CMMC assessments and certification require substantial evidence and documentation. The following tables outline general guidelines for collecting evidence to assess control requirements and objectives. While these guidelines provide a structured approach, they are not the only means of conducting an accurate assessment. Assessors should exercise professional judgment and may employ alternative methods appropriate to the specific organizational context and circumstances.
Evidence collection approaches are defined as:
- Documentation: Tangible materials containing information over which an organization has authority, including all types of written records and their copies.
- Artifacts: Tangible, reviewable records directly resulting from a practice or process being performed by a system or by personnel executing their role within that practice, control, or process.
- Physical Review: Direct on-site observation and examination of evidence.
- Screen Share: Real-time remote observation of a user demonstrating a task or process via shared computer screen, sometimes called "over-the-shoulder" review.
DISCLAIMER: Evidence requirements vary significantly across assessment types. The examples provided are illustrative only and should be tailored to meet the specific adequacy and sufficiency standards of your particular assessment context.
For inquiries and reporting errors on this wiki, please contact us. Thank you.
Access Control (AC)
AC.L2-3.1.1 – Authorized Access Control [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
|
| [a] authorized users are identified. |
Document |
Document defining account request, approval, provisioning.
|
| [b] processes acting on behalf of authorized users are identified. |
Document |
Document defining account request, approval, provisioning.
|
| [c] devices (and other systems) authorized to connect to the system are identified. |
Document |
Document defining account request, approval, provisioning.
|
| [d] system access is limited to authorized users. |
Screen Share |
Screen share showing login requirements are enforced. Example of an unauthorized user denied (unauthorized username entered at login).
|
| [e] system access is limited to processes acting on behalf of authorized users. |
Screen Share |
Screenshot showing that service accounts are assigned to authorized users only; no rogue accounts without an authorized user are active.
|
| [f] system access is limited to authorized devices (including other systems). |
Screen Share |
Screen share showing that all devices running are authorized; no rogue devices on the network.
|
AC.L2-3.1.2 – Transaction & Function Control [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
|
| [a] the types of transactions and functions that authorized users are permitted to execute are defined. |
Document |
SSP, AUP, or IAM document that defines what authorized users can execute.
|
| [b] system access is limited to the defined types of transactions and functions for authorized users. |
Screen Share |
Screenshot of security roles in AD or IAM or other directory-based identity-related services tool that shows transactions are as defined in the SSP or IAM document; privileged and non-privileged accounts need to be defined and identified in the artifact; screenshot of a non-privileged user trying to execute a privileged function.
|
AC.L2-3.1.3 – Control CUI Flow
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.3 Control the flow of CUI in accordance with approved authorizations.
|
| [a] information flow control policies are defined. |
Document |
SSP or other document describing the control of CUI on the network.
|
| [b] methods and enforcement mechanisms for controlling the flow of CUI are defined. |
Document |
Document that defines the networking devices that are on the CUI network and answers what measures are in place to control the flow. List of firewalls, border and internal layer 3 devices, IDS/IPS, DLP, that process CUI.
|
| [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified. |
Artifact |
Network diagram, data flow diagram, external system connection diagrams, document describing the policies for CUI on the network; listing of VLANs and subnets where CUI is authorized; document must describe source and authorized destinations.
|
| [d] authorizations for controlling the flow of CUI are defined. |
Document |
Document that defines how CUI is to be controlled, such as an InfoSec plan, and/or network management plan.
|
| [e] approved authorizations for controlling the flow of CUI are enforced. |
Screen Share |
Screenshots of firewall rules, ACLs, etc.
|
AC.L2-3.1.4 – Separation of Duties
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
|
| [a] the duties of individuals requiring separation are defined. |
Document |
Document, SSP, account management policy, defining separation of duties by person or role.
|
| [b] responsibilities for duties that require separation are assigned to separate individuals. |
Screen Share |
Screenshot showing that separation of duties is enforced by showing admin accounts are assigned to different people based on role.
|
| [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals. |
Screen Share |
Screen shot showing an example such as a security manager can not log into a network device and change ACLs, or network admins can not access security logs in the SIEM tool.
|
AC.L2-3.1.5 – Least Privilege
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
|
| [a] privileged accounts are identified. |
Document |
"SSP or policy (documentation) identify what is considered a privileged account."
|
| [b] access to privileged accounts is authorized in accordance with the principle of least privilege. |
Artifact |
An artifact that identifies the least amount of permissions associated with different types of privileged accounts are approved.
