E-2-effect","name":"item","class":"Preclude-AE-03.10.02E-2","parts":[{"id":"AE-03.10.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.10.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.10.02E.a.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.10.02E-a"}],"prose":" {{ insert: param, A.03.10.02E.ODP.01 }} are authorized when entering the facility. "},{"id":"DS-A.03.10.02E.a.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.10.02E-a"}],"prose":" {{ insert: param, A.03.10.02E.ODP.01 }} are controlled when entering the facility. "},{"id":"DS-A.03.10.02E.a.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.10.02E-a"}],"prose":" {{ insert: param, A.03.10.02E.ODP.02 }} are authorized when exiting the facility. "},{"id":"DS-A.03.10.02E.a.04","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.10.02E-a"}],"prose":" {{ insert: param, A.03.10.02E.ODP.02 }} are controlled when exiting the facility. 
"},{"id":"DS-A.03.10.02E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.10.02E-b"}],"prose":"records of the system components entering and exiting the facility are maintained."},{"id":"E-03.10.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.10.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with responsibilities for controlling system components entering and exiting the facility\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.10.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and/or implementing, authorizing, monitoring, and controlling system components entering and exiting the facility"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.10.02E"},{"name":"label","value":"03.10.02E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Delivery and Removal of System Components","params":[{"id":"A.03.10.02E_prm_1","label":"organization-defined types of system 
components","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.10.02E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.10.02E.ODP[02]"}]},{"id":"A.03.10.02E.ODP.01","label":"types of system components","props":[{"name":"label","value":"A.03.10.02E.ODP[01]"}],"usage":"organization-defined types of system components","guidelines":[{"prose":"the types of system components to be authorized and controlled when entering the facility are defined."}]},{"id":"A.03.10.02E.ODP.02","label":"types of system components","props":[{"name":"label","value":"A.03.10.02E.ODP[02]"}],"usage":"organization-defined types of system components","guidelines":[{"prose":"the types of system components to be authorized and controlled when exiting the facility are defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.11","class":"family","props":[{"name":"sort-id","value":"03.11"},{"name":"label","value":"Risk Assessment (3.11)"}],"title":"Risk Assessment","controls":[{"id":"SP_800_172_3_0_0_03.11.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#36284636-2ecc-4526-92d0-d15290590a46"}],"parts":[{"id":"ES-03.11.01E","name":"statement","prose":"Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."},{"id":"D-03.11.01E","name":"guidance","class":"discussion","prose":"Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be likely that adversaries can successfully breach or compromise organizational systems. One of the techniques that organizations can use to address this concern is to share threat information. This can include the tactics, techniques, and procedures that organizations have experienced; mitigations that organizations have found to be effective against certain types of threats; and threat intelligence (i.e., indications and warnings about threats). 
Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing can include organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.11.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.01E-2-effect","name":"item","class":"Preclude-AE-03.11.01E-2","parts":[{"id":"AE-03.11.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.11.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes negate)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.11.01E-3-effect","name":"item","class":"Impede-AE-03.11.01E-3","parts":[{"id":"AE-03.11.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.11.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.11.01E-4-effect","name":"item","class":"Expose-AE-03.11.01E-4","parts":[{"id":"AE-03.11.01E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of 
impact."},{"id":"AE-03.11.01E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.11.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.01E"}],"prose":"a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented."},{"id":"E-03.11.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nthreat awareness program policy\n\nthreat awareness program procedures\n\nrisk assessment results relevant to threat awareness\n\ndocumentation about the cross-organization information-sharing capability\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with information security program planning and plan implementation responsibilities\n\npersonnel responsible for the threat awareness program\n\npersonnel responsible for the cross-organization information-sharing capability\n\npersonnel with information security responsibilities\n\nexternal personnel with whom threat awareness information is shared by the organization"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for implementing the threat awareness program\n\nprocesses for implementing the cross-organization information-sharing capability\n\nmechanisms 
supporting and/or implementing the threat awareness program\n\nmechanisms supporting and/or implementing the cross-organization information-sharing capability"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.01E"},{"name":"label","value":"03.11.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Threat Awareness Program"},{"id":"SP_800_172_3_0_0_03.11.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#72f28255-3454-4891-96f7-1605cf0947ed"}],"parts":[{"id":"ES-03.11.02E","name":"statement","parts":[{"id":"ES-03.11.02E-a","name":"item","parts":[{"id":"ES-03.11.02E-a-1","name":"item","props":[{"name":"label","value":"ES-03.11.02E-a-1"}],"prose":"Search for indicators of compromise in organizational systems and"},{"id":"ES-03.11.02E-a-2","name":"item","props":[{"name":"label","value":"ES-03.11.02E-a-2"}],"prose":"Detect, track, and disrupt threats that evade existing safeguards."}],"props":[{"name":"label","value":"ES-03.11.02E-a"}],"prose":"Establish and maintain a cyber threat-hunting capability to:"},{"id":"ES-03.11.02E-b","name":"item","props":[{"name":"label","value":"ES-03.11.02E-b"}],"prose":"Employ the threat-hunting capability {{ insert: param, A.03.11.02E.ODP.01 }}. "}]},{"id":"D-03.11.02E","name":"guidance","class":"discussion","prose":"Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management (SIEM) technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. 
The objective is to track and disrupt adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat-hunting teams leverage existing threat intelligence and may create new threat intelligence that is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.11.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.02E-2-effect","name":"item","class":"Preclude-AE-03.11.02E-2","parts":[{"id":"AE-03.11.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.11.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes expunge)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.11.02E-3-effect","name":"item","class":"Limit-AE-03.11.02E-3","parts":[{"id":"AE-03.11.02E-3-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.11.02E-3-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or 
mission or business impacts."},{"id":"AE-03.11.02E-4-effect","name":"item","class":"Expose-AE-03.11.02E-4","parts":[{"id":"AE-03.11.02E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.11.02E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and scrutinize)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.11.02E.a.01.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.02E-a-1"}],"prose":"a cyber threat-hunting capability is established to search for indicators of compromise in organizational systems."},{"id":"DS-A.03.11.02E.a.01.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.02E-a-1"}],"prose":"a cyber threat-hunting capability is maintained to search for indicators of compromise in organizational systems."},{"id":"DS-A.03.11.02E.a.02.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.02E-a-2"}],"prose":"a cyber threat-hunting capability is established to detect, track, and disrupt threats that evade existing safeguards."},{"id":"DS-A.03.11.02E.a.02.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.02E-a-2"}],"prose":"a cyber threat-hunting capability is maintained to detect, track, and disrupt threats that evade existing safeguards."},{"id":"DS-A.03.11.02E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.02E-b"}],"prose":"the threat-hunting capability is employed {{ insert: param, A.03.11.02E.ODP.01 }}. 
"},{"id":"E-03.11.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records and/or event logs\n\nthreat-hunting capability\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with threat-hunting responsibilities\n\nsystem/network administrators\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for assessments and audits\n\nmechanisms or tools supporting and/or implementing threat-hunting capabilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.02E"},{"name":"label","value":"03.11.02E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Threat Hunting","params":[{"id":"A.03.11.02E.ODP.01","label":"frequency","props":[{"name":"label","value":"A.03.11.02E.ODP[01]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to implement the threat-hunting capability is defined."}]}]},{"id":"SP_800_172_3_0_0_03.11.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#b59cd2f1-e57b-4e7c-88dd-aafa1d82d364"}],"parts":[{"id":"ES-03.11.03E","name":"statement","prose":"Employ the following advanced automation and analytics capabilities to predict and identify risks to {{ insert: param, A.03.11.03E.ODP.01 }}: {{ insert: param, A.03.11.03E.ODP.02 }}. 
"},{"id":"D-03.11.03E","name":"guidance","class":"discussion","prose":"A properly resourced security operations center (SOC) or computer incident response team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and predictive analytics capabilities are typically supported by artificial intelligence concepts and machine learning. Examples include automated threat discovery and response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), automated workflow operations, and machine-assisted decision tools. However, sophisticated adversaries may be able to extract information related to analytic parameters and retrain the machine learning to classify malicious activity as benign. Accordingly, machine learning is augmented by human monitoring to help ensure that sophisticated adversaries are not able to conceal their activities. 
This requirement enhances SP 800-171 requirement 03.11.01."},{"id":"AE-03.11.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.03E-2-effect","name":"item","class":"Preclude-AE-03.11.03E-2","parts":[{"id":"AE-03.11.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.11.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes expunge)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.11.03E-3-effect","name":"item","class":"Limit-AE-03.11.03E-3","parts":[{"id":"AE-03.11.03E-3-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.11.03E-3-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."},{"id":"AE-03.11.03E-4-effect","name":"item","class":"Expose-AE-03.11.03E-4","parts":[{"id":"AE-03.11.03E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.11.03E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and scrutinize)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar 
environments."}]},{"id":"DS-A.03.11.03E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.03E"}],"prose":" {{ insert: param, A.03.11.03E.ODP.01 }} are employed to predict and identify risks to {{ insert: param, A.03.11.03E.ODP.02 }}. "},{"id":"DS-A.03.11.03E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.03E"}],"prose":" {{ insert: param, A.03.11.03E.ODP.03 }} are employed to predict and identify risks to {{ insert: param, A.03.11.03E.ODP.02 }}. "},{"id":"E-03.11.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk reports\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with risk assessment responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.03E"},{"name":"label","value":"03.11.03E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Predictive Cyber Analytics","params":[{"id":"A.03.11.03E.ODP.01","label":"advanced automation 
capabilities","props":[{"name":"label","value":"A.03.11.03E.ODP[01]"}],"usage":"organization-defined advanced automation and analytics capabilities","guidelines":[{"prose":"advanced automation capabilities to predict and identify risks are defined."}]},{"id":"A.03.11.03E.ODP.02","label":"systems or system components","props":[{"name":"label","value":"A.03.11.03E.ODP[02]"}],"usage":"organization-defined systems or system components","guidelines":[{"prose":"systems or system components in which advanced automation and analytics capabilities are to be employed are defined."}]},{"id":"A.03.11.03E.ODP.03","label":"advanced analytics capabilities","props":[{"name":"label","value":"A.03.11.03E.ODP[03]"}],"usage":"organization-defined advanced automation and analytics capabilities","guidelines":[{"prose":"advanced analytics capabilities to predict and identify risks are defined."}]}]},{"id":"SP_800_172_3_0_0_03.11.04E","class":"security_requirement","links":[{"rel":"incorporated_into","href":"03.15.01E"},{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.11.01"},{"rel":"external_reference","href":"03.11.04"},{"rel":"external_reference","href":"03.15.02"}],"props":[{"name":"sort-id","value":"03.11.04E"},{"name":"label","value":"03.11.04E"},{"name":"status","value":"withdrawn"}],"title":"03.11.04E"},{"id":"SP_800_172_3_0_0_03.11.05E","class":"security_requirement","links":[{"rel":"incorporated_into","href":"03.11.01E"},{"rel":"incorporated_into","href":"03.11.03E"},{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.11.01"},{"rel":"external_reference","href":"03.11.04"},{"rel":"external_reference","href":"03.12.01"},{"rel":"external_reference","href":"03.12.03"}],"props":[{"name":"sort-id","value":"03.11.05E"},{"name":"label","value":"03.11.05E"},{"name":"status","value":"withdrawn"}],"title":"03.11.05E"},{"id":"SP_800_172_3_0_0_03.11.06E","class":"se
curity_requirement","links":[{"rel":"incorporated_into","href":"03.12.03E"},{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.11.01"},{"rel":"external_reference","href":"03.11.04"},{"rel":"external_reference","href":"03.12.01"},{"rel":"external_reference","href":"03.12.03"},{"rel":"external_reference","href":"03.17.03"}],"props":[{"name":"sort-id","value":"03.11.06E"},{"name":"label","value":"03.11.06E"},{"name":"status","value":"withdrawn"}],"title":"03.11.06E"},{"id":"SP_800_172_3_0_0_03.11.07E","class":"security_requirement","links":[{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.17.01"}],"props":[{"name":"sort-id","value":"03.11.07E"},{"name":"label","value":"03.11.07E"},{"name":"status","value":"withdrawn"}],"title":"03.11.07E"},{"id":"SP_800_172_3_0_0_03.11.08E","class":"security_requirement","links":[{"rel":"external_reference","href":"#af1f6523-8f19-41a1-bda6-97453f0e98c4"}],"parts":[{"id":"ES-03.11.08E","name":"statement","prose":"Determine the current cyber threat environment on an ongoing basis using {{ insert: param, A.03.11.08E.ODP.01 }}. "},{"id":"D-03.11.08E","name":"guidance","class":"discussion","prose":"The threat awareness information that is gathered feeds into the organization’s security operations to ensure that procedures are updated in response to the changing threat environment. For example, at higher threat levels, organizations may change the privilege or authentication thresholds required to perform certain operations. 
This requirement enhances SP 800-171 requirement 03.11.01."},{"id":"AE-03.11.08E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.08E-2-effect","name":"item","class":"Expose-AE-03.11.08E-2","parts":[{"id":"AE-03.11.08E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.11.08E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and reveal)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.11.08E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.08E"}],"prose":"the current cyber threat environment is determined on an ongoing basis using {{ insert: param, A.03.11.08E.ODP.01 }}. 
"},{"id":"E-03.11.08E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk reports\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.08E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with risk assessment responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.08E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for risk assessment\n\nmechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.08E"},{"name":"label","value":"03.11.08E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Dynamic Threat Awareness","params":[{"id":"A.03.11.08E.ODP.01","label":"means","props":[{"name":"label","value":"A.03.11.08E.ODP[01]"}],"usage":"organization-defined means","guidelines":[{"prose":"the means to determine the current cyber threat environment on an ongoing basis are defined."}]}]},{"id":"SP_800_172_3_0_0_03.11.09E","class":"security_requirement","links":[{"rel":"external_reference","href":"#fe4ddff3-fafc-4de7-9dc2-76027d796507"}],"parts":[{"id":"ES-03.11.09E","name":"statement","prose":"Discover, collect, and distribute to {{ insert: param, A.03.11.09E.ODP.01 }}, indicators of compromise provided by {{ 
insert: param, A.03.11.09E.ODP.02 }}. "},{"id":"D-03.11.09E","name":"guidance","class":"discussion","prose":"Indicators of compromise (IOCs) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include uniform resource locator (URL) or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques, procedures, and other IOCs may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams (FIRST), the Computer Emergency Response Team Coordination Center (CERT/CC), the United States Computer Emergency Readiness Team (US-CERT), and the Defense Industrial Base (DIB) Cybersecurity Information Sharing Program. 
This requirement enhances SP 800-171 requirement 03.14.06."},{"id":"AE-03.11.09E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.09E-2-effect","name":"item","class":"Expose-AE-03.11.09E-2","parts":[{"id":"AE-03.11.09E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.11.09E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and reveal)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.11.09E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.09E"}],"prose":"indicators of compromise provided by {{ insert: param, A.03.11.09E.ODP.01 }} are discovered. "},{"id":"DS-A.03.11.09E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.09E"}],"prose":"indicators of compromise provided by {{ insert: param, A.03.11.09E.ODP.01 }} are collected. "},{"id":"DS-A.03.11.09E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.09E"}],"prose":"indicators of compromise provided by {{ insert: param, A.03.11.09E.ODP.01 }} are distributed to {{ insert: param, A.03.11.09E.ODP.02 }}. 
"},{"id":"E-03.11.09E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.09E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem developers\n\npersonnel installing, configuring, and/or maintaining the system\n\npersonnel responsible for monitoring system hosts"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.09E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for system monitoring\n\nprocesses for the discovery, collection, distribution, and use of indicators of compromise\n\nmechanisms supporting and/or implementing a system monitoring capability\n\nmechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.09E"},{"name":"label","value":"03.11.09E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Indicators of Compromise","params":[{"id":"A.03.11.09E.ODP.01","label":"sources","props":[{"name":"label","value":"A.03.11.09E.ODP[01]"}],"usage":"organization-defined sources","guidelines":[{"prose":"sources that provide 
indicators of compromise are defined."}]},{"id":"A.03.11.09E.ODP.02","label":"personnel or roles","props":[{"name":"label","value":"A.03.11.09E.ODP[02]"}],"usage":"organization-defined personnel or roles","guidelines":[{"prose":"personnel or roles to whom indicators of compromise are to be distributed are defined."}]}]},{"id":"SP_800_172_3_0_0_03.11.10E","class":"security_requirement","links":[{"rel":"external_reference","href":"#490d4b64-4f60-4516-b1e4-1a4d642e624a"}],"parts":[{"id":"ES-03.11.10E","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ insert: param, A.03.11.10E.ODP.01 }} at {{ insert: param, A.03.11.10E.ODP.02 }}. "},{"id":"D-03.11.10E","name":"guidance","class":"discussion","prose":"Organizations conduct a functional decomposition of a system to identify mission-critical functions and system components. The functional decomposition includes the identification of organizational missions supported by the system, the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by components within and external to the system. The operational environment of a system or a system component may impact its criticality, including the connections to and dependencies on other systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. 
If such analysis is performed early and throughout the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these functions and components, such as by adding redundancy or alternate paths into the system design. This requirement is sourced to a control tailored out of the SP 800-53B moderate baseline in SP 800-171."},{"id":"AE-03.11.10E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.10E-2-effect","name":"item","class":"Preclude-AE-03.11.10E-2","parts":[{"id":"AE-03.11.10E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.11.10E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.11.10E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.10E"}],"prose":"critical system components and functions are identified by performing a criticality analysis for {{ insert: param, A.03.11.10E.ODP.01 }} at {{ insert: param, A.03.11.10E.ODP.02 }}. 