|
| [c] security functions are identified. |
Document |
"SSP or policy (documentation) identifies what is considered a security account."
|
| [d] access to security functions is authorized in accordance with the principle of least privilege. |
Artifact |
Artifact(s) that identify the least amount of permissions associated with different types of security accounts are approved.
|
AC.L2-3.1.6 – Non-Privileged Account Use
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
|
| [a] nonsecurity functions are identified. |
Document |
SSP or account management document, AUP, that defines non-security functions.
|
| [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions. |
Screen Share |
Screenshot showing that a privileged user tried to use their admin account to access a non-security function, such as a browser or email (whatever is defined in their policy) and was blocked.
|
AC.L2-3.1.7 – Privileged Functions
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
|
| [a] privileged functions are defined. |
Document |
SSP or policy (documentation) that defines privileged functions.
|
| [b] non-privileged users are defined. |
Document |
SSP or policy (documentation) that defines non-privileged users.
|
| [c] non-privileged users are prevented from executing privileged functions. |
Screen Share |
Screen share that shows that a non-privileged user is not allowed to complete a privileged function (installing software).
|
| [d] the execution of privileged functions is captured in audit logs. |
Screen Share |
Screen share that shows logs being captured of the execution of privileged functions.
|
AC.L2-3.1.8 – Unsuccessful Logon Attempts
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.8 Limit unsuccessful logon attempts.
|
| [a] the means of limiting unsuccessful logon attempts is defined. |
Document |
SSP or policy (documentation) showing unsuccessful logon attempts settings and or policy.
|
| [b] the defined means of limiting unsuccessful logon attempts is implemented. |
Artifact |
Artifact showing GPO / Policy for limiting logon attempts.
|
AC.L2-3.1.9 – Privacy & Security Notices
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
|
| [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. |
Document |
SSP or policy (documentation) showing CUI-specified rules are identified, consistent, and associated with the specific CUI category.
|
| [b] privacy and security notices are displayed. |
Artifact |
Artifact that shows a consent banner or screen that a user sees as they log in to the system.
|
AC.L2-3.1.10 – Session Lock
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
|
| [a] the period of inactivity after which the system initiates a session lock is defined. |
Document |
SSP or policy (documentation) that defines the period of inactivity and when a session lock is defined.
|
| [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. |
Artifact |
Artifact that shows the setting of session lock (GPO or system policy or similar solution addressing the controls supporting centralized management and configuration of operating systems, applications, and users' settings for the working environment of user accounts and computer accounts).
|
| [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. |
Artifact |
Screenshot of GPO setting and configuration settings, or similar solution addressing the controls supporting centralized management and configuration of operating systems, applications, and users' settings for the working environment of user accounts and computer accounts.
|
AC.L2-3.1.11 – Session Termination
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.11 Terminate (automatically) a user session after a defined condition.
|
| [a] conditions requiring a user session to terminate are defined. |
Document |
SSP or policy (documentation) that defines the conditions requiring a user session to be terminated.
|
| [b] a user session is automatically terminated after any of the defined conditions. |
Screen Share |
Screen share showing GPO / VPN Settings that show when a session would be terminated (Idle time, max connection time).
|
AC.L2-3.1.12 – Control Remote Access
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.12 Monitor and control remote access sessions.
|
| [a] remote access sessions are permitted. |
Document |
SSP or policy (documentation) that defines remote access sessions.
|
| [b] the types of permitted remote access are identified. |
Document |
SSP or policy (documentation) that defines remote access is permitted.
|
| [c] remote access sessions are controlled. |
Screen Share |
Screen share that shows how the remote access is controlled (access session, and or groups).
|
| [d] remote access sessions are monitored. |
Screen Share |
Screen share that shows how remote sessions are monitored (logs).
|
AC.L2-3.1.13 – Remote Access Confidentiality
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
|
| [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. |
Document |
SSP or policy (documentation) that discusses the CUI rules, consistent, and associated with the specific CUI category; FIPS Cert # of appliance or application.
|
| [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. |
Screen Share |
Screenshot of VPN concentration that shows encryption is on and enabled (point-to-point, etc.).
|
AC.L2-3.1.14 – Remote Access Routing
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.14 Route remote access via managed access control points.
|
| [a] managed access control points are identified and implemented. |
Screen Share |
Screen share that shows access control points (groups and/or users).
|
| [b] remote access is routed through managed network access control points. |
Screen Share |
Screen share that shows access control points and how they are managed.
|
AC.L2-3.1.15 – Privileged Remote Access
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
|
| [a] privileged commands authorized for remote execution are identified. |
Document |
SSP or policy (documentation) that defines what is authorized to be executed remotely and how that is handled.
|
| [b] security-relevant information authorized to be accessed remotely is identified. |
Document |
SSP or policy (documentation) that defines what can be accessed remotely and what procedures are implemented to allow this (RDP, jump box).
|
| [c] the execution of the identified privileged commands via remote access is authorized. |
Screen Share |
Screen share that shows who has access to perform privileged commands a remotely (access groups for privileged accounts).
|
| [d] access to the identified security-relevant information via remote access is authorized. |
Screen Share |
Screen share that shows the routing of remote access and how it is monitored and how many locations (Firewall, VPN Concentrator).
|
AC.L2-3.1.16 – Wireless Access Authorization
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.16 Authorize wireless access prior to allowing such connections.
|
| [a] wireless access points are identified. |
Document |
SSP, network administration document.
|
| [b] wireless access is authorized prior to allowing such connections. |
Screen Share |
Authorization profile(s) in Wireless Access Controller or Identity Manager (i.e. Cisco ISE).
|
AC.L2-3.1.17 – Wireless Access Protection
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.17 Protect wireless access using authentication and encryption.
|
| [a] wireless access to the system is protected using authentication. |
Screen Share |
Security page (or similar) of a Wireless Access Controller.
|
| [b] wireless access to the system is protected using encryption. |
Screen Share |
Security page (or similar) of a Wireless Access Controller.
|
AC.L2-3.1.18 – Mobile Device Connection
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.18 Control connection of mobile devices.
|
| [a] mobile devices that process, store, or transmit CUI are identified. |
Document |
SSP, Mobile Device Policy.
|
| [b] mobile device connections are authorized. |
Screen Share |
Authorization profile(s) in Wireless Access Controller or Identity Manager (i.e. Cisco ISE).
|
| [c] mobile device connections are monitored and logged. |
Screen Share |
Mobile device logs within the MDM, log intake (sources) configuration (within SIEM) showing MDM is feeding logs to the SIEM.
|
AC.L2-3.1.19 – Encrypt CUI on Mobile
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
|
| [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. |
Document |
SSP, Mobile Device Policy.
|
| [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. |
Screen Share |
Security policy page in MDM showing how encryption are enforced on mobile device. If no MDM or MDM doesn't enforce encryption, then validate if the devices used are on the list of devices with native FIPS approved validation.
|
AC.L2-3.1.20 – External Connections [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.20 Verify and control/limit connections to and use of external information systems.
|
| [a] connections to external systems are identified. |
Document |
SSP, Systems Interconnection Agreements, SLA.
|
| [b] the use of external systems is identified. |
Document |
SSP, Systems Interconnection Agreements, SLA.
|
| [c] connections to external systems are verified. |
Artifact |
SLA for external systems, memorandum for interconnection, information to prove that any cloud solution is at FedRAMP impact level of moderate or higher (i.e. license information, screenshot of AWS cloud dashboard, purchase order document).
|
| [d] the use of external systems is verified. |
Artifact |
SLA for external systems, memorandum for interconnection, information to prove that any cloud solution is at FedRAMP impact level of moderate or higher (i.e. license information, screenshot of AWS cloud dashboard, purchase order document).
|
| [e] connections to external systems are controlled/limited. |
Screen Share |
Firewall ruleset for controlling access to cloud service or external system.
|
| [f] the use of external systems is controlled/limited. |
Screen Share |
Firewall ruleset for controlling access to cloud service or external system.
|
AC.L2-3.1.21 – Portable Storage Use
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.21 Limit use of portable storage devices on external systems.
|
| [a] the use of portable storage devices containing CUI on external systems is identified and documented. |
Document |
SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|
| [b] limits on the use of portable storage devices containing CUI on external systems are defined. |
Document |
SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|
| [c] the use of portable storage devices containing CUI on external systems is limited as defined. |
Document |
SSP, Removable Media Policy, Acceptable Use Policy (with emphasis on portable media use).
|
AC.L2-3.1.22 – Control Public Information [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AC.L2-3.1.22 Control information posted or processed on publicly accessible information systems.
|
| [a] individuals authorized to post or process information on publicly accessible systems are identified. |
Document |
SSP, Website Governance Plan, Information Release Document.