"},{"id":"E-03.11.10E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\ncriticality analysis and/or finalized criticality for each component and/or subcomponent\n\naudit records and/or event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.10E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with assessment and auditing responsibilities\n\npersonnel with criticality analysis responsibilities\n\nsystem/network administrators\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.10E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for assessments and audits\n\nmechanisms and/or tools supporting and/or implementing assessments and auditing"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.10E"},{"name":"label","value":"03.11.10E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Criticality Analysis","params":[{"id":"A.03.11.10E.ODP.01","label":"systems, system components, or system services","props":[{"name":"label","value":"A.03.11.10E.ODP[01]"}],"usage":"organization-defined systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services to be analyzed for criticality are defined."}]},{"id":"A.03.11.10E.ODP.02","label":"decision points","props":[{"name":"label","value":"A.03.11.10E.ODP[02]"}],"usage":"organization-defined decision points in the system development life cycle","guidelines":[{"prose":"decision 
points in the system development life cycle when a criticality analysis is to be performed are defined."}]}]},{"id":"SP_800_172_3_0_0_03.11.11E","class":"security_requirement","links":[{"rel":"external_reference","href":"#269bc7f2-4333-48cd-a2fe-b440894c5a17"}],"parts":[{"id":"ES-03.11.11E","name":"statement","prose":"Determine information about the system that is discoverable and take {{ insert: param, A.03.11.11E.ODP.01 }}. "},{"id":"D-03.11.11E","name":"guidance","class":"discussion","prose":"Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This requirement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) implemented by the organization. 
This requirement enhances SP 800-171 requirement 03.11.02."},{"id":"AE-03.11.11E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.11E-2-effect","name":"item","class":"Expose-AE-03.11.11E-2","parts":[{"id":"AE-03.11.11E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.11.11E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes reveal)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.11.11E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.11E"}],"prose":"discoverable information about the system is identified."},{"id":"DS-A.03.11.11E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.11E"}],"prose":" {{ insert: param, A.03.11.11E.ODP.01 }} are taken when information about the system is confirmed as discoverable. 
"},{"id":"E-03.11.11E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken on discoverable information\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.11E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with vulnerability scanning and/or penetration testing responsibilities\n\npersonnel with vulnerability scan analysis responsibilities\n\npersonnel responsible for risk response\n\npersonnel responsible for incident management and response\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.11E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for vulnerability scanning\n\nprocesses for risk response\n\nprocesses for incident management and response\n\nmechanisms and/or tools supporting and/or implementing vulnerability scanning\n\nmechanisms supporting and/or implementing risk response\n\nmechanisms supporting and/or implementing incident management and response"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.11E"},{"name":"label","value":"03.11.11E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Discoverable Information","params":[{"id":"A.03.11.11E.ODP.01","label":"corrective actions","props":[{"name":"label","value":"A.03.11.11E.ODP[01]"}],"usage":"organization-defined corrective 
actions","guidelines":[{"prose":"corrective actions to be taken if information about the system is discoverable are defined."}]}]},{"id":"SP_800_172_3_0_0_03.11.12E","class":"security_requirement","links":[{"rel":"external_reference","href":"#d3395183-d092-4fae-9ca2-0540d9d2b224"}],"parts":[{"id":"ES-03.11.12E","name":"statement","prose":"Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information."},{"id":"D-03.11.12E","name":"guidance","class":"discussion","prose":"To maximize the effectiveness of monitoring and sharing threat intelligence information, it is important to know what threat observables and indicators the sensors need to be searching for. By using well-established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed the relevant threat detection signatures into monitoring tools. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.11.12E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.11.12E-2-effect","name":"item","class":"Preclude-AE-03.11.12E-2","parts":[{"id":"AE-03.11.12E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.11.12E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes negate)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.11.12E-3-effect","name":"item","class":"Impede-AE-03.11.12E-3","parts":[{"id":"AE-03.11.12E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of 
impact."},{"id":"AE-03.11.12E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.11.12E-4-effect","name":"item","class":"Expose-AE-03.11.12E-4","parts":[{"id":"AE-03.11.12E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.11.12E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.11.12E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.11.12E"}],"prose":"automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information."},{"id":"E-03.11.12E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nthreat awareness program policy\n\nthreat awareness program procedures\n\nrisk assessment results related to threat awareness\n\ndocumentation about the cross-organization information-sharing capability\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.11.12E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with information security program planning and plan implementation responsibilities\n\npersonnel responsible for the threat awareness program\n\npersonnel 
responsible for the cross-organization information-sharing capability\n\npersonnel with information security responsibilities\n\nexternal personnel with whom threat awareness information is shared by the organization"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.11.12E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for implementing the threat awareness program\n\nprocesses for implementing the cross-organization information-sharing capability\n\nautomated mechanisms supporting and/or implementing the threat awareness program\n\nautomated mechanisms supporting and/or implementing the cross-organization information-sharing capability"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.11.12E"},{"name":"label","value":"03.11.12E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Automated Means for Sharing Threat Intelligence"}]},{"id":"SP_800_172_3_0_0_3.12","class":"family","props":[{"name":"sort-id","value":"03.12"},{"name":"label","value":"Security Assessment and Monitoring (3.12)"}],"title":"Security Assessment and Monitoring","controls":[{"id":"SP_800_172_3_0_0_03.12.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#c3565db2-c3e1-4be8-a9d0-0ea9b2734ebd"}],"parts":[{"id":"ES-03.12.01E","name":"statement","prose":"Conduct penetration testing {{ insert: param, A.03.12.01E.ODP.01 }} on {{ insert: param, A.03.12.01E.ODP.02 }}. "},{"id":"D-03.12.01E","name":"guidance","class":"discussion","prose":"Penetration testing is a specialized type of assessment conducted on systems or system components to identify vulnerabilities that could be exploited by adversaries. 
It is conducted by penetration testing agents and teams with particular skills and experience that include technical expertise in network, operating system, and application-level security. Penetration testing can be used to validate vulnerabilities or to determine a system’s penetration resistance to adversaries within specified constraints, such as time, resources, and skills. It can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for conducting penetration testing includes pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the specified rules of engagement before the commencement of penetration testing. Organizations may also supplement penetration testing with red team exercises. Red teams attempt to duplicate the actions of adversaries in carrying out attacks against organizations and provide an in-depth analysis of security-related weaknesses or deficiencies. Organizations correlate the rules of engagement for penetration tests and red teaming exercises (if used) with the tools, techniques, and procedures that they anticipate adversaries may employ. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.12.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.12.01E-2-effect","name":"item","class":"Preclude-AE-03.12.01E-2","parts":[{"id":"AE-03.12.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.12.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.12.01E-3-effect","name":"item","class":"Impede-AE-03.12.01E-3","parts":[{"id":"AE-03.12.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.12.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.12.01E-4-effect","name":"item","class":"Expose-AE-03.12.01E-4","parts":[{"id":"AE-03.12.01E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.12.01E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events 
in the same or similar environments."}]},{"id":"DS-A.03.12.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.01E"}],"prose":"penetration testing is conducted {{ insert: param, A.03.12.01E.ODP.01 }} on {{ insert: param, A.03.12.01E.ODP.02 }}. "},{"id":"E-03.12.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Assessment and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\nsystem security plan\n\npenetration test rules of engagement\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.12.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with assessment responsibilities\n\npersonnel with information security responsibilities\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.12.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting penetration testing"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.12.01E"},{"name":"label","value":"03.12.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Penetration Testing","params":[{"id":"A.03.12.01E.ODP.01","label":"frequency","props":[{"name":"label","value":"A.03.12.01E.ODP[01]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to conduct penetration testing on systems or system components is defined."}]},{"id":"A.03.12.01E.ODP.02","label":"systems 
or system components","props":[{"name":"label","value":"A.03.12.01E.ODP[02]"}],"usage":"organization-defined systems or system components","guidelines":[{"prose":"systems or system components on which penetration testing is to be conducted are defined."}]}]},{"id":"SP_800_172_3_0_0_03.12.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#c826cde3-fb29-42e1-911a-5df0dd0194a4"}],"parts":[{"id":"ES-03.12.02E","name":"statement","prose":"Use independent assessors or assessment teams to conduct security requirement assessments."},{"id":"D-03.12.02E","name":"guidance","class":"discussion","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of security requirement effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from entities that are internal or external to organizations. Organizations determine whether the level of assessor independence provides sufficient assurance such that the assessment results are sound and can be used to make effective risk-based decisions. 
This requirement enhances SP 800-171 requirement 03.12.01."},{"id":"AE-03.12.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.12.02E-2-effect","name":"item","class":"Preclude-AE-03.12.02E-2","parts":[{"id":"AE-03.12.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.12.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.12.02E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.02E"}],"prose":"independent assessors or assessment teams are used to conduct security requirement assessments."},{"id":"E-03.12.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Assessment and monitoring policy\n\nprocedures addressing assessments\n\nprevious assessment plan\n\nprevious assessment report\n\nplan of action and milestones\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.12.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with assessment responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]}],"props":[{"name":"sort-id","value":"03.12.02E"},{"name":"label","value":"03.12.02E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Independent 
Assessors"},{"id":"SP_800_172_3_0_0_03.12.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#4fb7756f-35ce-4d1f-9bce-ee6c2ef2a645"}],"parts":[{"id":"ES-03.12.03E","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes effectiveness monitoring, compliance monitoring, and change monitoring."},{"id":"D-03.12.03E","name":"guidance","class":"discussion","prose":"Risk monitoring is guided and informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security risk. This requirement enhances SP 800-171 requirement 03.12.03."},{"id":"AE-03.12.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.12.03E-2-effect","name":"item","class":"Preclude-AE-03.12.03E-2","parts":[{"id":"AE-03.12.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.12.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.12.03E-3-effect","name":"item","class":"Impede-AE-03.12.03E-3","parts":[{"id":"AE-03.12.03E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.12.03E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, 
fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.12.03E-4-effect","name":"item","class":"Expose-AE-03.12.03E-4","parts":[{"id":"AE-03.12.03E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.12.03E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.12.03E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.03E"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy."},{"id":"DS-A.03.12.03E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.03E"}],"prose":"effectiveness monitoring is included in risk monitoring."},{"id":"DS-A.03.12.03E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.03E"}],"prose":"compliance monitoring is included in risk monitoring."},{"id":"DS-A.03.12.03E.04","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.03E"}],"prose":"change monitoring is included in risk monitoring."},{"id":"E-03.12.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Assessment and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus 
reports\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.12.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with continuous monitoring responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.12.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.12.03E"},{"name":"label","value":"03.12.03E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Risk Monitoring"},{"id":"SP_800_172_3_0_0_03.12.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#82899f04-4f03-4d78-955e-34ed4314830a"}],"parts":[{"id":"ES-03.12.04E","name":"statement","parts":[{"id":"ES-03.12.04E-a","name":"item","props":[{"name":"label","value":"ES-03.12.04E-a"}],"prose":"Authorize internal connections of {{ insert: param, A.03.12.04E.ODP.01 }} to the system. "},{"id":"ES-03.12.04E-b","name":"item","props":[{"name":"label","value":"ES-03.12.04E-b"}],"prose":"Document, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."},{"id":"ES-03.12.04E-c","name":"item","props":[{"name":"label","value":"ES-03.12.04E-c"}],"prose":"Terminate internal system connections after {{ insert: param, A.03.12.04E.ODP.02 }}. 
"},{"id":"ES-03.12.04E-d","name":"item","props":[{"name":"label","value":"ES-03.12.04E-d"}],"prose":"Review {{ insert: param, A.03.12.04E.ODP.03 }} the continued need for each internal connection. "}]},{"id":"D-03.12.04E","name":"guidance","class":"discussion","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system), including components that are used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.12.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.12.04E-2-effect","name":"item","class":"Preclude-AE-03.12.04E-2","parts":[{"id":"AE-03.12.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.12.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.12.04E-3-effect","name":"item","class":"Impede-AE-03.12.04E-3","parts":[{"id":"AE-03.12.04E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.12.04E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.12.04E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.04E-a"}],"prose":"internal connections of {{ insert: param, A.03.12.04E.ODP.01 }} to the system are authorized. 
"},{"id":"DS-A.03.12.04E.b.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.04E-b"}],"prose":"for each internal connection, the interface characteristics are documented."},{"id":"DS-A.03.12.04E.b.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.04E-b"}],"prose":"for each internal connection, the security requirements are documented."},{"id":"DS-A.03.12.04E.b.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.04E-b"}],"prose":"for each internal connection, the nature of the information communicated is documented."},{"id":"DS-A.03.12.04E.c","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.04E-c"}],"prose":"internal system connections are terminated after {{ insert: param, A.03.12.04E.ODP.02 }}. "},{"id":"DS-A.03.12.04E.d","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.12.04E-d"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, A.03.12.04E.ODP.03 }}. 
"},{"id":"E-03.12.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Assessment and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem audit records\n\nlist of components or classes of components authorized as internal system connections\n\nsystem security plan\n\nsystem configuration settings and associated documentation\n\nassessment report\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.12.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.12.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.12.04E"},{"name":"label","value":"03.12.04E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Internal System Connections","params":[{"id":"A.03.12.04E.ODP.01","label":"system components or classes of components","props":[{"name":"label","value":"A.03.12.04E.ODP[01]"}],"usage":"organization-defined system components or classes of components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined."}]},{"id":"A.03.12.04E.ODP.02","label":"conditions","props":[{"name":"label","value":"A.03.12.04E.ODP[02]"}],"usage":"organization-defined 
conditions","guidelines":[{"prose":"conditions requiring the termination of internal connections are defined."}]},{"id":"A.03.12.04E.ODP.03","label":"frequency","props":[{"name":"label","value":"A.03.12.04E.ODP[03]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to review the continued need for each internal connection is defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.13","class":"family","props":[{"name":"sort-id","value":"03.13"},{"name":"label","value":"System and Communications Protection (3.13)"}],"title":"System and Communications Protection","controls":[{"id":"SP_800_172_3_0_0_03.13.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#8a04b6e3-2555-4529-82e5-901d5d48bf9f"}],"parts":[{"id":"ES-03.13.01E","name":"statement","prose":"Employ a diverse set of information technologies for the following system components in the implementation of the system: {{ insert: param, A.03.13.01E.ODP.01 }}. "},{"id":"D-03.13.01E","name":"guidance","class":"discussion","prose":"Increasing the diversity of information technologies within organizational systems reduces the impact of exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.01E-2-effect","name":"item","class":"Preclude-AE-03.13.01E-2","parts":[{"id":"AE-03.13.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.01E-3-effect","name":"item","class":"Impede-AE-03.13.01E-3","parts":[{"id":"AE-03.13.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain and exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.01E-4-effect","name":"item","class":"Limit-AE-03.13.01E-4","parts":[{"id":"AE-03.13.01E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.01E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects 
they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.13.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.01E"}],"prose":"a diverse set of information technologies is employed for {{ insert: param, A.03.13.01E.ODP.01 }} in the implementation of the system. "},{"id":"E-03.13.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of technologies deployed in the system\n\nacquisition documentation\n\nacquisition contracts for system components or services\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel with system acquisition, development, and implementation responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the use of a diverse set of information technologies"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.01E"},{"name":"label","value":"03.13.01E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Heterogeneity","params":[{"id":"A.03.13.01E.ODP.01","label":"system 
components","props":[{"name":"label","value":"A.03.13.01E.ODP[01]"}],"usage":"organization-defined system components","guidelines":[{"prose":"system components requiring a diverse set of information technologies to be used in the implementation of the system are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#a588e5c9-bbbd-44b0-9ce7-ad3f63a1b70a"}],"parts":[{"id":"ES-03.13.02E","name":"statement","prose":"Employ {{ insert: param, A.03.13.02E.ODP.01 }} to introduce randomness into organizational operations and assets. "},{"id":"D-03.13.02E","name":"guidance","class":"discussion","prose":"Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target organizational systems that support critical missions or business functions. Uncertainty may cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating the roles and responsibilities of organizational personnel. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets. 