|
| [b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. |
Document |
SSP, Website Governance Plan, Information Release Document.
|
| [c] a review process is in place prior to posting of any content to publicly accessible systems. |
Artifact |
"Information release approval process, i.e. chain of email communication from originator, approver, and final decision (may or may not include individual authorized to post);
SharePoint/electronic or paper form/ ticket system showing information flow between requestor and approver (may or may not include individual authorized to post)."
|
| [d] content on publicly accessible systems is reviewed to ensure that it does not include CUI. |
Artifact |
Incident response process, web design/update/modification SOP etc.
|
| [e] mechanisms are in place to remove and address improper posting of CUI. |
Artifact |
Incident response process, web design/update/modification SOP etc.
|
Awareness and Training (AT)
AT.L2-3.2.1 – Role-Based Risk Awareness
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AT.L2-3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
|
| [a] security risks associated with organizational activities involving CUI are identified. |
Document |
Policy of Security Awareness Training; Security Awareness Training Briefing.
|
| [b] policies, standards, and procedures related to the security of the system are identified. |
Document |
Acceptable Use Policy, Policy/Procedures/Instruction related to the security of the system.
|
| [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. |
Artifact |
Security Training Brief, training records.
|
| [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. |
Artifact |
Policies, standards and procedures for employees within training (completed training report).
|
AT.L2-3.2.2 – Role-Based Training
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AT.L2-3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-
|
| [a] information security-related duties, roles, and responsibilities are defined. |
Document |
Policy/Procedures/Instruction, Job Role Matrix, Position Descriptions, User Roles.
|
| [b] information security-related duties, roles, and responsibilities are assigned to designated personnel. |
Artifact |
Screenshot of breakout of different roles/permissions assigned to individuals (i.e. ActiveDirectory); Privilege Access Agreement.
|
| [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. |
Artifact |
Screenshot of tool and/or training specifying security specific roles, duties and responsibilities; Screenshot of required certifications (i.e. Sec+, CISSP).
|
AT.L2-3.2.3 – Insider Threat Awareness
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
|
| [a] potential indicators associated with insider threats are identified. |
Document |
Insidert Threat Policy/Procedures/Instruction; Insider Threat Training/Briefing.
|
| [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. |
Artifact |
Screenshot of training records showing completion of Insider Threat training, emails showing completion of Insider Threat training, Screenshot of certificate showing completion with individual's name.
|
Audit and Accountability (AU)
AU.L2-3.3.1 – System Auditing
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
|
| [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. |
Document |
SSP, policy, or auditing and logging process that defines specific types of events to be logged.
|
| [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. |
Document |
SSP, policy, or auditing and logging process that defines specific content of audit records/files.
|
| [c] audit records are created (generated). |
Screen Share |
Screen share of tool that shows logs are generated for all systems.
|
| [d] audit records, once created, contain the defined content. |
Screen Share |
Screen share of tool that shows logs contain defined content as defined in SSP, policy, or procedures.
|
| [e] retention requirements for audit records are defined. |
Document |
SSP, Polocy, or Auditing and logging process that describes how long records are kept.
|
| [f] audit records are retained as defined. |
Screen Share |
Screen share of tool that shows records and audit content retained at a minimum as defined.
|
AU.L2-3.3.2 – User Accountability
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
|
| [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined. |
Document |
SSP, policy, or process that defines actions traced back to individuals.
|
| [b] audit records, once created, contain the defined content. |
Screen Share |
Screen share of tool that shows audit records traced to specific users/roles.
|
AU.L2-3.3.3 – Event Review
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.3 Review and update logged events.
|
| [a] a process for determining when to review logged events is defined. |
Document |
SSP, policy, or documented process that shows frequency of when to review types of logged events.
|
| [b] event types being logged are reviewed in accordance with the defined review process. |
Artifact |
Evidence through a documented method such as meeting minutes, CAB minutes, etc. of log sources and log events being logged at the defined frequency.
|
| [c] event types being logged are updated based on the review. |
Artifact |
Evidence of implementation based on the results of the review of logged events/sources through a ticket, meeting minutes, or screen share of the tool that shows changes implemented (finetuning).
|
AU.L2-3.3.4 – Audit Failure Alerting
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.4 Alert in the event of an audit logging process failure.
|
| [a] personnel or roles to be alerted in the event of an audit logging process failure are identified. |
Document |
SSP, policy, or procedure that shows who needs to be notified in case of an audit failure.