This requirement also depends on the selection of 03.13.03E."},{"id":"AE-03.13.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.02E-2-effect","name":"item","class":"Preclude-AE-03.13.02E-2","parts":[{"id":"AE-03.13.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.02E-3-effect","name":"item","class":"Impede-AE-03.13.02E-3","parts":[{"id":"AE-03.13.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.02E-4-effect","name":"item","class":"Redirect-AE-03.13.02E-4","parts":[{"id":"AE-03.13.02E-4-effect-impact","name":"item","class":"I-Redirect","prose":"Reduce likelihood of occurrence and (to a lesser extent) reduce likelihood of impact."},{"id":"AE-03.13.02E-4-effect-expected_result-1","name":"item","class":"ER-Redirect-1","prose":"The adversary’s efforts cease."},{"id":"AE-03.13.02E-4-effect-expected_result-2","name":"item","class":"ER-Redirect-2","prose":"The adversary actions are mistargeted or misinformed."}],"prose":"(includes deceive)\n\nDirect threat events away from defender-chosen 
resources."}]},{"id":"DS-A.03.13.02E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.02E"}],"prose":" {{ insert: param, A.03.13.02E.ODP.01 }} are employed to introduce randomness into organizational operations and assets. "},{"id":"E-03.13.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of techniques to be used to introduce randomness into organizational operations and assets\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with the responsibility to implement concealment and misdirection techniques for systems\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing randomness as a concealment and misdirection technique"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.02E"},{"name":"label","value":"03.13.02E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant 
Architecture"}],"title":"Randomness","params":[{"id":"A.03.13.02E.ODP.01","label":"techniques","props":[{"name":"label","value":"A.03.13.02E.ODP[01]"}],"usage":"organization-defined techniques","guidelines":[{"prose":"the techniques employed to introduce randomness into organizational operations and assets are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#21be8a83-d199-4135-836a-5261bf4f9819"}],"parts":[{"id":"ES-03.13.03E","name":"statement","prose":"Employ the following concealment and misdirection techniques to mislead adversaries: {{ insert: param, A.03.13.03E.ODP.01 }}. "},{"id":"D-03.13.03E","name":"guidance","class":"discussion","prose":"Concealment and misdirection techniques can significantly reduce the targeting capabilities of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. The increased use of specific concealment and misdirection techniques and methods, including randomness, uncertainty, and virtualization, may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core mission and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.03E-2-effect","name":"item","class":"Preclude-AE-03.13.03E-2","parts":[{"id":"AE-03.13.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.03E-3-effect","name":"item","class":"Impede-AE-03.13.03E-3","parts":[{"id":"AE-03.13.03E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.03E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.03E-4-effect","name":"item","class":"Redirect-AE-03.13.03E-4","parts":[{"id":"AE-03.13.03E-4-effect-impact","name":"item","class":"I-Redirect","prose":"Reduce likelihood of occurrence and (to a lesser extent) reduce likelihood of impact."},{"id":"AE-03.13.03E-4-effect-expected_result-1","name":"item","class":"ER-Redirect-1","prose":"The adversary’s efforts cease."},{"id":"AE-03.13.03E-4-effect-expected_result-2","name":"item","class":"ER-Redirect-2","prose":"The adversary actions are mistargeted or 
misinformed."}],"prose":"(includes deceive)\n\nDirect threat events away from defender-chosen resources."}]},{"id":"DS-A.03.13.03E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.03E"}],"prose":" {{ insert: param, A.03.13.03E.ODP.01 }} are used to mislead adversaries. "},{"id":"E-03.13.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of concealment and misdirection techniques to be used for organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel with the responsibility to implement concealment and misdirection techniques for systems"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing concealment and misdirection techniques"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.03E"},{"name":"label","value":"03.13.03E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Concealment and Misdirection","params":[{"id":"A.03.13.03E.ODP.01","label":"concealment 
and misdirection techniques","props":[{"name":"label","value":"A.03.13.03E.ODP[01]"}],"usage":"organization-defined concealment and misdirection techniques","guidelines":[{"prose":"the concealment and misdirection techniques used to confuse and mislead adversaries potentially targeting systems are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#138ce585-a7aa-4547-8240-fd0afdaa9f12"}],"parts":[{"id":"ES-03.13.04E","name":"statement","prose":"Employ boundary protection mechanisms to isolate {{ insert: param, A.03.13.04E.ODP.01 }}. "},{"id":"D-03.13.04E","name":"guidance","class":"discussion","prose":"Organizations can isolate system components that perform different mission or business functions. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. The degree of isolation varies depending on the mechanisms selected. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys. 
This requirement enhances SP 800-171 requirement 03.13.01."},{"id":"AE-03.13.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.04E-2-effect","name":"item","class":"Preclude-AE-03.13.04E-2","parts":[{"id":"AE-03.13.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.04E-3-effect","name":"item","class":"Impede-AE-03.13.04E-3","parts":[{"id":"AE-03.13.04E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.04E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.04E-4-effect","name":"item","class":"Limit-AE-03.13.04E-4","parts":[{"id":"AE-03.13.04E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.04E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business 
impacts."}]},{"id":"DS-A.03.13.04E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.04E"}],"prose":"boundary protection mechanisms are employed to isolate {{ insert: param, A.03.13.04E.ODP.01 }}. "},{"id":"E-03.13.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nenterprise architecture documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel with boundary protection responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the capability to separate system components"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.04E"},{"name":"label","value":"03.13.04E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Isolation of System Components","params":[{"id":"A.03.13.04E.ODP.01","label":"system components","props":[{"name":"label","value":"A.03.13.04E.ODP[01]"}],"usage":"organization-defined system components","guidelines":[{"prose":"system components to be isolated by boundary protection mechanisms are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.05E","class":"security_requirement","links":[{"rel":"external_reference","href":"#3051df2e-43ae-488c-a681-011a26e0295d"}],"parts":[{"id":"ES-03.13.05E","name":"statement","prose":"Change the location of {{ insert: param, A.03.13.05E.ODP.01 }} {{ insert: param, A.03.13.05E.ODP.02 }}. "},{"id":"D-03.13.05E","name":"guidance","class":"discussion","prose":"Adversaries target critical missions and business functions and the systems that support those missions and business functions while also trying to minimize the exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational systems targeted by adversaries makes such systems more susceptible to attacks with less adversary cost and effort to be successful. Changing processing and storage locations (also referred to as moving target defense) addresses the advanced persistent threat using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the system components (i.e., processing, storage) that support critical missions and business functions. Changing the locations of processing activities and/or storage sites introduces a degree of uncertainty to the targeting activities of adversaries. The targeting uncertainty increases the work factor of adversaries and makes compromises or breaches of the organizational systems more difficult and time-consuming. Uncertainty also increases the chances that adversaries may inadvertently disclose aspects of their tradecraft while attempting to locate critical organizational assets. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.05E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.05E-2-effect","name":"item","class":"Preclude-AE-03.13.05E-2","parts":[{"id":"AE-03.13.05E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.05E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt and negate)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.05E-3-effect","name":"item","class":"Impede-AE-03.13.05E-3","parts":[{"id":"AE-03.13.05E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.05E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain and exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.05E-4-effect","name":"item","class":"Limit-AE-03.13.05E-4","parts":[{"id":"AE-03.13.05E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.05E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or 
effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.13.05E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.05E"}],"prose":"the location of {{ insert: param, A.03.13.05E.ODP.01 }} is changed {{ insert: param, A.03.13.05E.ODP.02 }}. "},{"id":"E-03.13.05E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nprocedures addressing concealment and misdirection techniques for the system\n\nlist of processing and/or storage locations to be changed at organizational time intervals\n\nchange control records\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.05E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel with the responsibility to change processing and/or storage locations"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.05E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing changing processing and/or storage locations"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.05E"},{"name":"label","value":"03.13.05E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Change Processing and Storage 
Locations","params":[{"id":"A.03.13.05E.ODP.01","label":"processing and/or storage","props":[{"name":"label","value":"A.03.13.05E.ODP[01]"}],"usage":"organization-defined processing and/or storage","guidelines":[{"prose":"processing and/or storage locations to be changed are defined."}]},{"id":"A.03.13.05E.ODP.02","label":"SELECTED PARAMETER VALUE","props":[{"name":"label","value":"A.03.13.05E.ODP[02]"}],"select":{"choice":[" {{ insert: param, A.03.13.05E.ODP.03 }} ","at random time intervals"],"how-many":"one"}},{"id":"A.03.13.05E.ODP.03","label":"frequency","props":[{"name":"label","value":"A.03.13.05E.ODP[03]"}],"usage":"organization-defined time frequency","guidelines":[{"prose":"the frequency at which to change the location of processing and/or storage is defined (if selected)."}]}]},{"id":"SP_800_172_3_0_0_03.13.06E","class":"security_requirement","links":[{"rel":"external_reference","href":"#f74165ba-b4e4-4db1-ac19-920c1bae3755"}],"parts":[{"id":"ES-03.13.06E","name":"statement","prose":"Include within organizational systems the following platform independent applications: {{ insert: param, A.03.13.06E.ODP.01 }} . "},{"id":"D-03.13.06E","name":"guidance","class":"discussion","prose":"Platforms are the hardware, software, and firmware components used to execute the organization’s software applications. Platforms include operating systems, the underlying computer architectures, or both. Platform-independent applications are applications with the capability to execute on multiple platforms. Such applications promote portability and reconstitution on different platforms. The portability of applications and the ability to reconstitute applications on different platforms increase the availability of mission-essential functions within organizations when systems with specific operating systems are under attack. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.06E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.06E-2-effect","name":"item","class":"Limit-AE-03.13.06E-2","parts":[{"id":"AE-03.13.06E-2-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.06E-2-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.13.06E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.06E"}],"prose":" {{ insert: param, A.03.13.06E.ODP.01 }} are implemented within organizational systems. 
"},{"id":"E-03.13.06E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing platform-independent applications\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of platform-independent applications\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.06E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.06E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing platform-independent applications"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.06E"},{"name":"label","value":"03.13.06E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"}],"title":"Platform-Independent Applications","params":[{"id":"A.03.13.06E.ODP.01","label":"platform-independent applications","props":[{"name":"label","value":"A.03.13.06E.ODP[01]"}],"usage":"organization-defined platform-independent applications","guidelines":[{"prose":"platform-independent applications to be included within organizational systems are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.07E","class":"security_requirement","links":[{"rel":"external_reference","href":"#ebf73c4c-2ed3-4bf6-9622-3f478ea2de19"}],"parts":[{"id":"ES-03.13.07E","name":"statement","prose":"Employ virtualization techniques to support the deployment of a diversity of operating systems and applications 
that are changed {{ insert: param, A.03.13.07E.ODP.01 }}. "},{"id":"D-03.13.07E","name":"guidance","class":"discussion","prose":"While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.07E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.07E-2-effect","name":"item","class":"Preclude-AE-03.13.07E-2","parts":[{"id":"AE-03.13.07E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.07E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.07E-3-effect","name":"item","class":"Impede-AE-03.13.07E-3","parts":[{"id":"AE-03.13.07E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.07E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or 
require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.07E-4-effect","name":"item","class":"Limit-AE-03.13.07E-4","parts":[{"id":"AE-03.13.07E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.07E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.13.07E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.07E"}],"prose":"virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed {{ insert: param, A.03.13.07E.ODP.01 }}. 
"},{"id":"E-03.13.07E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of operating systems and applications deployed using virtualization techniques\n\nchange control records\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.07E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel with responsibilities for implementing approved virtualization techniques to the system"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.07E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the use of a diverse set of information technologies\n\nmechanisms supporting and/or implementing virtualization techniques"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.07E"},{"name":"label","value":"03.13.07E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Virtualization Techniques","params":[{"id":"A.03.13.07E.ODP.01","label":"frequency","props":[{"name":"label","value":"A.03.13.07E.ODP[01]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to change the diversity of operating systems and 
applications deployed using virtualization techniques is defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.08E","class":"security_requirement","links":[{"rel":"external_reference","href":"#dd18d1f4-4dc0-4905-b420-87d0554b161f"}],"parts":[{"id":"ES-03.13.08E","name":"statement","prose":"Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks."},{"id":"D-03.13.08E","name":"guidance","class":"discussion","prose":"Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and deflect attacks away from the operational systems that support organizational missions and business functions. The use of decoys requires some supporting isolation measures to ensure that any deflected malicious code does not infect organizational systems. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.08E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.08E-2-effect","name":"item","class":"Expose-AE-03.13.08E-2","parts":[{"id":"AE-03.13.08E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.13.08E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."},{"id":"AE-03.13.08E-3-effect","name":"item","class":"Limit-AE-03.13.08E-3","parts":[{"id":"AE-03.13.08E-3-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce 
likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.08E-3-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.13.08E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.08E"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks."},{"id":"DS-A.03.13.08E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.08E"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks."},{"id":"DS-A.03.13.08E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.08E"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks."},{"id":"E-03.13.08E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the use of decoys\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.08E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem 
developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.08E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing decoys"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.08E"},{"name":"label","value":"03.13.08E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Decoys"},{"id":"SP_800_172_3_0_0_03.13.09E","class":"security_requirement","links":[{"rel":"external_reference","href":"#95fb039d-3545-402c-a17a-86e1e6e87eac"}],"parts":[{"id":"ES-03.13.09E","name":"statement","prose":"Isolate {{ insert: param, A.03.13.09E.ODP.01 }} from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system. "},{"id":"D-03.13.09E","name":"guidance","class":"discussion","prose":"Physically separate subnetworks with managed interfaces are useful for isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations. 
This requirement enhances SP 800-171 requirement 03.13.01."},{"id":"AE-03.13.09E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.09E-2-effect","name":"item","class":"Preclude-AE-03.13.09E-2","parts":[{"id":"AE-03.13.09E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.09E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.09E-3-effect","name":"item","class":"Impede-AE-03.13.09E-3","parts":[{"id":"AE-03.13.09E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.09E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.13.09E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.09E"}],"prose":" {{ insert: param, A.03.13.09E.ODP.01 }} are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system. 
"},{"id":"E-03.13.09E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of security tools and support components to be isolated from other internal system components\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.09E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel with boundary protection responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.09E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the isolation of information security tools, mechanisms, and support components"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.09E"},{"name":"label","value":"03.13.09E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Isolation of Security Tools, Mechanisms, and Support Components","params":[{"id":"A.03.13.09E.ODP.01","label":"information security tools, mechanisms, and support components","props":[{"name":"label","value":"A.03.13.09E.ODP[01]"}],"usage":"organization-defined information security tools, mechanisms, and support components","guidelines":[{"prose":"information security tools, mechanisms, and support components to be isolated from other internal system components are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.10E","class":"security_requirement","links":[{"rel":"external_reference","href":"#effd14dc-1623-49e6-91ef-80b6cbb39810"}],"parts":[{"id":"ES-03.13.10E","name":"statement","prose":"Implement separate network addresses to connect to systems in different security domains."},{"id":"D-03.13.10E","name":"guidance","class":"discussion","prose":"The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains. This requirement enhances SP 800-171 requirement 03.13.01."},{"id":"AE-03.13.10E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.10E-2-effect","name":"item","class":"Preclude-AE-03.13.10E-2","parts":[{"id":"AE-03.13.10E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.10E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.10E-3-effect","name":"item","class":"Impede-AE-03.13.10E-3","parts":[{"id":"AE-03.13.10E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.10E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or 
consequences."},{"id":"AE-03.13.10E-4-effect","name":"item","class":"Limit-AE-03.13.10E-4","parts":[{"id":"AE-03.13.10E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.10E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.13.10E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.10E"}],"prose":"separate network addresses are implemented to connect to systems in different security domains."},{"id":"E-03.13.10E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.10E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\nsystem developers\n\npersonnel with boundary protection responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.10E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing separate network addresses or different 
subnets"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.10E"},{"name":"label","value":"03.13.10E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Separate Subnetworks"},{"id":"SP_800_172_3_0_0_03.13.11E","class":"security_requirement","links":[{"rel":"external_reference","href":"#9b7ff92a-3a53-41b7-a650-32aa59e68dc6"}],"parts":[{"id":"ES-03.13.11E","name":"statement","prose":"Employ minimal functionality and information storage on the following system components: {{ insert: param, A.03.13.11E.ODP.01 }}. "},{"id":"D-03.13.11E","name":"guidance","class":"discussion","prose":"The deployment of system components with minimal functionality reduces the need to secure every endpoint and may reduce the exposure of information, systems, and services to attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.11E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.11E-2-effect","name":"item","class":"Preclude-AE-03.13.11E-2","parts":[{"id":"AE-03.13.11E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.11E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.11E-3-effect","name":"item","class":"Impede-AE-03.13.11E-3","parts":[{"id":"AE-03.13.11E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.11E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.13.11E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.11E"}],"prose":"minimal functionality for {{ insert: param, A.03.13.11E.ODP.01 }} is employed. "},{"id":"DS-A.03.13.11E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.11E"}],"prose":"minimal information storage on {{ insert: param, A.03.13.11E.ODP.01 }} is employed. 
"},{"id":"E-03.13.11E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing use of thin nodes\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.11E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.11E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing thin nodes"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.11E"},{"name":"label","value":"03.13.11E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Thin Nodes","params":[{"id":"A.03.13.11E.ODP.01","label":"system components","props":[{"name":"label","value":"A.03.13.11E.ODP[01]"}],"usage":"organization-defined system components","guidelines":[{"prose":"system components to be implemented with minimal functionality and information storage are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.12E","class":"security_requirement","links":[{"rel":"external_reference","href":"#ac3ee5df-95ed-4249-9798-9db701a6d335"}],"parts":[{"id":"ES-03.13.12E","name":"statement","parts":[{"id":"ES-03.13.12E-a","name":"item","props":[{"name":"label","value":"ES-03.13.12E-a"}],"prose":" {{ insert: param, A.03.13.12E.ODP.01 }} the effects of the following types of denial-of-service events: {{ insert: param, A.03.13.12E.ODP.02 }}. 
"},{"id":"ES-03.13.12E-b","name":"item","props":[{"name":"label","value":"ES-03.13.12E-b"}],"prose":"Employ the following safeguards to prevent the denial-of-service events {{ insert: param, A.03.13.12E.ODP.03 }}. "}]},{"id":"D-03.13.12E","name":"guidance","class":"discussion","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.13.12E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.12E-2-effect","name":"item","class":"Preclude-AE-03.13.12E-2","parts":[{"id":"AE-03.13.12E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.12E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt and negate)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.12E-3-effect","name":"item","class":"Impede-AE-03.13.12E-3","parts":[{"id":"AE-03.13.12E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.12E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.12E-4-effect","name":"item","class":"Limit-AE-03.13.12E-4","parts":[{"id":"AE-03.13.12E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.12E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business 
impacts."}]},{"id":"DS-A.03.13.12E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.12E-a"}],"prose":"the effects of {{ insert: param, A.03.13.12E.ODP.01 }} are {{ insert: param, A.03.13.12E.ODP.02 }}. "},{"id":"DS-A.03.13.12E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.12E-b"}],"prose":" {{ insert: param, A.03.13.12E.ODP.03 }} are employed to protect against or limit the effects of denial-of-service events. "},{"id":"E-03.13.12E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nsystem design documentation\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.12E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel with incident response responsibilities\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.12E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service 
attacks"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.12E"},{"name":"label","value":"03.13.12E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Denial-of-Service Protection","params":[{"id":"A.03.13.12E.ODP.01","label":"types of denial-of-service events","props":[{"name":"label","value":"A.03.13.12E.ODP[01]"}],"usage":"organization-defined types of denial-of-service events","guidelines":[{"prose":"the types of denial-of-service events to be protected against or limited are defined."}]},{"id":"A.03.13.12E.ODP.02","label":"SELECTED PARAMETER VALUE","props":[{"name":"label","value":"A.03.13.12E.ODP[02]"}],"select":{"choice":["Protect against","Limit"],"how-many":"one"}},{"id":"A.03.13.12E.ODP.03","label":"safeguards","props":[{"name":"label","value":"A.03.13.12E.ODP[03]"}],"usage":"organization-defined safeguards by type of denial-of-service event","guidelines":[{"prose":"the safeguards to prevent the denial-of-service objective by type of denial-of-service event are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.13E","class":"security_requirement","links":[{"rel":"external_reference","href":"#04a6063a-dd8c-4551-a37c-671fac148ada"}],"parts":[{"id":"ES-03.13.13E","name":"statement","prose":" {{ insert: param, A.03.13.13E.ODP.02 }} disable or remove {{ insert: param, A.03.13.13E.ODP.01 }} on the following systems or system components: {{ insert: param, A.03.13.13E.ODP.03 }}. "},{"id":"D-03.13.13E","name":"guidance","class":"discussion","prose":"Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/output (I/O) devices include optical drives (e.g., compact disc and digital versatile disc drives), printers, and network attached storage devices. 