|
| [b] types of audit logging process failures for which alert will be generated are defined. |
Document |
SSP, policy, or procedure that shows what types of failure will generate notifications.
|
| [c] identified personnel or roles are alerted in the event of an audit logging process failure. |
Artifact |
Artifact such as email or ticket that shows the identified personnel were alerted of any audit/logging process failure as defined.
|
AU.L2-3.3.5 – Audit Correlation
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
|
| [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. |
Document |
SSP, policy, or procedure covering audit logging, monitoring, and reporting.
|
| [b] defined audit record review, analysis, and reporting processes are correlated. |
Artifact |
Artifact showing an audit event and the resultant corrective action or actions to the event; this can be a Help Desk ticket, meeting notes, or a change control board items showing the event and any corrective action taken.
|
AU.L2-3.3.6 – Reduction & Reporting
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting.
|
| [a] an audit record reduction capability that supports on-demand analysis is provided. |
Screen Share |
Screen share of the logging environment where an event can be selected and traced back to a specific device, or dashboard showing realtime event analysis.
|
| [b] a report generation capability that supports on-demand reporting is provided. |
Screen Share |
Screen share showing the generation of an on demand report.
|
AU.L2-3.3.7 – Authoritative Time Source
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
|
| [a] internal system clocks are used to generate time stamps for audit records. |
Screen Share |
Screen share showing the NTP settings of a windows, Unix, Linux device; a screen share showing the NTP settings of network appliances.
|
| [b] an authoritative source with which to compare and synchronize internal system clocks is specified. |
Document |
SSP or policy indicating that devices need to be synched to a local authoritative time device that is synched with an authoritative time service.
|
| [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. |
Screen Share |
Screen share showing device logging appliance time is point to the appropriate authoritative time server.
|
AU.L2-3.3.8 – Audit Protection
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
|
| [a] audit information is protected from unauthorized access. |
Screen Share |
Screen share showing operating system permissions on the audit folders being restricted to appropriate users.
|
| [b] audit information is protected from unauthorized modification. |
Screen Share |
Screen share showing operating system permissions on the audit folders being restricted to appropriate users.
|
| [c] audit information is protected from unauthorized deletion. |
Screen Share |
Screen share showing operating system permissions on the audit folders being restricted to appropriate users.
|
| [d] audit logging tools are protected from unauthorized access. |
Screen Share |
Artifact showing access permissions in the SIEM tool.
|
| [e] audit logging tools are protected from unauthorized modification. |
Screen Share |
Artifact showing update permissions in the SIEM tool.
|
| [f] audit logging tools are protected from unauthorized deletion. |
Screen Share |
Artifact showing delete permissions in the SIEM tool.
|
AU.L2-3.3.9 – Audit Management
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| AU.L2-3.3.9 Limit management of audit logging functionality to a subset of privileged users.
|
| [a] a subset of privileged users granted access to manage audit logging functionality is defined. |
Document |
SSP or policy indicating which users or groups have access to audit logs.
|
| [b] management of audit logging functionality is limited to the defined subset of privileged users. |
Screen Share |
Artifact showing SIEM or OS folder permissions (this should be limited to the assigned users or groups); artifact showing an ACL setting in SIEM tool in regards to logs.
|
Configuration Management (CM)
CM.L2-3.4.1 – System Baselining
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
|
| [a] a baseline configuration is established. |
Document |
Documentation showing or explaining standard imaging process (how standard images are deployed and where they are stored).
|
| [b] the baseline configuration includes hardware, software, firmware, and documentation. |
Artifact |
Screenshot of repository of where images are maintained and information relating to hardware, software, and firmware.
|
| [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. |
Artifact |
Screenshot/evidence displaying management of baseline configurations (how often they are being managed as stated).
|
| [d] a system inventory is established. |
Document |
Screenshot/evidence displaying inventory listing of approved products for use.
|
| [e] the system inventory includes hardware, software, firmware, and documentation. |
Artifact |
Screeenshot/evidence displaying inventory listing of approved products and versions permitted for use.
|
| [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle. |
Artifact |
Screeenshot/evidence displaying management of baseline configurations (How often and are they being managed as stated.
|
CM.L2-3.4.2 – Security Configuration Enforcement
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
|
| [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration. |
Document |
Documentation explaining methodology used by organization to create secure baselines (STIGs, benchmarks).
|
| [b] security configuration settings for information technology products employed in the system are enforced. |
Artifact |
Evidence of tool/s used to enforce security configurations to ensure images used are free from modification unless authorized.
|
CM.L2-3.4.3 – System Change Management
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.
|
| [a] changes to the system are tracked. |
Artifact |
Evidence of IT Service Management tool / process used to track system changes.
|
| [b] changes to the system are reviewed. |
Artifact |
Evidence of IT Service Management tool / process used to review system changes.
|
| [c] changes to the system are approved or disapproved. |
Artifact |
Evidence of IT Service Management tool / process used to approve/disapprove system changes.
|
| [d] changes to the system are logged. |
Artifact |
Evidence of IT Service Management tool / process used to log system changes.
|
CM.L2-3.4.4 – Security Impact Analysis
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.4 Analyze the security impact of changes prior to implementation.
|
| [a] the security impact of changes to the system is analyzed prior to implementation. |
Artifact |
Document explaining that security impact analysis of proposed changes to a system is conducted prior to implementation.
|
CM.L2-3.4.5 – Access Restrictions for Change
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
|
| [a] physical access restrictions associated with changes to the system are defined. |
Document |
Document explaining the process of how physical access restrictions are defined for an individuals ability to make system changes.
|
| [b] physical access restrictions associated with changes to the system are documented. |
Document |
Document explaining the process of how physical access restrictions are defined for an individuals ability to make system changes are documented; access request process.
|
| [c] physical access restrictions associated with changes to the system are approved. |
Artifact |
Evidence of process of how physical access to systems are granted (i.e. physical access request sample).
|
| [d] physical access restrictions associated with changes to the system are enforced. |
Physical Review |
Evidence of process of how physical access to systems are enforced (physical access system).
|
| [e] logical access restrictions associated with changes to the system are defined. |
Document |
Document explaining the process of how logical access restrictions are defined for an individual's ability to make system changes.
|
| [f] logical access restrictions associated with changes to the system are documented. |
Document |
Document explaining the process of how logical access restrictions are defined for an individual's ability to make system changes are documented.
|
| [g] logical access restrictions associated with changes to the system are approved. |
Artifact |
Evidence of process of how logical access to systems are granted.
|
| [h] logical access restrictions associated with changes to the system are enforced. |
Artifact |
Evidence of process of how logical access to systems are enforced.
|
CM.L2-3.4.6 – Least Functionality
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
|
| [a] essential system capabilities are defined based on the principle of least functionality. |
Document |
Documentation explaining how systems are configured to utilize the principle of least functionality for designated users.
|
| [b] the system is configured to provide only the defined essential capabilities. |
Screen Share |
Evidence displaying how systems are configured to utilize the principle of least functionality for designated users; disabled service settings, accepted standards for hardening (CIS benchmarks, etc.).
|
CM.L2-3.4.7 – Nonessential Functionality
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
|
| [a] essential programs are defined. |
Document |
Documented essential programs specified; build documents; software center; SSP.
|
| [b] the use of nonessential programs is defined. |
Document |
Documented listing of nonessential programs (whatever is NOT specified in [a]); AUP/User Agreement may identify nonessential use/programs.
|
| [c] the use of nonessential programs is restricted, disabled, or prevented as defined. |
Screen Share |
Tool used to restrict nonessential programs displays restrictions as defined (McAfee ePO settings, Carbon Black rules, etc.).
|
| [d] essential functions are defined. |
Document |
Documented essential functions are specified.
|
| [e] the use of nonessential functions is defined. |
Document |
Documented nonessential functions are specified.
|
| [f] the use of nonessential functions is restricted, disabled, or prevented as defined. |
Screen Share |
Tool used to restrict essential/nonessential functions displays restrictions as defined.
|
| [g] essential ports are defined. |
Document |
Documented essential ports are specified.
|
| [h] the use of nonessential ports is defined. |
Document |
Documented nonessential ports functions are specified.
|
| [i] the use of nonessential ports is restricted, disabled, or prevented as defined. |
Screen Share |
Tool used to restrict essential/nonessential ports displays restrictions as defined (FW rules; McAfee; GPO, etc.).
|
| [j] essential protocols are defined. |
Document |
Documented essential protocols are specified.
|
| [k] the use of nonessential protocols is defined. |
Document |
Documented nonessential protocols functions are specified.