Disabling or removing such connection ports and I/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.13E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.13E-2-effect","name":"item","class":"Preclude-AE-03.13.13E-2","parts":[{"id":"AE-03.13.13E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.13E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.13E-3-effect","name":"item","class":"Impede-AE-03.13.13E-3","parts":[{"id":"AE-03.13.13E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.13E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.13.13E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.13E"}],"prose":" {{ insert: param, A.03.13.13E.ODP.01 }} are {{ insert: param, A.03.13.13E.ODP.02 }} disabled or removed on {{ insert: param, A.03.13.13E.ODP.03 }}. 
"},{"id":"E-03.13.13E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing port and input/output device access\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystems or system components\n\nlist of connection ports or input/output devices to be physically disabled or removed on systems or system components\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.13E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\npersonnel with information security responsibilities\n\npersonnel installing, configuring, and/or maintaining the system"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.13E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the disabling of connection ports or input/output devices"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.13E"},{"name":"label","value":"03.13.13E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Port and Input/Output Device Access","params":[{"id":"A.03.13.13E.ODP.01","label":"connection ports or input/output devices","props":[{"name":"label","value":"A.03.13.13E.ODP[01]"}],"usage":"organization-defined connection ports or input/output devices","guidelines":[{"prose":"connection ports or input/output devices to be disabled or removed are defined."}]},{"id":"A.03.13.13E.ODP.02","label":"SELECTED PARAMETER 
VALUE","props":[{"name":"label","value":"A.03.13.13E.ODP[02]"}],"select":{"choice":["Physically","Logically"],"how-many":"one"}},{"id":"A.03.13.13E.ODP.03","label":"systems or system components","props":[{"name":"label","value":"A.03.13.13E.ODP[03]"}],"usage":"organization-defined systems or system components","guidelines":[{"prose":"systems or system components with connection ports or input/output devices to be disabled or removed are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.14E","class":"security_requirement","links":[{"rel":"external_reference","href":"#18665b72-8cbf-407d-b989-476eeebfcb94"}],"parts":[{"id":"ES-03.13.14E","name":"statement","prose":"Employ a detonation chamber capability within {{ insert: param, A.03.13.14E.ODP.01 }}. "},{"id":"D-03.13.14E","name":"guidance","class":"discussion","prose":"Detonation chambers (also known as dynamic execution environments) allow organizations to open email attachments, execute untrusted or suspicious applications, and execute URL requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, the employment of detonation chambers is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.14E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.14E-2-effect","name":"item","class":"Preclude-AE-03.13.14E-2","parts":[{"id":"AE-03.13.14E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.14E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt and negate)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.14E-3-effect","name":"item","class":"Impede-AE-03.13.14E-3","parts":[{"id":"AE-03.13.14E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.14E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes contain and exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.14E-4-effect","name":"item","class":"Expose-AE-03.13.14E-4","parts":[{"id":"AE-03.13.14E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.13.14E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect and reveal)\n\nReduce risk due to ignorance of threat events and possible 
replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.13.14E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.14E"}],"prose":"a detonation chamber capability is employed within the {{ insert: param, A.03.13.14E.ODP.01 }}. "},{"id":"E-03.13.14E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing detonation chambers\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem design documentation\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.14E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"system/network administrators\n\npersonnel with information security responsibilities\n\npersonnel installing, configuring, and/or maintaining the system"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.14E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the detonation chamber capability"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.14E"},{"name":"label","value":"03.13.14E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Detonation Chambers","params":[{"id":"A.03.13.14E.ODP.01","label":"system, system component, or location","props":[{"name":"label","value":"A.03.13.14E.ODP[01]"}],"usage":"organization-defined system, system component, or location","guidelines":[{"prose":"the system, system 
component, or location in which a detonation chamber capability is to be employed is defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.15E","class":"security_requirement","links":[{"rel":"external_reference","href":"#e4c82123-b3ae-4c4c-98f6-ea4bea002bb3"}],"parts":[{"id":"ES-03.13.15E","name":"statement","prose":"Implement {{ insert: param, A.03.13.15E.ODP.01 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, A.03.13.15E.ODP.02 }}. "},{"id":"D-03.13.15E","name":"guidance","class":"discussion","prose":"Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command-and-control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions. 
This requirement enhances SP 800-171 requirement 03.13.01."},{"id":"AE-03.13.15E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.15E-2-effect","name":"item","class":"Preclude-AE-03.13.15E-2","parts":[{"id":"AE-03.13.15E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.15E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.15E-3-effect","name":"item","class":"Impede-AE-03.13.15E-3","parts":[{"id":"AE-03.13.15E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.15E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.15E-4-effect","name":"item","class":"Limit-AE-03.13.15E-4","parts":[{"id":"AE-03.13.15E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.15E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business 
impacts."}]},{"id":"DS-A.03.13.15E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.15E"}],"prose":"subnetworks are separated {{ insert: param, A.03.13.15E.ODP.01 }} to isolate {{ insert: param, A.03.13.15E.ODP.02 }}. "},{"id":"E-03.13.15E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\ncriticality analysis\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.15E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.15E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms separating critical system components and functions"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.15E"},{"name":"label","value":"03.13.15E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Separate Subnets to Isolate System Components and Functions","params":[{"id":"A.03.13.15E.ODP.01","label":"SELECTED PARAMETER VALUE","props":[{"name":"label","value":"A.03.13.15E.ODP[01]"}],"select":{"choice":["physically","logically"],"how-many":"one"}},{"id":"A.03.13.15E.ODP.02","label":"critical system components and 
functions","props":[{"name":"label","value":"A.03.13.15E.ODP[02]"}],"usage":"organization-defined critical system components and functions","guidelines":[{"prose":"critical system components and functions to be isolated are defined."}]}]},{"id":"SP_800_172_3_0_0_03.13.16E","class":"security_requirement","links":[{"rel":"external_reference","href":"#117fcbce-07f0-43fb-a079-e7dab1db227d"}],"parts":[{"id":"ES-03.13.16E","name":"statement","prose":"Partition the system into {{ insert: param, A.03.13.16E.ODP.01 }} residing in separate {{ insert: param, A.03.13.16E.ODP.02 }} domains or environments based on {{ insert: param, A.03.13.16E.ODP.03 }}. "},{"id":"D-03.13.16E","name":"guidance","class":"discussion","prose":"System partitioning is part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include physically distinct components in separate racks in the same room, critical components in separate rooms, and geographical separation of critical components. Managed interfaces restrict or prohibit network access and information flow among partitioned system components. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.13.16E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.13.16E-2-effect","name":"item","class":"Preclude-AE-03.13.16E-2","parts":[{"id":"AE-03.13.16E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.13.16E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.13.16E-3-effect","name":"item","class":"Impede-AE-03.13.16E-3","parts":[{"id":"AE-03.13.16E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.13.16E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.13.16E-4-effect","name":"item","class":"Limit-AE-03.13.16E-4","parts":[{"id":"AE-03.13.16E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.13.16E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in 
terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.13.16E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.13.16E"}],"prose":"the system is partitioned into {{ insert: param, A.03.13.16E.ODP.01 }} residing in separate {{ insert: param, A.03.13.16E.ODP.02 }} security domains or environments based on {{ insert: param, A.03.13.16E.ODP.03 }}. "},{"id":"E-03.13.16E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system physical domains (or environments)\n\nsystem facility diagrams\n\nsystem network diagrams\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.13.16E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\nsystem developers/integrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.13.16E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the physical separation of system components"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.13.16E"},{"name":"label","value":"03.13.16E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant 
Architecture"}],"title":"System Partitioning","params":[{"id":"A.03.13.16E.ODP.01","label":"system components","props":[{"name":"label","value":"A.03.13.16E.ODP[01]"}],"usage":"organization-defined system components","guidelines":[{"prose":"system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined."}]},{"id":"A.03.13.16E.ODP.02","label":"SELECTED PARAMETER VALUE","props":[{"name":"label","value":"A.03.13.16E.ODP[02]"}],"select":{"choice":["physical","logical"],"how-many":"one"}},{"id":"A.03.13.16E.ODP.03","label":"circumstances","props":[{"name":"label","value":"A.03.13.16E.ODP[03]"}],"usage":"organization-defined circumstances for physical or logical separation of components","guidelines":[{"prose":"circumstances for the physical or logical separation of components are defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.14","class":"family","props":[{"name":"sort-id","value":"03.14"},{"name":"label","value":"System and Information Integrity (3.14)"}],"title":"System and Information Integrity","controls":[{"id":"SP_800_172_3_0_0_03.14.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#8d199f79-e4f0-45c2-b0f7-26e5cabfe9a5"}],"parts":[{"id":"ES-03.14.01E","name":"statement","parts":[{"id":"ES-03.14.01E-a","name":"item","props":[{"name":"label","value":"ES-03.14.01E-a"}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, A.03.14.01E_prm_1 }}. "},{"id":"ES-03.14.01E-b","name":"item","props":[{"name":"label","value":"ES-03.14.01E-b"}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, A.03.14.01E_prm_2 }}. 
"}]},{"id":"D-03.14.01E","name":"guidance","class":"discussion","prose":"Verifying the integrity of security-critical or essential software is an important capability since corrupted software is the primary attack vector used by adversaries to undermine or disrupt the proper functioning of systems. Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes boot firmware, operating systems with key internal components (e.g., kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output Systems (BIOS). Information includes CUI and metadata that contains security attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications. There are many ways to verify software integrity throughout the system development life cycle. Root of trust mechanisms (e.g., secure boot, trusted platform modules, UEFI) verify that only trusted code is executed during boot processes. The employment of cryptographic signatures ensures the integrity and authenticity of critical software that stores, processes, or transmits CUI. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.14.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.01E-2-effect","name":"item","class":"Preclude-AE-03.14.01E-2","parts":[{"id":"AE-03.14.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.01E-3-effect","name":"item","class":"Expose-AE-03.14.01E-3","parts":[{"id":"AE-03.14.01E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.14.01E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.14.01E.a.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.01E-a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, A.03.14.01E.ODP.01 }}. "},{"id":"DS-A.03.14.01E.a.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.01E-a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, A.03.14.01E.ODP.02 }}. 
"},{"id":"DS-A.03.14.01E.a.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.01E-a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, A.03.14.01E.ODP.03 }}. "},{"id":"DS-A.03.14.01E.b.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.01E-b"}],"prose":" {{ insert: param, A.03.14.01E.ODP.04 }} are taken when unauthorized changes to software are detected. "},{"id":"DS-A.03.14.01E.b.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.01E-b"}],"prose":" {{ insert: param, A.03.14.01E.ODP.05 }} are taken when unauthorized changes to firmware are detected. "},{"id":"DS-A.03.14.01E.b.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.01E-b"}],"prose":" {{ insert: param, A.03.14.01E.ODP.06 }} are taken when unauthorized changes to information are detected. "},{"id":"E-03.14.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by system design documentation\n\nintegrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for software, firmware, and/or information integrity\n\npersonnel with information security responsibilities\n\nsystem/network 
administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.01E"},{"name":"label","value":"03.14.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Software, Firmware, and Information Integrity","params":[{"id":"A.03.14.01E_prm_1","label":"organization-defined software, firmware, and information","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.01E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.01E.ODP[02]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.01E.ODP[03]"}]},{"id":"A.03.14.01E_prm_2","label":"organization-defined actions","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.01E.ODP[04]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.01E.ODP[05]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.01E.ODP[06]"}]},{"id":"A.03.14.01E.ODP.01","label":"software","props":[{"name":"label","value":"A.03.14.01E.ODP[01]"}],"usage":"organization-defined software, firmware, and information","guidelines":[{"prose":"software requiring integrity verification tools to be used to detect unauthorized changes is defined."}]},{"id":"A.03.14.01E.ODP.02","label":"firmware","props":[{"name":"label","value":"A.03.14.01E.ODP[02]"}],"usage":"organization-defined software, firmware, and information","guidelines":[{"prose":"firmware requiring integrity verification tools to be used to 
detect unauthorized changes is defined."}]},{"id":"A.03.14.01E.ODP.03","label":"information","props":[{"name":"label","value":"A.03.14.01E.ODP[03]"}],"usage":"organization-defined software, firmware, and information","guidelines":[{"prose":"information requiring integrity verification tools to be used to detect unauthorized changes is defined."}]},{"id":"A.03.14.01E.ODP.04","label":"actions","props":[{"name":"label","value":"A.03.14.01E.ODP[04]"}],"usage":"organization-defined actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to software are detected are defined."}]},{"id":"A.03.14.01E.ODP.05","label":"actions","props":[{"name":"label","value":"A.03.14.01E.ODP[05]"}],"usage":"organization-defined actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to firmware are detected are defined."}]},{"id":"A.03.14.01E.ODP.06","label":"actions","props":[{"name":"label","value":"A.03.14.01E.ODP[06]"}],"usage":"organization-defined actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to information are detected are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.14.06"}],"props":[{"name":"sort-id","value":"03.14.02E"},{"name":"label","value":"03.14.02E"},{"name":"status","value":"withdrawn"}],"title":"03.14.02E"},{"id":"SP_800_172_3_0_0_03.14.03E","class":"security_requirement","links":[{"rel":"incorporated_into","href":"03.13.16E"},{"rel":"incorporated_into","href":"03.15.01E"},{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.12.01"},{"rel":"external_reference","href":"03.13.01"},{"rel":"external_reference","href":"03.16.01"}],"props":[{"name":"sort-id","value":"03.14.03E"},{"name":"label","value":"03.14.03E"},{"name":"status","value":"withdrawn"}],"title":"03.14.03E"},{"id":"SP_800_172_3_0_0_03.14.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#adf73f5c-2f89-46a2-a396-0de1155d5ba2"}],"parts":[{"id":"ES-03.14.04E","name":"statement","prose":"Obtain software and data employed during system component and service refreshes from the following trusted sources: {{ insert: param, A.03.14.04E.ODP.01 }}. "},{"id":"D-03.14.04E","name":"guidance","class":"discussion","prose":"Trusted sources include software and data from write-once, read-only media or from selected offline secure storage facilities. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.14.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.04E-2-effect","name":"item","class":"Preclude-AE-03.14.04E-2","parts":[{"id":"AE-03.14.04E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.04E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.04E-3-effect","name":"item","class":"Impede-AE-03.14.04E-3","parts":[{"id":"AE-03.14.04E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.14.04E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.14.04E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.04E"}],"prose":"the software and data used during system component and service refreshes are obtained from {{ insert: param, A.03.14.04E.ODP.01 }} . 