|
| [l] the use of nonessential protocols is restricted, disabled, or prevented as defined. |
Screen Share |
Tool used to restrict essential/nonessential protocols displays restrictions as defined (FW rules; GPO, etc.).
|
| [m] essential services are defined. |
Document |
Documented essential services specified.
|
| [n] the use of nonessential services is defined. |
Document |
Documented nonessential services functions are specified.
|
| [o] the use of nonessential services is restricted, disabled, or prevented as defined. |
Screen Share |
Tool used to restrict essential/nonessential services displays restrictions as defined.
|
CM.L2-3.4.8 – Application Execution Policy
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
|
| [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified. |
Document |
Documentation explaining whitelisting or blacklisting process.
|
| [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified. |
Document |
Documentation explaining whitelisting or blacklisting process for software.
|
| [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. |
Screen Share |
Tool used for whitelisting or blacklisting for software shows capability of restricting/authorizing software (Carbon Black dashboard, "SW Store", web proxies, DNS Blackhole, etc.).
|
CM.L2-3.4.9 – User-Installed Software
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CM.L2-3.4.9 Control and monitor user-installed software.
|
| [a] a policy for controlling the installation of software by users is established. |
Document |
Documented software authorization process or methodology for approval.
|
| [b] installation of software by users is controlled based on the established policy. |
Screen Share |
Evidence that approval/restriction in installation of software by authorized personnel is implemented as specified (AUP, GPO, etc.).
|
| [c] installation of software by users is monitored. |
Screen Share |
Evidence that installation of software by authorized personnel is monitored (SCCM groups, SW Center, etc.).
|
Identification and Authentication (IA)
IA.L2-3.5.1 – Identification [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.1 Identify information system users, processes acting on behalf of users, or devices.
|
| [a] system users are identified. |
Document |
Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of non-privileged/privileged users in AD OU group (overlaps with 3.1.1 and 3.1.5).
|
| [b] processes acting on behalf of users are identified. |
Screen Share |
Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of service accounts in AD OU group (overlaps with 3.1.1 and 3.1.5).
|
| [c] devices accessing the system are identified. |
Screen Share |
Based on what is defined in their documentation (SSP, AUP, Policy, SOP), request to see a sample of domain-joined workstation & servers in AD OU group (overlaps with 3.1.1 and 3.1.5). For network devices, request screen share/artifact to show how they are identified on the enterprise network.
|
IA.L2-3.5.2 – Authentication [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
|
| [a] the identity of each user is authenticated or verified as a prerequisite to system access. |
Screen Share |
If the user logs in with non-privileged account during other demoes and then a privileged account, then this should be satisfied. If screen share is unavailable, request logs to show successful and unsuccessful login by privileged and non-privilged users.
|
| [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. |
Screen Share |
Request a log that shows successful/unsuccessful service account trying to log on to company's asset.
|
| [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. |
Screen Share |
Request a log that shows domain-joined workstation/server authenticating to AD (focus on the MAC/IP address/hostname).
|
IA.L2-3.5.3 – Multifactor Authentication
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
|
| [a] privileged accounts are identified. |
Screen Share |
Based on what is defined in their documentation, request to see a sample of privileged users in AD OU group. Overlaps with 3.1.5. Screenshot/screen share to show implementation is enforced.
|
| [b] multifactor authentication is implemented for local access to privileged accounts. |
Document |
SSP, AUP, Policy, SOP that defines that MFA is needed for privileged local access.
|
| [c] multifactor authentication is implemented for network access to privileged accounts. |
Screen Share |
Within the MFA implementation mechanism, show that privileged users are forced to use MFA; Screenshot/Screen share to show implementation is enforced.
|
| [d] multifactor authentication is implemented for network access to non-privileged accounts. |
Screen Share |
Within the MFA implementation mechanism, show that non-privileged users are forced to use MFA; Screenshot/Screen share to show implementation is enforced.
|
IA.L2-3.5.4 – Replay-Resistant Authentication
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
|
| [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts. |
Screen Share |
Show the GPO setting that enforces Kerberos within AD. If MFA is used, show the implementation to enforce replay resistant techniques. For non-windows, show the technical solution to enforce replay resistant attacks.
|
IA.L2-3.5.5 – Identifier Reuse
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.5 Prevent reuse of identifiers for a defined period.
|
| [a] a period within which identifiers cannot be reused is defined. |
Document |
SSP, policies, or SOP that defines identifier reuse.