"},{"id":"E-03.14.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem design documentation\n\nprocedures addressing non-persistence for system components\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for obtaining component and service refreshes from trusted sources\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for defining and obtaining component and service refreshes from trusted sources\n\nautomated mechanisms supporting and/or implementing component and service refreshes"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.04E"},{"name":"label","value":"03.14.04E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Refresh From Trusted Sources","params":[{"id":"A.03.14.04E.ODP.01","label":"trusted sources","props":[{"name":"label","value":"A.03.14.04E.ODP[01]"}],"usage":"organization-defined trusted sources","guidelines":[{"prose":"trusted sources to obtain software and data for system component and service refreshes are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.05E","class":"security_requirement","links":[{"rel":"external_reference","href":"#beff0086-196f-4989-aeb3-6e2178ac04b9"}],"parts":[{"id":"ES-03.14.05E","name":"statement","parts":[{"id":"ES-03.14.05E-a","name":"item","props":[{"name":"label","value":"ES-03.14.05E-a"}],"prose":" {{ insert: param, A.03.14.05E.ODP.01 }}. "},{"id":"ES-03.14.05E-b","name":"item","props":[{"name":"label","value":"ES-03.14.05E-b"}],"prose":"Delete information when no longer needed."}]},{"id":"D-03.14.05E","name":"guidance","class":"discussion","prose":"Retaining information longer than is required makes that information a potential target for advanced adversaries searching for high value assets to compromise through unauthorized disclosure, unauthorized modification, or exfiltration. For system-related information, unnecessary retention provides adversaries with information that can assist in their reconnaissance and lateral movement through the system. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.14.05E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.05E-2-effect","name":"item","class":"Preclude-AE-03.14.05E-2","parts":[{"id":"AE-03.14.05E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.05E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.05E-3-effect","name":"item","class":"Impede-AE-03.14.05E-3","parts":[{"id":"AE-03.14.05E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce 
likelihood of impact and reduce level of impact."},{"id":"AE-03.14.05E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.14.05E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.05E-a"}],"prose":" {{ insert: param, A.03.14.05E.ODP.01 }} is performed. "},{"id":"DS-A.03.14.05E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.05E-b"}],"prose":"information is deleted when no longer needed."},{"id":"E-03.14.05E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.05E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for ensuring that information is and remains non-persistent\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.05E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for ensuring that information is and remains non-persistent\n\nautomated mechanisms supporting and/or implementing component and service 
refreshes"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.05E"},{"name":"label","value":"03.14.05E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Non-Persistent Information","params":[{"id":"A.03.14.05E.ODP.01","label":"SELECTED PARAMETER VALUE","props":[{"name":"label","value":"A.03.14.05E.ODP[01]"}],"select":{"choice":["Refresh {{ insert: param, A.03.14.05E.ODP.02 }} {{ insert: param, A.03.14.05E.ODP.03 }} ","Generate {{ insert: param, A.03.14.05E.ODP.04 }} on demand "],"how-many":"one"}},{"id":"A.03.14.05E.ODP.02","label":"information","props":[{"name":"label","value":"A.03.14.05E.ODP[02]"}],"usage":"organization-defined information","guidelines":[{"prose":"the information to be refreshed is defined (if selected)."}]},{"id":"A.03.14.05E.ODP.03","label":"frequency","props":[{"name":"label","value":"A.03.14.05E.ODP[03]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to refresh information is defined (if selected)."}]},{"id":"A.03.14.05E.ODP.04","label":"information","props":[{"name":"label","value":"A.03.14.05E.ODP[04]"}],"usage":"organization-defined information on demand","guidelines":[{"prose":"the information to be generated on demand is defined (if 
selected)."}]}]},{"id":"SP_800_172_3_0_0_03.14.06E","class":"security_requirement","links":[{"rel":"incorporated_into","href":"03.11.02E"},{"rel":"incorporated_into","href":"03.11.09E"}],"props":[{"name":"sort-id","value":"03.14.06E"},{"name":"label","value":"03.14.06E"},{"name":"status","value":"withdrawn"}],"title":"03.14.06E"},{"id":"SP_800_172_3_0_0_03.14.07E","class":"security_requirement","links":[{"rel":"incorporated_into","href":"03.14.08E"},{"rel":"incorporated_into","href":"03.14.10E"},{"rel":"incorporated_into","href":"03.14.14E"},{"rel":"incorporated_into","href":"03.17.03E"},{"rel":"external_reference","href":"#bc9414f9-b22d-4945-8949-7f0d02441f6f"},{"rel":"external_reference","href":"03.16.01"}],"props":[{"name":"sort-id","value":"03.14.07E"},{"name":"label","value":"03.14.07E"},{"name":"status","value":"withdrawn"}],"title":"03.14.07E"},{"id":"SP_800_172_3_0_0_03.14.08E","class":"security_requirement","links":[{"rel":"external_reference","href":"#1459a6a5-b679-4bdc-ab0b-4ddd92428c0a"}],"parts":[{"id":"ES-03.14.08E","name":"statement","prose":"Perform an integrity check of {{ insert: param, A.03.14.08E_prm_1 }} {{ insert: param, A.03.14.08E.ODP.02 }}. "},{"id":"D-03.14.08E","name":"guidance","class":"discussion","prose":"Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.14.08E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.08E-2-effect","name":"item","class":"Preclude-AE-03.14.08E-2","parts":[{"id":"AE-03.14.08E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.08E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.08E-3-effect","name":"item","class":"Impede-AE-03.14.08E-3","parts":[{"id":"AE-03.14.08E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.14.08E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.14.08E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.08E"}],"prose":"an integrity check of {{ insert: param, A.03.14.08E.ODP.01 }} is performed {{ insert: param, A.03.14.08E.ODP.02 }}. "},{"id":"DS-A.03.14.08E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.08E"}],"prose":"an integrity check of {{ insert: param, A.03.14.08E.ODP.05 }} is performed {{ insert: param, A.03.14.08E.ODP.06 }}. 
"},{"id":"DS-A.03.14.08E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.08E"}],"prose":"an integrity check of {{ insert: param, A.03.14.08E.ODP.09 }} is performed {{ insert: param, A.03.14.08E.ODP.10 }}. "},{"id":"E-03.14.08E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.08E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for software, firmware, and/or information integrity\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.08E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.08E"},{"name":"label","value":"03.14.08E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Integrity Checks","params":[{"id":"A.03.14.08E_prm_1","label":"organization-defined software, firmware, and 
information","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[01]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[05]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[09]"}]},{"id":"A.03.14.08E_prm_2","label":"organization-defined transitional states or security-relevant events","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[03]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[07]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[11]"}]},{"id":"A.03.14.08E_prm_3","label":"organization-defined frequency","props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[04]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[08]"},{"ns":"http://csrc.nist.gov/ns/rmf","name":"aggregates","value":"A.03.14.08E.ODP[12]"}]},{"id":"A.03.14.08E.ODP.01","label":"software","props":[{"name":"label","value":"A.03.14.08E.ODP[01]"}],"usage":"organization-defined software, firmware, and information","guidelines":[{"prose":"software on which an integrity check is to be performed is defined."}]},{"id":"A.03.14.08E.ODP.02","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.14.08E.ODP[02]"}],"select":{"choice":["at startup","at {{ insert: param, A.03.14.08E.ODP.03 }} "," {{ insert: param, A.03.14.08E.ODP.04 }} "],"how-many":"one-or-more"}},{"id":"A.03.14.08E.ODP.05","label":"firmware","props":[{"name":"label","value":"A.03.14.08E.ODP[05]"}],"usage":"organization-defined software, firmware, and information","guidelines":[{"prose":"firmware on which an integrity check is to be performed is defined."}]},{"id":"A.03.14.08E.ODP.06","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.14.08E.ODP[06]"}],"select":{"choice":["at startup","at {{ insert: param, 
A.03.14.08E.ODP.07 }} "," {{ insert: param, A.03.14.08E.ODP.08 }} "],"how-many":"one-or-more"}},{"id":"A.03.14.08E.ODP.09","label":"information","props":[{"name":"label","value":"A.03.14.08E.ODP[09]"}],"usage":"organization-defined software, firmware, and information","guidelines":[{"prose":"information on which an integrity check is to be performed is defined."}]},{"id":"A.03.14.08E.ODP.10","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.14.08E.ODP[10]"}],"select":{"choice":["at startup","at {{ insert: param, A.03.14.08E.ODP.11 }} "," {{ insert: param, A.03.14.08E.ODP.12 }} "],"how-many":"one-or-more"}},{"id":"A.03.14.08E.ODP.03","label":"transitional states or security-relevant events","props":[{"name":"label","value":"A.03.14.08E.ODP[03]"}],"usage":"organization-defined transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected)."}]},{"id":"A.03.14.08E.ODP.04","label":"frequency","props":[{"name":"label","value":"A.03.14.08E.ODP[04]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to perform an integrity check (on software) is defined (if selected)."}]},{"id":"A.03.14.08E.ODP.07","label":"transitional states or security-relevant events","props":[{"name":"label","value":"A.03.14.08E.ODP[07]"}],"usage":"organization-defined transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected)."}]},{"id":"A.03.14.08E.ODP.08","label":"frequency","props":[{"name":"label","value":"A.03.14.08E.ODP[08]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to perform an integrity check (on firmware) is defined (if selected)."}]},{"id":"A.03.14.08E.ODP.11","label":"transitional states or security-relevant 
events","props":[{"name":"label","value":"A.03.14.08E.ODP[11]"}],"usage":"organization-defined transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected)."}]},{"id":"A.03.14.08E.ODP.12","label":"frequency","props":[{"name":"label","value":"A.03.14.08E.ODP[12]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to perform an integrity check (of information) is defined (if selected)."}]}]},{"id":"SP_800_172_3_0_0_03.14.09E","class":"security_requirement","links":[{"rel":"external_reference","href":"#dd824f5a-d0bc-409d-bef9-6e1194f20aaa"}],"parts":[{"id":"ES-03.14.09E","name":"statement","prose":"Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information."},{"id":"D-03.14.09E","name":"guidance","class":"discussion","prose":"Cryptographic mechanisms used to protect integrity include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Organizations that use cryptographic mechanisms also consider cryptographic key management solutions. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.14.09E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.09E-2-effect","name":"item","class":"Preclude-AE-03.14.09E-2","parts":[{"id":"AE-03.14.09E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.09E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.09E-3-effect","name":"item","class":"Impede-AE-03.14.09E-3","parts":[{"id":"AE-03.14.09E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.14.09E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.14.09E-4-effect","name":"item","class":"Expose-AE-03.14.09E-4","parts":[{"id":"AE-03.14.09E-4-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.14.09E-4-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events 
in the same or similar environments."}]},{"id":"DS-A.03.14.09E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.09E"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to software."},{"id":"DS-A.03.14.09E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.09E"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to firmware."},{"id":"DS-A.03.14.09E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.09E"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to information."},{"id":"E-03.14.09E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\ncryptographic mechanisms and associated documentation\n\nrecords of detected unauthorized changes to software, firmware, and information\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.09E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for software, firmware, and/or information integrity\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.09E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\ncryptographic mechanisms implementing software, firmware, and 
information integrity"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.09E"},{"name":"label","value":"03.14.09E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Cryptographic Protection"},{"id":"SP_800_172_3_0_0_03.14.10E","class":"security_requirement","links":[{"rel":"external_reference","href":"#d793c207-dfae-49c1-a3fe-275357ccd5e0"}],"parts":[{"id":"ES-03.14.10E","name":"statement","prose":"Implement the following mechanisms to protect the integrity of boot firmware in {{ insert: param, A.03.14.10E.ODP.02 }}: {{ insert: param, A.03.14.10E.ODP.01 }}. "},{"id":"D-03.14.10E","name":"guidance","class":"discussion","prose":"Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence. These situations can occur if the firmware is corrupted or malicious code is embedded in the firmware. System components can protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.14.10E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.10E-2-effect","name":"item","class":"Preclude-AE-03.14.10E-2","parts":[{"id":"AE-03.14.10E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.10E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.10E-3-effect","name":"item","class":"Impede-AE-03.14.10E-3","parts":[{"id":"AE-03.14.10E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.14.10E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.14.10E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.10E"}],"prose":" {{ insert: param, A.03.14.10E.ODP.01 }} are implemented to protect the integrity of boot firmware in {{ insert: param, A.03.14.10E.ODP.02 }}. 
"},{"id":"E-03.14.10E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nintegrity verification tools and associated documentation\n\nrecords of integrity verification scans\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.10E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for software, firmware, and/or information integrity\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developer"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.10E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and/or implementing protection of the integrity of boot firmware\n\nsafeguards implementing protection of the integrity of boot firmware"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.10E"},{"name":"label","value":"03.14.10E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Protection of Boot Firmware","params":[{"id":"A.03.14.10E.ODP.01","label":"mechanisms","props":[{"name":"label","value":"A.03.14.10E.ODP[01]"}],"usage":"organization-defined mechanisms","guidelines":[{"prose":"mechanisms to be implemented to protect the integrity of boot firmware in system components are 
defined."}]},{"id":"A.03.14.10E.ODP.02","label":"system components","props":[{"name":"label","value":"A.03.14.10E.ODP[02]"}],"usage":"organization-defined system components","guidelines":[{"prose":"system components requiring mechanisms to protect the integrity of boot firmware are defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.11E","class":"security_requirement","links":[{"rel":"external_reference","href":"#9e227fcf-f52c-4041-b5b3-f1092eba1722"}],"parts":[{"id":"ES-03.14.11E","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, A.03.14.11E.ODP.01 }}. "},{"id":"D-03.14.11E","name":"guidance","class":"discussion","prose":"Integrating detection and response ensures that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.14.11E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.11E-2-effect","name":"item","class":"Expose-AE-03.14.11E-2","parts":[{"id":"AE-03.14.11E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.14.11E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.14.11E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.11E"}],"prose":"the detection of {{ insert: param, A.03.14.11E.ODP.01 }} is incorporated into the organizational incident response capability. 
"},{"id":"E-03.14.11E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.11E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for software, firmware, and/or information integrity\n\npersonnel with information security responsibilities\n\npersonnel with incident response responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.11E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nmechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.11E"},{"name":"label","value":"03.14.11E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Integration of Detection and Response","params":[{"id":"A.03.14.11E.ODP.01","label":"changes","props":[{"name":"label","value":"A.03.14.11E.ODP[01]"}],"usage":"organization-defined security-relevant changes to the 
system","guidelines":[{"prose":"security-relevant changes to the system are defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.12E","class":"security_requirement","links":[{"rel":"external_reference","href":"#1e23e735-ce8a-4926-a059-62917d299f90"}],"parts":[{"id":"ES-03.14.12E","name":"statement","prose":"Check the validity of the following information inputs: {{ insert: param, A.03.14.12E.ODP.01 }}. "},{"id":"D-03.14.12E","name":"guidance","class":"discussion","prose":"Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform incorrect operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks, such as cross-site scripting and a variety of injection attacks. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.14.12E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.12E-2-effect","name":"item","class":"Preclude-AE-03.14.12E-2","parts":[{"id":"AE-03.14.12E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.12E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.14.12E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.12E"}],"prose":"the validity of the {{ insert: param, A.03.14.12E.ODP.01 }} is checked. "},{"id":"E-03.14.12E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.12E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for information input validation\n\npersonnel with information security responsibilities\n\nsystem/network 
administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.12E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing validity checks on information inputs"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.12E"},{"name":"label","value":"03.14.12E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Information Input Validation","params":[{"id":"A.03.14.12E.ODP.01","label":"information inputs","props":[{"name":"label","value":"A.03.14.12E.ODP[01]"}],"usage":"organization-defined information inputs to the system","guidelines":[{"prose":"information inputs to the system requiring validity checks are defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.13E","class":"security_requirement","links":[{"rel":"external_reference","href":"#2a69a8f9-296d-45dc-bfc1-e8f665511f51"}],"parts":[{"id":"ES-03.14.13E","name":"statement","parts":[{"id":"ES-03.14.13E-a","name":"item","props":[{"name":"label","value":"ES-03.14.13E-a"}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited."},{"id":"ES-03.14.13E-b","name":"item","props":[{"name":"label","value":"ES-03.14.13E-b"}],"prose":"Reveal error messages only to {{ insert: param, A.03.14.13E.ODP.01 }}. "}]},{"id":"D-03.14.13E","name":"guidance","class":"discussion","prose":"Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. 
Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, Social Security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information. This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.14.13E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.13E-2-effect","name":"item","class":"Preclude-AE-03.14.13E-2","parts":[{"id":"AE-03.14.13E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.13E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."}]},{"id":"DS-A.03.14.13E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.13E-a"}],"prose":"error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited."},{"id":"DS-A.03.14.13E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.13E-b"}],"prose":"error messages are revealed only to {{ insert: param, A.03.14.13E.ODP.01 }}. 
"},{"id":"E-03.14.13E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.13E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for information input validation\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.13E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for error handling\n\nautomated mechanisms supporting and/or implementing error handling\n\nautomated mechanisms supporting and/or implementing the management of error messages"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.13E"},{"name":"label","value":"03.14.13E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Error Handling","params":[{"id":"A.03.14.13E.ODP.01","label":"personnel or roles","props":[{"name":"label","value":"A.03.14.13E.ODP[01]"}],"usage":"organization-defined personnel or roles","guidelines":[{"prose":"personnel or roles to whom error messages are to be revealed are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.14E","class":"security_requirement","links":[{"rel":"external_reference","href":"#c1f8b5b2-745f-4fad-866a-52c879617eb2"}],"parts":[{"id":"ES-03.14.14E","name":"statement","prose":"Implement the following safeguards to protect the system memory from unauthorized code execution: {{ insert: param, A.03.14.14E.ODP.01 }}. "},{"id":"D-03.14.14E","name":"guidance","class":"discussion","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. The safeguards used to protect memory include data execution prevention and address space layout randomization (ASLR). Data execution prevention safeguards can be hardware- or software-enforced with hardware enforcement providing the greater strength of mechanism. This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.14.14E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.14E-2-effect","name":"item","class":"Preclude-AE-03.14.14E-2","parts":[{"id":"AE-03.14.14E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.14E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.14E-3-effect","name":"item","class":"Impede-AE-03.14.14E-3","parts":[{"id":"AE-03.14.14E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.14.14E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full 
effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.14.14E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.14E"}],"prose":" {{ insert: param, A.03.14.14E.ODP.01 }} are implemented to protect the system memory from unauthorized code execution. "},{"id":"E-03.14.14E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.14E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for memory protection\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.14E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.14E"},{"name":"label","value":"03.14.14E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant 
Architecture"}],"title":"Memory Protection","params":[{"id":"A.03.14.14E.ODP.01","label":"safeguards","props":[{"name":"label","value":"A.03.14.14E.ODP[01]"}],"usage":"organization-defined safeguards","guidelines":[{"prose":"safeguards to be implemented to protect the system memory from unauthorized code execution are defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.15E","class":"security_requirement","links":[{"rel":"external_reference","href":"#ae948168-1f68-4e95-a0da-72bd7287d7ed"}],"parts":[{"id":"ES-03.14.15E","name":"statement","parts":[{"id":"ES-03.14.15E-a","name":"item","props":[{"name":"label","value":"ES-03.14.15E-a"}],"prose":"Implement non-persistent {{ insert: param, A.03.14.15E.ODP.01 }}. "},{"id":"ES-03.14.15E-b","name":"item","props":[{"name":"label","value":"ES-03.14.15E-b"}],"prose":"Initiate non-persistent {{ insert: param, A.03.14.15E.ODP.01 }} from a known state. "},{"id":"ES-03.14.15E-c","name":"item","props":[{"name":"label","value":"ES-03.14.15E-c"}],"prose":"Terminate non-persistent {{ insert: param, A.03.14.15E.ODP.01 }} {{ insert: param, A.03.14.15E.ODP.02 }}. "}]},{"id":"D-03.14.15E","name":"guidance","class":"discussion","prose":"Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components and services, organizations can provide a trusted computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in their systems and operating environments. The use of non-persistent components and services mitigates risk by limiting the targeting capability of adversaries (i.e., reducing the window of opportunity and available attack surface) to initiate and complete attacks. 
Non-persistent system components and services are activated as required from a known (trusted) state and terminated periodically or at the end of sessions. The use of non-persistent system components and services also increases the work factor of adversaries.\n\nNon-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtual machines or as new instances of processes on physical machines (persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to determine in advance whether compromises have occurred, which may be difficult or impossible. The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks but not with such frequency that it makes the system unstable. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.14.15E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.15E-2-effect","name":"item","class":"Preclude-AE-03.14.15E-2","parts":[{"id":"AE-03.14.15E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.14.15E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.14.15E-3-effect","name":"item","class":"Impede-AE-03.14.15E-3","parts":[{"id":"AE-03.14.15E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce 
likelihood of impact and reduce level of impact."},{"id":"AE-03.14.15E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.14.15E-4-effect","name":"item","class":"Limit-AE-03.14.15E-4","parts":[{"id":"AE-03.14.15E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.14.15E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.14.15E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.15E-a"}],"prose":" {{ insert: param, A.03.14.15E.ODP.01 }} are implemented. "},{"id":"DS-A.03.14.15E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.15E-b"}],"prose":" {{ insert: param, A.03.14.15E.ODP.01 }} are initiated from a known state. "},{"id":"DS-A.03.14.15E.c","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.15E-c"}],"prose":" {{ insert: param, A.03.14.15E.ODP.01 }} are terminated {{ insert: param, A.03.14.15E.ODP.02 }}. 
"},{"id":"E-03.14.15E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem design documentation\n\nprocedures addressing non-persistence for system components\n\nsystem security plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.15E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for non-persistence\n\npersonnel with information security responsibilities\n\nsystem/network administrators\n\nsystem developers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.15E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and/or implementing the initiation and termination of non-persistent components"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.15E"},{"name":"label","value":"03.14.15E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Non-Persistent System Components and Services","params":[{"id":"A.03.14.15E.ODP.01","label":"non-persistent system components and services","props":[{"name":"label","value":"A.03.14.15E.ODP[01]"}],"usage":"organization-defined system components and services","guidelines":[{"prose":"non-persistent system components and services to be implemented are defined."}]},{"id":"A.03.14.15E.ODP.02","label":"SELECTED PARAMETER 
VALUE(S)","props":[{"name":"label","value":"A.03.14.15E.ODP[02]"}],"select":{"choice":["upon end of session of use"," {{ insert: param, A.03.14.15E.ODP.03 }} "],"how-many":"one-or-more"}},{"id":"A.03.14.15E.ODP.03","label":"frequency","props":[{"name":"label","value":"A.03.14.15E.ODP[03]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined (if selected)."}]}]},{"id":"SP_800_172_3_0_0_03.14.16E","class":"security_requirement","links":[{"rel":"external_reference","href":"#53381f5b-db26-46ca-9d15-e87a315aacd2"}],"parts":[{"id":"ES-03.14.16E","name":"statement","prose":"Embed data or capabilities in the following systems or system components to determine if CUI has been exfiltrated or improperly removed from the organization: {{ insert: param, A.03.14.16E.ODP.01 }} . "},{"id":"D-03.14.16E","name":"guidance","class":"discussion","prose":"Many cyber-attacks target organizational information or information that the organization holds on behalf of other entities with the intent to exfiltrate that information. In addition, insider attacks and erroneous user procedures can remove information from the system in violation of organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach includes embedding false data or steganographic data in files to enable the data to be found via open-source analysis. 
An active tainting approach can include embedding software in the data that is able to \"call home,\" thereby alerting the organization to its capture and possibly its location and the path by which it was exfiltrated or removed. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets. "},{"id":"AE-03.14.16E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.16E-2-effect","name":"item","class":"Expose-AE-03.14.16E-2","parts":[{"id":"AE-03.14.16E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.14.16E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.14.16E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.16E"}],"prose":"data or capabilities are embedded in {{ insert: param, A.03.14.16E.ODP.01 }} to determine if CUI has been exfiltrated or improperly removed from the organization. 
"},{"id":"E-03.14.16E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npolicy and procedures addressing the systems security engineering technique of deception\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.16E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel responsible for detecting tainted data\n\npersonnel with systems security engineering responsibilities\n\npersonnel with information security responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.16E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Automated mechanisms for post-breach detection\n\ndecoys, traps, lures, and methods for deceiving adversaries\n\ndetection and notification mechanisms"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.16E"},{"name":"label","value":"03.14.16E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Tainting","params":[{"id":"A.03.14.16E.ODP.01","label":"systems or system components","props":[{"name":"label","value":"A.03.14.16E.ODP[01]"}],"usage":"organization-defined systems or system components","guidelines":[{"prose":"systems or system components with data or capabilities to be embedded are 
defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.17E","class":"security_requirement","links":[{"rel":"external_reference","href":"#bfa6b5c5-af66-4636-9e43-81da8442debc"}],"parts":[{"id":"ES-03.14.17E","name":"statement","prose":"Alert {{ insert: param, A.03.14.17E.ODP.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, A.03.14.17E.ODP.02 }}. "},{"id":"D-03.14.17E","name":"guidance","class":"discussion","prose":"Alerts may be generated from different sources internal to the system, including audit records, inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Compromise indicators could include CUI being accessed by unauthorized users or when CUI traverses architecture outside of defined data flows. Alerts can be automated and transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners or stewards, chief information security officers, and system security officers. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.14.17E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.17E-2-effect","name":"item","class":"Expose-AE-03.14.17E-2","parts":[{"id":"AE-03.14.17E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.14.17E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.14.17E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.17E"}],"prose":" {{ insert: param, A.03.14.17E.ODP.01 }} are alerted when system-generated {{ insert: param, A.03.14.17E.ODP.02 }} occur. 
"},{"id":"E-03.14.17E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nsystem audit records\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nlist of personnel selected to receive alerts\n\nsystem configuration settings and associated documentation\n\ndocumentation of alerts generated based on compromise indicators\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.17E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with information security responsibilities\n\nsystem developers\n\npersonnel installing, configuring, and/or maintaining the system\n\npersonnel responsible for monitoring the system\n\npersonnel on the system alert notification list\n\npersonnel responsible for the intrusion detection system\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.17E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for intrusion detection and system monitoring\n\nmechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and/or implementing alerts for compromise indicators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.17E"},{"name":"label","value":"03.14.17E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"System-Generated Alerts","params":[{"id":"A.03.14.17E.ODP.01","label":"personnel or 
roles","props":[{"name":"label","value":"A.03.14.17E.ODP[01]"}],"usage":"organization-defined personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of compromise or potential compromise occur are defined."}]},{"id":"A.03.14.17E.ODP.02","label":"indicators of compromise","props":[{"name":"label","value":"A.03.14.17E.ODP[02]"}],"usage":"organization-defined indicators of compromise","guidelines":[{"prose":"compromise indicators are defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.18E","class":"security_requirement","links":[{"rel":"external_reference","href":"#8ac7e0f0-2899-41c1-80a5-2edee2123d55"}],"parts":[{"id":"ES-03.14.18E","name":"statement","prose":"Alert {{ insert: param, A.03.14.18E.ODP.01 }} using {{ insert: param, A.03.14.18E.ODP.02 }} when the following indications of inappropriate or unusual activities with security implications occur: {{ insert: param, A.03.14.18E.ODP.03 }}. "},{"id":"D-03.14.18E","name":"guidance","class":"discussion","prose":"Organization-generated alerts are focused on information sources that are external to the system, such as suspicious activity reports and reports on potential insider threats. Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, chief information security officers, and system security officers. 
This requirement enhances SP 800-171 requirement 03.14.06."},{"id":"AE-03.14.18E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.18E-2-effect","name":"item","class":"Expose-AE-03.14.18E-2","parts":[{"id":"AE-03.14.18E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.14.18E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.14.18E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.18E"}],"prose":" {{ insert: param, A.03.14.18E.ODP.01 }} are alerted using {{ insert: param, A.03.14.18E.ODP.02 }} when {{ insert: param, A.03.14.18E.ODP.03 }} indicate inappropriate or unusual activities with security implications. 
"},{"id":"E-03.14.18E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nlist of inappropriate or unusual activities with security implications that trigger alerts\n\nsuspicious activity reports\n\nsystem monitoring tools and techniques documentation\n\nsystem design documentation\n\nprocedures addressing system monitoring tools and techniques\n\nalerts provided to security personnel\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.18E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with information security responsibilities\n\nsystem developers\n\npersonnel installing, configuring, and/or maintaining the system\n\npersonnel responsible for monitoring the system\n\npersonnel responsible for the intrusion detection system\n\nsystem/network administrators"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.18E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for intrusion detection and system monitoring\n\nautomated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities\n\nautomated mechanisms supporting and/or implementing automated alerts to security personnel"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.18E"},{"name":"label","value":"03.14.18E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Automated Organization-Generated 
Alerts","params":[{"id":"A.03.14.18E.ODP.01","label":"personnel or roles","props":[{"name":"label","value":"A.03.14.18E.ODP[01]"}],"usage":"organization-defined personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of inappropriate or unusual activity with security implications occur are defined."}]},{"id":"A.03.14.18E.ODP.02","label":"automated mechanisms","props":[{"name":"label","value":"A.03.14.18E.ODP[02]"}],"usage":"organization-defined automated mechanisms","guidelines":[{"prose":"automated mechanisms used to alert personnel or roles are defined."}]},{"id":"A.03.14.18E.ODP.03","label":"activities","props":[{"name":"label","value":"A.03.14.18E.ODP[03]"}],"usage":"organization-defined activities that trigger alerts","guidelines":[{"prose":"activities that trigger alerts to personnel or roles are defined."}]}]},{"id":"SP_800_172_3_0_0_03.14.19E","class":"security_requirement","links":[{"rel":"external_reference","href":"#e3aa04eb-1005-43db-837a-edbd32169044"}],"parts":[{"id":"ES-03.14.19E","name":"statement","prose":"Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."},{"id":"D-03.14.19E","name":"guidance","class":"discussion","prose":"Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems. 
This requirement enhances SP 800-171 requirement 03.14.06 and 03.01.16."},{"id":"AE-03.14.19E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.14.19E-2-effect","name":"item","class":"Expose-AE-03.14.19E-2","parts":[{"id":"AE-03.14.19E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.14.19E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.14.19E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.19E"}],"prose":"a wireless intrusion detection system is employed to identify rogue wireless devices."},{"id":"DS-A.03.14.19E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.19E"}],"prose":"a wireless intrusion detection system is employed to detect attack attempts on the system."},{"id":"DS-A.03.14.19E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.14.19E"}],"prose":"a wireless intrusion detection system is employed to detect a potential compromise or breach to the system."},{"id":"E-03.14.19E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or 
records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.14.19E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.14.19E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection\n\nmechanisms supporting and/or implementing a wireless intrusion detection capability"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.14.19E"},{"name":"label","value":"03.14.19E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Wireless Intrusion Detection"}]},{"id":"SP_800_172_3_0_0_3.15","class":"family","props":[{"name":"sort-id","value":"03.15"},{"name":"label","value":"Planning (3.15)"}],"title":"Planning","controls":[{"id":"SP_800_172_3_0_0_03.15.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#9c48cab0-7fde-46f9-9f56-a15711c74640"}],"parts":[{"id":"ES-03.15.01E","name":"statement","parts":[{"id":"ES-03.15.01E-a","name":"item","parts":[{"id":"ES-03.15.01E-a-1","name":"item","props":[{"name":"label","value":"ES-03.15.01E-a-1"}],"prose":"Describes the security requirements and approach to be taken for protecting the confidentiality, integrity, and availability of CUI,"},{"id":"ES-03.15.01E-a-2","name":"item","props":[{"name":"label","value":"ES-03.15.01E-a-2"}],"prose":"Describes how the architecture is 
integrated into and supports the enterprise architecture, and"},{"id":"ES-03.15.01E-a-3","name":"item","props":[{"name":"label","value":"ES-03.15.01E-a-3"}],"prose":"Describes any assumptions about, and dependencies on, external systems and services."}],"props":[{"name":"label","value":"ES-03.15.01E-a"}],"prose":"Develop a security architecture for the system that:"},{"id":"ES-03.15.01E-b","name":"item","props":[{"name":"label","value":"ES-03.15.01E-b"}],"prose":"Review and update the security architecture {{ insert: param, A.03.15.01E.ODP.01 }} to reflect changes in the enterprise architecture. "},{"id":"ES-03.15.01E-c","name":"item","props":[{"name":"label","value":"ES-03.15.01E-c"}],"prose":"Reflect planned security architecture changes in system security plans, concept of operations, criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"D-03.15.01E","name":"guidance","class":"discussion","prose":"The security architecture at the system level is consistent with the organization-wide security architecture, which is integral to and developed as part of the enterprise architecture. The security architecture includes an architectural description, the allocation of security functionality (i.e., safeguards and countermeasures), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security requirements; types of information processed, stored, and transmitted by the system; cybersecurity supply chain risk management (CSCRM) requirements; restoration priorities of information and system services; and other protection needs.\n\nWith the use of modern computing technologies, it is becoming less common for organizations to control all information resources. 
There may be key dependencies on external services and service providers. Describing such dependencies as part of the security architecture is necessary for developing a comprehensive CUI protection strategy. Establishing, documenting, and maintaining a baseline configuration for organizational systems under configuration control is critical to implementing and maintaining an effective security architecture. Guidance on developing trustworthy, secure, and cyber-resilient systems using systems security engineering practices and security design concepts is provided in SP 800-160v2 .23. This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.15.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.15.01E-2-effect","name":"item","class":"Preclude-AE-03.15.01E-2","parts":[{"id":"AE-03.15.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.15.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.15.01E-3-effect","name":"item","class":"Impede-AE-03.15.01E-3","parts":[{"id":"AE-03.15.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.15.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or 
consequences."}]},{"id":"DS-A.03.15.01E.a.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.01E-a-1"}],"prose":"a security architecture for the system that describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of CUI is developed."},{"id":"DS-A.03.15.01E.a.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.01E-a-2"}],"prose":"a security architecture for the system that describes how the security architecture is integrated into and supports the enterprise architecture is developed."},{"id":"DS-A.03.15.01E.a.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.01E-a-3"}],"prose":"a security architecture for the system that describes any assumptions about and dependencies on external systems and services is developed."},{"id":"DS-A.03.15.01E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.01E-b"}],"prose":"the security architecture is reviewed and updated {{ insert: param, A.03.15.01E.ODP.01 }} to reflect changes in the enterprise architecture. 
"},{"id":"DS-A.03.15.01E.c","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.01E-c"}],"prose":"planned security architecture changes are reflected in system security plans, concept of operations, criticality analyses, organizational procedures, procurements, and acquisitions."},{"id":"E-03.15.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Security planning policy\n\nprocedures addressing information security architecture development\n\nprocedures addressing information security architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsystem security plan\n\nsecurity CONOPS for the system\n\nrecords of information security architecture reviews and updates\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.15.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with security planning and plan implementation responsibilities\n\npersonnel with information security responsibilities\n\npersonnel with information security architecture development responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.15.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and/or implementing the development, review, and update of the information security architecture\n\nprocesses for developing, reviewing, and updating the information security architecture"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.15.01E"},{"name":"label","value":"03.15.01E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Security 
Architecture","params":[{"id":"A.03.15.01E.ODP.01","label":"frequency","props":[{"name":"label","value":"A.03.15.01E.ODP[01]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency for reviewing and updating the security architecture to reflect changes in the enterprise architecture is defined."}]}]},{"id":"SP_800_172_3_0_0_03.15.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#1004e4bc-075b-405c-a0a6-d0dcc5c76ff2"}],"parts":[{"id":"ES-03.15.02E","name":"statement","parts":[{"id":"ES-03.15.02E-a","name":"item","props":[{"name":"label","value":"ES-03.15.02E-a"}],"prose":"Design the security architecture for the system using a defense-in-depth approach."},{"id":"ES-03.15.02E-b","name":"item","props":[{"name":"label","value":"ES-03.15.02E-b"}],"prose":"Allocate {{ insert: param, A.03.15.02E.ODP.01 }} to {{ insert: param, A.03.15.02E.ODP.02 }}. "},{"id":"ES-03.15.02E-c","name":"item","props":[{"name":"label","value":"ES-03.15.02E-c"}],"prose":"Ensure that the allocated requirements operate in a coordinated and mutually reinforcing manner."}]},{"id":"D-03.15.02E","name":"guidance","class":"discussion","prose":"Organizations strategically allocate security requirements and the associated protection mechanisms in the security architecture so that adversaries must overcome multiple defensive layers to achieve their objective. Requiring adversaries to defeat multiple defensive layers makes it more difficult to attack systems by increasing the work factor of the adversary. It also increases the likelihood of detection. 
Defense-in-depth architectural approaches include modularity and layering, the separation of system and user functionality, and security function isolation.\n\nThe coordination of allocated security requirements is essential to help ensure that an attack that involves one requirement does not create adverse, unintended consequences (e.g., system lockout and cascading alarms) by interfering with other requirements. The value of organizational assets and the impacts or consequences of loss are important considerations in providing additional defensive layers. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.15.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.15.02E-2-effect","name":"item","class":"Preclude-AE-03.15.02E-2","parts":[{"id":"AE-03.15.02E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.15.02E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.15.02E-3-effect","name":"item","class":"Impede-AE-03.15.02E-3","parts":[{"id":"AE-03.15.02E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.15.02E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse 
impacts or consequences."},{"id":"AE-03.15.02E-4-effect","name":"item","class":"Limit-AE-03.15.02E-4","parts":[{"id":"AE-03.15.02E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.15.02E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.15.02E.a","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.02E-a"}],"prose":"the security architecture for the system is designed using a defense-in-depth approach."},{"id":"DS-A.03.15.02E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.02E-b"}],"prose":" {{ insert: param, A.03.15.02E.ODP.01 }} are allocated to {{ insert: param, A.03.15.02E.ODP.02 }} . 
"},{"id":"DS-A.03.15.02E.c","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.02E-c"}],"prose":"the security requirements allocated to the architectural layers and locations are coordinated and mutually reinforcing."},{"id":"E-03.15.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Security planning policy\n\nprocedures addressing information security architecture development\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsystem security plan\n\nsecurity CONOPS for the system\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.15.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with information security responsibilities\n\npersonnel with information security architecture development responsibilities\n\npersonnel with security planning and plan implementation responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.15.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for designing the information security architecture\n\nmechanisms supporting and/or implementing the design of the information security architecture"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.15.02E"},{"name":"label","value":"03.15.02E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Defense In Depth","params":[{"id":"A.03.15.02E.ODP.01","label":"security requirements","props":[{"name":"label","value":"A.03.15.02E.ODP[01]"}],"usage":"organization-defined 
security requirements","guidelines":[{"prose":"safeguards to be allocated to architectural layers and locations are defined."}]},{"id":"A.03.15.02E.ODP.02","label":"architectural layers and locations","props":[{"name":"label","value":"A.03.15.02E.ODP[02]"}],"usage":"organization-defined architectural layers and locations","guidelines":[{"prose":"architectural layers and locations are defined."}]}]},{"id":"SP_800_172_3_0_0_03.15.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#725c61c7-e7f0-4267-8180-98e775bbe618"}],"parts":[{"id":"ES-03.15.03E","name":"statement","prose":"Require that {{ insert: param, A.03.15.03E.ODP.01 }} allocated to {{ insert: param, A.03.15.03E.ODP.02 }} are obtained from different suppliers. "},{"id":"D-03.15.03E","name":"guidance","class":"discussion","prose":"Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors that offer malicious code protection typically update their products at different times and develop solutions for known viruses, Trojans, or worms based on their priorities and development schedules. Deploying different types of products from a diversity of suppliers at different locations increases the likelihood that at least one of the products will detect the malicious code. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.15.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.15.03E-2-effect","name":"item","class":"Preclude-AE-03.15.03E-2","parts":[{"id":"AE-03.15.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.15.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt and negate)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.15.03E-3-effect","name":"item","class":"Impede-AE-03.15.03E-3","parts":[{"id":"AE-03.15.03E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.15.03E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."},{"id":"AE-03.15.03E-4-effect","name":"item","class":"Limit-AE-03.15.03E-4","parts":[{"id":"AE-03.15.03E-4-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.15.03E-4-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they 
cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.15.03E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.15.03E"}],"prose":" {{ insert: param, A.03.15.03E.ODP.01 }} that are allocated to {{ insert: param, A.03.15.03E.ODP.02 }} are obtained from different suppliers. "},{"id":"E-03.15.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Security planning policy\n\nprocedures addressing information security architecture development\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsystem security plan\n\nsecurity CONOPS for the system\n\nIT acquisitions policy\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.15.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with acquisition responsibilities\n\npersonnel with information security responsibilities\n\npersonnel with security planning and plan implementation responsibilities\n\npersonnel with information security architecture development responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.15.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for obtaining information security safeguards from different suppliers"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.15.03E"},{"name":"label","value":"03.15.03E"},{"name":"marking","class":"protection_strategy","value":"PS-CRS","remarks":"Cyber Resiliency"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Supplier 
Diversity","params":[{"id":"A.03.15.03E.ODP.01","label":"safeguards","props":[{"name":"label","value":"A.03.15.03E.ODP[01]"}],"usage":"organization-defined safeguards","guidelines":[{"prose":"safeguards to be allocated to architectural layers and locations are defined."}]},{"id":"A.03.15.03E.ODP.02","label":"architectural layers and locations","props":[{"name":"label","value":"A.03.15.03E.ODP[02]"}],"usage":"organization-defined architectural layers and locations","guidelines":[{"prose":"architectural layers and locations are defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.16","class":"family","props":[{"name":"sort-id","value":"03.16"},{"name":"label","value":"System and Services Acquisition (3.16)"}],"title":"System and Services Acquisition","controls":[{"id":"SP_800_172_3_0_0_03.16.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#c731fad4-9153-42f4-a0ef-814f9c1ef808"}],"parts":[{"id":"ES-03.16.01E","name":"statement","prose":"Employ {{ insert: param, A.03.16.01E.ODP.01 }} on {{ insert: param, A.03.16.01E.ODP.02 }} supporting mission-essential services or functions to increase the trustworthiness in those systems or components. "},{"id":"D-03.16.01E","name":"guidance","class":"discussion","prose":"Systems or system components that support mission-essential services or functions can be enhanced or strengthened to maximize the trustworthiness of the resource. Sometimes, this enhancement or strengthening is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance critical resources that depend on organization-defined resources. 
This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.16.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.16.01E-2-effect","name":"item","class":"Preclude-AE-03.16.01E-2","parts":[{"id":"AE-03.16.01E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.16.01E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.16.01E-3-effect","name":"item","class":"Impede-AE-03.16.01E-3","parts":[{"id":"AE-03.16.01E-3-effect-impact","name":"item","class":"I-Impede","prose":"Reduce likelihood of impact and reduce level of impact."},{"id":"AE-03.16.01E-3-effect-expected_result-1","name":"item","class":"ER-Impede-1","prose":"Adversary activities are restricted in scope, fail to achieve full effect, do not take place in accordance with adversary timeline, or require greater resources than adversary had planned."}],"prose":"(includes exert)\n\nMake it more difficult for threat events to cause adverse impacts or consequences."}]},{"id":"DS-A.03.16.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.16.01E"}],"prose":" {{ insert: param, A.03.16.01E.ODP.01 }} is/are employed to {{ insert: param, A.03.16.01E.ODP.02 }} supporting mission-essential services or functions to increase the trustworthiness in those systems or components. 
"},{"id":"E-03.16.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing design modification, augmentation, or reconfiguration of systems or system components\n\ndocumented evidence of design modification, augmentation, or reconfiguration\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.16.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system and service acquisition responsibilities\n\npersonnel with information security responsibilities\n\npersonnel with security architecture responsibilities\n\npersonnel with configuration management responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.16.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for the modification, design, augmentation, or reconfiguration of systems or system components\n\nmechanisms supporting and/or implementing design modification, augmentation, or reconfiguration of systems or system components"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.16.01E"},{"name":"label","value":"03.16.01E"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Specialization","params":[{"id":"A.03.16.01E.ODP.01","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.16.01E.ODP[01]"}],"select":{"choice":["design","modification","augmentation","reconfiguration"],"how-many":"one-or-more"}},{"id":"A.03.16.01E.ODP.02","label":"systems or system 
components","props":[{"name":"label","value":"A.03.16.01E.ODP[02]"}],"usage":"organization-defined systems or system components","guidelines":[{"prose":"systems or system components supporting mission-essential services or functions are defined."}]}]}]},{"id":"SP_800_172_3_0_0_3.17","class":"family","props":[{"name":"sort-id","value":"03.17"},{"name":"label","value":"Supply Chain Risk Management (3.17)"}],"title":"Supply Chain Risk Management","controls":[{"id":"SP_800_172_3_0_0_03.17.01E","class":"security_requirement","links":[{"rel":"external_reference","href":"#749c52bb-59bc-49c9-9cfa-42c58d857a76"}],"parts":[{"id":"ES-03.17.01E","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, A.03.17.01E.ODP.01 }}. "},{"id":"D-03.17.01E","name":"guidance","class":"discussion","prose":"Establishing agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that may adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes. 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.17.01E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.17.01E-2-effect","name":"item","class":"Expose-AE-03.17.01E-2","parts":[{"id":"AE-03.17.01E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.17.01E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."},{"id":"AE-03.17.01E-3-effect","name":"item","class":"Limit-AE-03.17.01E-3","parts":[{"id":"AE-03.17.01E-3-effect-impact","name":"item","class":"I-Limit","prose":"Reduce level of impact and reduce likelihood of impact of subsequent events in the same threat scenario."},{"id":"AE-03.17.01E-3-effect-expected_result-1","name":"item","class":"ER-Limit-1","prose":"The adversary’s effectiveness is restricted."}],"prose":"(includes shorten and reduce)\n\nRestrict the consequences of realized threat events by limiting the damage or effects they cause in terms of time, system resources, and/or mission or business impacts."}]},{"id":"DS-A.03.17.01E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.01E"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, A.03.17.01E.ODP.01 }}. 
"},{"id":"E-03.17.01E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nacquisition contracts for the system, system component, or system service\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice-level agreements\n\nsystem security plan\n\ninter-organizational agreements and procedures\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.17.01E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system and service acquisition responsibilities\n\npersonnel with information security responsibilities\n\npersonnel with supply chain risk management responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.17.01E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for establishing inter-organizational agreements and procedures with supply chain entities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.17.01E"},{"name":"label","value":"03.17.01E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Notification Agreements","params":[{"id":"A.03.17.01E.ODP.01","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.17.01E.ODP[01]"}],"select":{"choice":["notification of supply chain compromises","results of assessments or audits"," {{ insert: param, A.03.17.01E.ODP.02 }} "],"how-many":"one-or-more"}},{"id":"A.03.17.01E.ODP.02","label":"information","props":[{"name":"label","value":"A.03.17.01E.ODP[02]"}],"usage":"organization-defined 
information","guidelines":[{"prose":"information for which agreements and procedures are to be established is defined (if selected)."}]}]},{"id":"SP_800_172_3_0_0_03.17.02E","class":"security_requirement","links":[{"rel":"external_reference","href":"#1ce8d129-4368-4bfb-ae43-20904a8599c2"}],"parts":[{"id":"ES-03.17.02E","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, A.03.17.02E.ODP.01 }} to detect tampering: {{ insert: param, A.03.17.02E.ODP.02 }}. "},{"id":"D-03.17.02E","name":"guidance","class":"discussion","prose":"Inspecting systems or systems components for evidence of tampering addresses physical and logical tampering and is applied to systems and system components that are removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations. This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.17.02E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.17.02E-2-effect","name":"item","class":"Expose-AE-03.17.02E-2","parts":[{"id":"AE-03.17.02E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.17.02E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.17.02E","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.02E"}],"prose":" {{ insert: param, 
A.03.17.02E.ODP.01 }} are inspected {{ insert: param, A.03.17.02E.ODP.02 }} to detect tampering. "},{"id":"E-03.17.02E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports or results\n\nassessment reports or results\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nservice-level agreements\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.17.02E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system and services acquisition responsibilities\n\npersonnel with information security responsibilities\n\npersonnel with supply chain risk management responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.17.02E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for establishing inter-organizational agreements and procedures with supply chain entities\n\nprocesses to inspect for tampering"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.17.02E"},{"name":"label","value":"03.17.02E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Inspection of Systems or Components","params":[{"id":"A.03.17.02E.ODP.01","label":"systems or system components","props":[{"name":"label","value":"A.03.17.02E.ODP[01]"}],"usage":"organization-defined systems or system components","guidelines":[{"prose":"systems or system components 
that require inspection are defined."}]},{"id":"A.03.17.02E.ODP.02","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.17.02E.ODP[02]"}],"select":{"choice":["at random"," {{ insert: param, A.03.17.02E.ODP.03 }} ","upon {{ insert: param, A.03.17.02E.ODP.04 }} "],"how-many":"one-or-more"}},{"id":"A.03.17.02E.ODP.03","label":"frequency","props":[{"name":"label","value":"A.03.17.02E.ODP[03]"}],"usage":"organization-defined frequency","guidelines":[{"prose":"the frequency at which to inspect systems or system components is defined (if selected)."}]},{"id":"A.03.17.02E.ODP.04","label":"indications of the need for inspection","props":[{"name":"label","value":"A.03.17.02E.ODP[04]"}],"usage":"organization-defined indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected)."}]}]},{"id":"SP_800_172_3_0_0_03.17.03E","class":"security_requirement","links":[{"rel":"external_reference","href":"#593bf3f6-43f1-43ba-8e43-b5758be3bb22"}],"parts":[{"id":"ES-03.17.03E","name":"statement","parts":[{"id":"ES-03.17.03E-a","name":"item","props":[{"name":"label","value":"ES-03.17.03E-a"}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system."},{"id":"ES-03.17.03E-b","name":"item","props":[{"name":"label","value":"ES-03.17.03E-b"}],"prose":"Report counterfeit system components to {{ insert: param, A.03.17.03E.ODP.01 }}. "}]},{"id":"D-03.17.03E","name":"guidance","class":"discussion","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include the Cybersecurity and Infrastructure Security Agency (CISA). 
This requirement is sourced to a control tailored out of the SP 800-53B .13 moderate baseline in SP 800-171."},{"id":"AE-03.17.03E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.17.03E-2-effect","name":"item","class":"Preclude-AE-03.17.03E-2","parts":[{"id":"AE-03.17.03E-2-effect-impact","name":"item","class":"I-Preclude","prose":"Reduce likelihood of occurrence and/or reduce likelihood of impact."},{"id":"AE-03.17.03E-2-effect-expected_result-1","name":"item","class":"ER-Preclude-1","prose":"The adversary’s efforts or resources cannot be applied or are wasted."}],"prose":"(includes preempt)\n\nEnsure that the threat event does not have an impact."},{"id":"AE-03.17.03E-3-effect","name":"item","class":"Expose-AE-03.17.03E-3","parts":[{"id":"AE-03.17.03E-3-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.17.03E-3-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.17.03E.a.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.03E-a"}],"prose":"an anti-counterfeit policy is developed and implemented."},{"id":"DS-A.03.17.03E.a.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.03E-a"}],"prose":"anti-counterfeit procedures are developed and implemented."},{"id":"DS-A.03.17.03E.a.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.03E-a"}],"prose":"the anti-counterfeit policy and procedures include the means to detect counterfeit components entering the 
system."},{"id":"DS-A.03.17.03E.a.04","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.03E-a"}],"prose":"the anti-counterfeit policy and procedures include the means to prevent counterfeit components from entering the system."},{"id":"DS-A.03.17.03E.b","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.03E-b"}],"prose":"counterfeit system components are reported to {{ insert: param, A.03.17.03E.ODP.01 }}. "},{"id":"E-03.17.03E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.17.03E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Personnel with system and service acquisition responsibilities\n\npersonnel with information security responsibilities\n\npersonnel with supply chain risk management responsibilities\n\npersonnel with responsibilities for anti-counterfeit policies, procedures, and 
reporting"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.17.03E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.17.03E"},{"name":"label","value":"03.17.03E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Component Authenticity","params":[{"id":"A.03.17.03E.ODP.01","label":"SELECTED PARAMETER VALUE(S)","props":[{"name":"label","value":"A.03.17.03E.ODP[01]"}],"select":{"choice":["source of counterfeit component"," {{ insert: param, A.03.17.03E.ODP.02 }} "," {{ insert: param, A.03.17.03E.ODP.03 }} "],"how-many":"one-or-more"}},{"id":"A.03.17.03E.ODP.02","label":"external reporting organizations","props":[{"name":"label","value":"A.03.17.03E.ODP[02]"}],"usage":"organization-defined external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported are defined (if selected)."}]},{"id":"A.03.17.03E.ODP.03","label":"personnel or roles","props":[{"name":"label","value":"A.03.17.03E.ODP[03]"}],"usage":"organization-defined personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported are defined (if selected)."}]}]},{"id":"SP_800_172_3_0_0_03.17.04E","class":"security_requirement","links":[{"rel":"external_reference","href":"#129dab69-a27f-4387-a9db-4057f20775e4"}],"parts":[{"id":"ES-03.17.04E","name":"statement","prose":"Document, monitor, and maintain valid provenance of the 
following systems, system components, and associated CUI: {{ insert: param, A.03.17.04E.ODP.01 }}. "},{"id":"D-03.17.04E","name":"guidance","class":"discussion","prose":"Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.17.04E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.17.04E-2-effect","name":"item","class":"Expose-AE-03.17.04E-2","parts":[{"id":"AE-03.17.04E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.17.04E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.17.04E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.04E"}],"prose":"valid provenance is documented 
for {{ insert: param, A.03.17.04E.ODP.01 }}. "},{"id":"DS-A.03.17.04E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.04E"}],"prose":"valid provenance is monitored for {{ insert: param, A.03.17.04E.ODP.01 }}. "},{"id":"DS-A.03.17.04E.03","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.04E"}],"prose":"valid provenance is maintained for {{ insert: param, A.03.17.04E.ODP.01 }}. "},{"id":"E-03.17.04E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\ndocumentation of critical systems, critical system components, and associated data\n\ndocumentation showing the history of ownership, custody, and location of and changes to critical systems or critical system components\n\nsystem architecture\n\ninter-organizational agreements and procedures\n\ncontracts\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.17.04E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.17.04E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying the provenance of critical systems and critical system components\n\nmechanisms used to document, monitor, or maintain 
provenance"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.17.04E"},{"name":"label","value":"03.17.04E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"},{"name":"marking","class":"protection_strategy","value":"PS-PRA","remarks":"Penetration-Resistant Architecture"}],"title":"Provenance","params":[{"id":"A.03.17.04E.ODP.01","label":"systems, system components, and associated CUI","props":[{"name":"label","value":"A.03.17.04E.ODP[01]"}],"usage":"organization-defined systems, system components, and associated CUI","guidelines":[{"prose":"systems, system components, and associated CUI that require valid provenance are defined."}]}]},{"id":"SP_800_172_3_0_0_03.17.05E","class":"security_requirement","links":[{"rel":"external_reference","href":"#375fe16f-ac94-4eef-b536-c5f2122e6bd7"}],"parts":[{"id":"ES-03.17.05E","name":"statement","prose":"Employ {{ insert: param, A.03.17.05E.ODP.01 }} and conduct {{ insert: param, A.03.17.05E.ODP.02 }} to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services. "},{"id":"D-03.17.05E","name":"guidance","class":"discussion","prose":"Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes the material composition of components. For software this includes the composition of open-source and proprietary code, including the version of the component at a given point in time. 
Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research, development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of technology, products, and services. Evidentiary artifacts include software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware. This requirement does not enhance a specific requirement in SP 800-171 but can be used to strengthen the protection of CUI associated with critical programs or high value assets."},{"id":"AE-03.17.05E-1","name":"statement","class":"adversary_effect","links":[{"rel":"external_reference","href":"#8e2f7423-3e0d-4759-8560-2f35f555111b"}],"parts":[{"id":"AE-03.17.05E-2-effect","name":"item","class":"Expose-AE-03.17.05E-2","parts":[{"id":"AE-03.17.05E-2-effect-impact","name":"item","class":"I-Expose","prose":"Reduce likelihood of impact."},{"id":"AE-03.17.05E-2-effect-expected_result-1","name":"item","class":"ER-Expose-1","prose":"The adversary loses the advantage of stealth as defenders are better prepared by developing and sharing threat intelligence."}],"prose":"(includes detect)\n\nReduce risk due to ignorance of threat events and possible replicated or similar threat events in the same or similar environments."}]},{"id":"DS-A.03.17.05E.01","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.05E"}],"prose":" {{ insert: param, A.03.17.05E.ODP.01 }} are employed to ensure the integrity of the system and system components. 
"},{"id":"DS-A.03.17.05E.02","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#ES-03.17.05E"}],"prose":" {{ insert: param, A.03.17.05E.ODP.02 }} is conducted to ensure the integrity of the system and system components. "},{"id":"E-03.17.05E_assessment-method_examine","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nbill of materials for critical systems or system components\n\nacquisition documentation\n\nsoftware identification tags\n\nmanufacturer declarations of platform attributes (e.g., serial numbers, hardware component inventory) and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself\n\nsystem security plan\n\nother relevant documents or records"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"EXAMINE"}]},{"id":"I-03.17.05E_assessment-method_interview","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"INTERVIEW"}]},{"id":"T-03.17.05E_assessment-method_test","name":"assessment-method","parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying pedigree information\n\norganizational processes to determine and validate the integrity of the internal composition of critical systems and critical system components\n\nmechanisms to determine and validate the integrity of the internal composition of critical systems and critical system 
components"}],"props":[{"ns":"http://csrc.nist.gov/ns/rmf","name":"method","value":"TEST"}]}],"props":[{"name":"sort-id","value":"03.17.05E"},{"name":"label","value":"03.17.05E"},{"name":"marking","class":"protection_strategy","value":"PS-DLO","remarks":"Damage-Limiting Operations"}],"title":"Supply Chain Integrity – Pedigree","params":[{"id":"A.03.17.05E.ODP.01","label":"safeguards","props":[{"name":"label","value":"A.03.17.05E.ODP[01]"}],"usage":"organization-defined safeguards","guidelines":[{"prose":"safeguards employed to ensure the integrity of the system and system component are defined."}]},{"id":"A.03.17.05E.ODP.02","label":"analysis method","props":[{"name":"label","value":"A.03.17.05E.ODP[02]"}],"usage":"organization-defined analysis method","guidelines":[{"prose":"an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products, and services to ensure the integrity of the system and system component is defined."}]}]}]}],"back-matter":{"resources":[{"uuid":"666de17a-c620-4fa2-a8bf-3f7cd62aca72","rlinks":[{"href":"https://csrc.nist.gov/pubs/sp/800/172/r3/final","media-type":"application/html"}]},{"uuid":"56515ab3-80b5-4e50-a2ed-270cb67bd5bd","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt","media-type":"application/html"}]},{"uuid":"8e2f7423-3e0d-4759-8560-2f35f555111b","title":"SP-800-160-2-Rev-1","rlinks":[{"href":"https://doi.org/10.6028/NIST.SP.800-160v2r1"}],"citation":{"text":"Ross RS, Graubart R, Bodeau D, McQuaid R (2021) Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2, Rev. 
1."}},{"uuid":"31bf29e8-67f8-4379-b08e-f6f9deab7809","title":"AC-03(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-03(02)"}]},{"uuid":"bd81756e-61ac-44e9-bc3d-5b3aa015d3cb","title":"AC-20(03)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-20(03)"}]},{"uuid":"bc9414f9-b22d-4945-8949-7f0d02441f6f","title":"SP_800_171_3_0_0","rlinks":[{"href":"https://csrc.nist.gov/pubs/sp/800/171/r3/final"}]},{"uuid":"c3bd8782-2f5d-4d24-8b91-b88afab25422","title":"AC-10","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-10"}]},{"uuid":"2d6f9d4f-b674-453e-8171-eaacf15ddc28","title":"AC-17(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-17(01)"}]},{"uuid":"5058b05d-bee9-4d3a-ab17-1c62f1f51d4b","title":"AC-17(06)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-17(06)"}]},{"uuid":"7286bffd-83a1-4461-83f4-97405be5f159","title":"AC-02(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-02(04)"}]},{"uuid":"24d416a8-ac05-4776-960a-c47ca1d8dd4e","title":"AC-02(12)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-02(12)"}]},{"uuid":"2348e420-57fb-4675-9ae2-5ed8e703af2a","title":"AC-03(13)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-03(13)"}]},{"uuid":"19071bfa-b136-4df5-9f64-eed511ed4f1d","title":"AC-04(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-04(01)"}]},{"uuid":"51cbc70e-d163-43c6-822a-7b7b86266e3d","title":"AC-03(07)","rlinks":[{"href":
"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-03(07)"}]},{"uuid":"b2875d20-46a1-4d35-9fce-87946fa192dc","title":"AC-04(21)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-04(21)"}]},{"uuid":"845c9b4b-0491-4b5b-a8a7-4d4a6b8619f0","title":"AC-04(06)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-04(06)"}]},{"uuid":"3d199491-8b9e-49ae-8b31-b61a347ddc38","title":"AC-04(08)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-04(08)"}]},{"uuid":"e46a035a-76a4-4b73-b89b-3d884550b205","title":"AC-04(12)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-04(12)"}]},{"uuid":"58950fbc-6437-4e7b-b044-2ef2da2a6fd2","title":"AC-04(13)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-04(13)"}]},{"uuid":"d5f32471-6f9b-4f4e-8c57-2baab5efdbdb","title":"AC-04(15)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AC-04(15)"}]},{"uuid":"27df5e44-bda8-4e2a-a39e-3521844585f8","title":"PE-06(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PE-06(01)"}]},{"uuid":"21977c72-de9e-4f80-8a66-8671a3bfd6d8","title":"PE-16","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PE-16"}]},{"uuid":"36284636-2ecc-4526-92d0-d15290590a46","title":"PM-16","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PM-16"}]},{"uuid":"72f28255-3454-4891-96f7-1605cf0947ed","title":"RA-10","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt
/framework/version/SP_800_53_5_2_0/home?element=RA-10"}]},{"uuid":"b59cd2f1-e57b-4e7c-88dd-aafa1d82d364","title":"RA-03(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=RA-03(04)"}]},{"uuid":"af1f6523-8f19-41a1-bda6-97453f0e98c4","title":"RA-03(03)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=RA-03(03)"}]},{"uuid":"fe4ddff3-fafc-4de7-9dc2-76027d796507","title":"SI-04(24)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-04(24)"}]},{"uuid":"490d4b64-4f60-4516-b1e4-1a4d642e624a","title":"RA-09","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=RA-09"}]},{"uuid":"269bc7f2-4333-48cd-a2fe-b440894c5a17","title":"RA-05(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=RA-05(04)"}]},{"uuid":"d3395183-d092-4fae-9ca2-0540d9d2b224","title":"PM-16(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PM-16(01)"}]},{"uuid":"c3565db2-c3e1-4be8-a9d0-0ea9b2734ebd","title":"CA-08","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CA-08"}]},{"uuid":"c826cde3-fb29-42e1-911a-5df0dd0194a4","title":"CA-02(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CA-02(01)"}]},{"uuid":"4fb7756f-35ce-4d1f-9bce-ee6c2ef2a645","title":"CA-07(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CA-07(04)"}]},{"uuid":"82899f04-4f03-4d78-955e-34ed4314830a","title":"CA-09","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CA-09"
}]},{"uuid":"8a04b6e3-2555-4529-82e5-901d5d48bf9f","title":"SC-29","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-29"}]},{"uuid":"a588e5c9-bbbd-44b0-9ce7-ad3f63a1b70a","title":"SC-30(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-30(02)"}]},{"uuid":"21be8a83-d199-4135-836a-5261bf4f9819","title":"SC-30","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-30"}]},{"uuid":"138ce585-a7aa-4547-8240-fd0afdaa9f12","title":"SC-07(21)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-07(21)"}]},{"uuid":"3051df2e-43ae-488c-a681-011a26e0295d","title":"SC-30(03)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-30(03)"}]},{"uuid":"f74165ba-b4e4-4db1-ac19-920c1bae3755","title":"SC-27","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-27"}]},{"uuid":"ebf73c4c-2ed3-4bf6-9622-3f478ea2de19","title":"SC-29(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-29(01)"}]},{"uuid":"dd18d1f4-4dc0-4905-b420-87d0554b161f","title":"SC-26","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-26"}]},{"uuid":"95fb039d-3545-402c-a17a-86e1e6e87eac","title":"SC-07(13)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-07(13)"}]},{"uuid":"effd14dc-1623-49e6-91ef-80b6cbb39810","title":"SC-07(22)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-07(22)"}]},{"uuid":"9b7ff92a-3a53-41b7-a650-32aa59e68dc6","title":"SC
-25","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-25"}]},{"uuid":"ac3ee5df-95ed-4249-9798-9db701a6d335","title":"SC-05","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-05"}]},{"uuid":"04a6063a-dd8c-4551-a37c-671fac148ada","title":"SC-41","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-41"}]},{"uuid":"18665b72-8cbf-407d-b989-476eeebfcb94","title":"SC-44","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-44"}]},{"uuid":"e4c82123-b3ae-4c4c-98f6-ea4bea002bb3","title":"SC-07(29)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-07(29)"}]},{"uuid":"117fcbce-07f0-43fb-a079-e7dab1db227d","title":"SC-32","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SC-32"}]},{"uuid":"8d199f79-e4f0-45c2-b0f7-26e5cabfe9a5","title":"SI-07","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-07"}]},{"uuid":"adf73f5c-2f89-46a2-a396-0de1155d5ba2","title":"SI-14(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-14(01)"}]},{"uuid":"beff0086-196f-4989-aeb3-6e2178ac04b9","title":"SI-14(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-14(02)"}]},{"uuid":"1459a6a5-b679-4bdc-ab0b-4ddd92428c0a","title":"SI-07(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-07(01)"}]},{"uuid":"dd824f5a-d0bc-409d-bef9-6e1194f20aaa","title":"SI-07(06)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/
framework/version/SP_800_53_5_2_0/home?element=SI-07(06)"}]},{"uuid":"d793c207-dfae-49c1-a3fe-275357ccd5e0","title":"SI-07(10)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-07(10)"}]},{"uuid":"9e227fcf-f52c-4041-b5b3-f1092eba1722","title":"SI-07(07)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-07(07)"}]},{"uuid":"1e23e735-ce8a-4926-a059-62917d299f90","title":"SI-10","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-10"}]},{"uuid":"2a69a8f9-296d-45dc-bfc1-e8f665511f51","title":"SI-11","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-11"}]},{"uuid":"c1f8b5b2-745f-4fad-866a-52c879617eb2","title":"SI-16","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-16"}]},{"uuid":"ae948168-1f68-4e95-a0da-72bd7287d7ed","title":"SI-14","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-14"}]},{"uuid":"53381f5b-db26-46ca-9d15-e87a315aacd2","title":"SI-20","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-20"}]},{"uuid":"bfa6b5c5-af66-4636-9e43-81da8442debc","title":"SI-04(05)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-04(05)"}]},{"uuid":"8ac7e0f0-2899-41c1-80a5-2edee2123d55","title":"SI-04(12)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-04(12)"}]},{"uuid":"e3aa04eb-1005-43db-837a-edbd32169044","title":"SI-04(14)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SI-04(14)"}]},{"uuid":"
9c48cab0-7fde-46f9-9f56-a15711c74640","title":"PL-08","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PL-08"}]},{"uuid":"1004e4bc-075b-405c-a0a6-d0dcc5c76ff2","title":"PL-08(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PL-08(01)"}]},{"uuid":"725c61c7-e7f0-4267-8180-98e775bbe618","title":"PL-08(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PL-08(02)"}]},{"uuid":"c731fad4-9153-42f4-a0ef-814f9c1ef808","title":"SA-23","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SA-23"}]},{"uuid":"749c52bb-59bc-49c9-9cfa-42c58d857a76","title":"SR-08","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SR-08"}]},{"uuid":"1ce8d129-4368-4bfb-ae43-20904a8599c2","title":"SR-10","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SR-10"}]},{"uuid":"593bf3f6-43f1-43ba-8e43-b5758be3bb22","title":"SR-11","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SR-11"}]},{"uuid":"129dab69-a27f-4387-a9db-4057f20775e4","title":"SR-04","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SR-04"}]},{"uuid":"375fe16f-ac94-4eef-b536-c5f2122e6bd7","title":"SR-04(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SR-04(04)"}]},{"uuid":"65e14c03-9208-4680-b275-53003145e734","title":"AT-02(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AT-02(04)"}]},{"uuid":"f8d5d73a-5d42-46de-a5bd-65c35e9404cd","title":"AT-02(05)","rlinks":[{"href":"h
ttps://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AT-02(05)"}]},{"uuid":"d4be10bd-54c9-4f40-9d14-69feb1448df9","title":"AT-02(06)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AT-02(06)"}]},{"uuid":"32e00cee-426c-4841-ad3d-987c40ea2c3e","title":"AT-02(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AT-02(01)"}]},{"uuid":"4e91e018-7f06-4b35-9e11-82ec63730a82","title":"AT-06","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AT-06"}]},{"uuid":"b78d8b19-021f-4995-8805-d7d7236472b7","title":"SR-11(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=SR-11(01)"}]},{"uuid":"ff799542-1361-4545-a8fc-8ece62932b59","title":"AU-09(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AU-09(02)"}]},{"uuid":"a4e9d937-ba64-4e9e-af1f-52d7c0a8236b","title":"AU-05(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AU-05(02)"}]},{"uuid":"ff8de932-aeb4-44e4-bcdd-dd64f65b296c","title":"AU-09(05)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AU-09(05)"}]},{"uuid":"4b4b1f2b-40f9-4240-a2dc-8d222dc6a562","title":"AU-06(05)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=AU-06(05)"}]},{"uuid":"aa1e16f2-50e4-4419-a3ef-16e4863a9c04","title":"CM-06(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-06(01)"}]},{"uuid":"42c89468-dda2-4995-a012-7939becfb06a","title":"CM-06(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/cat
alog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-06(02)"}]},{"uuid":"6d45f8f9-3d6d-4dd9-9e09-a26d6ede6665","title":"CM-08(03)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-08(03)"}]},{"uuid":"773926cc-773e-46ac-945d-92478081b511","title":"CM-08(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-08(02)"}]},{"uuid":"2c095e86-5096-41fa-9017-f008ff84b4da","title":"CM-02(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-02(02)"}]},{"uuid":"dfd91a2e-cacc-4a41-82ca-4f313cfd5ace","title":"CM-05(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-05(04)"}]},{"uuid":"3ad9454b-7a02-42b7-b90c-d4920bb18777","title":"CM-02(03)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-02(03)"}]},{"uuid":"d3537fba-0209-4c9f-848f-26e0fa322534","title":"CM-03(02)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-03(02)"}]},{"uuid":"5f03da20-db03-4b94-ab6d-3f8658650949","title":"CM-08(07)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CM-08(07)"}]},{"uuid":"a6207520-295d-4c60-9450-949356317cac","title":"IA-03(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IA-03(01)"}]},{"uuid":"3ff9cd9a-11cc-44f1-b3dc-8a8f7830f3b0","title":"IA-05(18)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IA-05(18)"}]},{"uuid":"7f33ea69-e0a7-4ffd-a405-559bfce23674","title":"IA-03(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/S
P_800_53_5_2_0/home?element=IA-03(04)"}]},{"uuid":"d7037019-eefb-4537-b789-aaa4446d72a2","title":"IA-05(07)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IA-05(07)"}]},{"uuid":"625e2402-ce8d-48d6-b4a9-00bd50b980e3","title":"IA-05(13)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IA-05(13)"}]},{"uuid":"3d24f5c5-be95-4586-8420-5498354b2df7","title":"IA-12","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IA-12"}]},{"uuid":"99879d5e-31a2-431b-938d-1363b026de07","title":"IA-13","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IA-13"}]},{"uuid":"edfd3867-107d-49ae-b7bd-55a10093e944","title":"IR-04(14)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IR-04(14)"}]},{"uuid":"6549e81c-17b2-4153-8e2a-90b49cc149f5","title":"IR-04(11)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IR-04(11)"}]},{"uuid":"f180ad71-6c1c-4756-bb93-b80767a52f98","title":"IR-04(13)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IR-04(13)"}]},{"uuid":"93b92a8b-bca2-44dd-a915-e4d7735c3e75","title":"IR-05(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=IR-05(01)"}]},{"uuid":"19a24db1-344e-4041-9542-161d48af64f4","title":"MA-03(06)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=MA-03(06)"}]},{"uuid":"e1fde113-1bf1-4822-a218-d81be0b790be","title":"MP-06(07)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=MP-06(07)"}]},{"uu
id":"a6892981-eb36-48a1-8a1b-3ee95e9afe59","title":"CP-09(07)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CP-09(07)"}]},{"uuid":"ca993761-8fd9-47e8-931a-8d83ba6b3080","title":"CP-09(01)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CP-09(01)"}]},{"uuid":"83ab460d-592c-41d8-99d1-9a20351c55d4","title":"CP-10","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=CP-10"}]},{"uuid":"34863225-1727-4394-9f3c-d2a61148ccc6","title":"PS-06","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PS-06"}]},{"uuid":"6266bc38-a0e8-450d-a231-843c87fb28ef","title":"PS-03(04)","rlinks":[{"href":"https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_2_0/home?element=PS-03(04)"}]}]}}}