|
| [b] reuse of identifiers is prevented within the defined period. |
Screen Share |
Show the GPO setting/technical solution that enforces what is defined in policy/documentation (this can be automated or manual process; screen share/artifacts can be presented to satisfy this requirement.
|
IA.L2-3.5.6 – Identifier Handling
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.6 Disable identifiers after a defined period of inactivity.
|
| [a] a period of inactivity after which an identifier is disabled is defined. |
Document |
SSP, policy that defines the period of inactivity after which an identifier is disabled.
|
| [b] identifiers are disabled after the defined period of inactivity. |
Screen Share |
Screen share AD or similar tool supporting directory-based identity-related services for disabled accounts (can be done by hand or script).
|
IA.L2-3.5.7 – Password Complexity
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
|
| [a] password complexity requirements are defined. |
Document |
SSP, policy that defines password complexity requirements.
|
| [b] password change of character requirements are defined. |
Document |
SSP, policy that defines change of character requirements are defined.
|
| [c] minimum password complexity requirements as defined are enforced when new passwords are created. |
Screen Share |
Screen share of AD or similar directory-based identity-related service tool to show complexity requirements.
|
| [d] minimum password change of character requirements as defined are enforced when new passwords are created. |
Screen Share |
Screen share of Group Policy configuration or similar tool providing centralized management and configuration of operating systems, applications, and users' settings to show that characters must be changed.
|
IA.L2-3.5.8 – Password Reuse
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.8 Prohibit password reuse for a specified number of generations.
|
| [a] the number of generations during which a password cannot be reused is specified. |
Document |
SSP, policy that specifies the number of generations during which a password cannot be reused is specified.
|
| [b] reuse of passwords is prohibited during the specified number of generations. |
Screen Share |
Screen share Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration to show reuse of passwords is prohibited.
|
IA.L2-3.5.9 – Temporary Passwords
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
|
| [a] an immediate change to a permanent password is required when a temporary password is used for system logon. |
Screen Share |
Screen share of Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration to show "change password at first logon."
|
IA.L2-3.5.10 – Cryptographically-Protected Passwords
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.1 Store and transmit only cryptographically-protected passwords.
|
| [a] passwords are cryptographically protected in storage. |
Screen Share |
Screen share Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration that Kerberos, or a similar network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner, is enabled.
|
| [b] passwords are cryptographically protected in transit. |
Screen Share |
Screen share Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration that Kerberos, or a similar network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner, is enabled.
|
IA.L2-3.5.11 – Obscure Feedback
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IA.L2-3.5.10 Obscure feedback of authentication information.
|
| [a] authentication information is obscured during the authentication process. |
Screen Share |
Screen share of Group Policy or similar tool providing centralized management and configuration of operating systems, applications, and users' settings in a directory-based identity-related service tool's configuration to show that passwords are obscured.
|
Incident Response (IR)
IR.L2-3.6.1 – Incident Handling
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IR.L2-3.6.1 Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
|
| [a] an operational incident-handling capability is established. |
Document |
Incident Response SOP/Plan.
|
| [b] the operational incident-handling capability includes preparation. |
Document |
Incident Response SOP/Plan, prior incident report, training, COOP plan.
|
| [c] the operational incident-handling capability includes detection. |
Document |
Incident Response SOP/Plan; definition of tools used to detect; artifacts showing tools used; prior incident report.
|
| [d] the operational incident-handling capability includes analysis. |
Document |
Incident Response SOP/Plan; Definition of tools used to analyze potential incidents; artifacts showing tools used for analysis; prior incident report.
|
| [e] the operational incident-handling capability includes containment. |
Document |
Incident Response SOP/Plan; isolation/quarantine process; user training.
|
| [f] the operational incident-handling capability includes recovery. |
Document |
Incident Response SOP/Plan; COOP Plan; prior incident reports, re-baselining impacted devices.
|
| [g] the operational incident-handling capability includes user response. |
Document |
Incident Response SOP/Plan; user awareness training; Help Desk process.
|
IR.L2-3.6.2 – Incident Reporting
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IR.L2-3.6.2 Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
|
| [a] incidents are tracked. |
Artifact |
Incident Response SOP/Plan; ITSM artifact; technical implementation for incident tracking.
|
| [b] incidents are documented. |
Artifact |
Incident Response SOP/Plan; ITSM artifact; technical implementation for incident tracking.
|
| [c] authorities to whom incidents are to be reported are identified. |
Document |
Incident Response SOP/Plan.
|
| [d] organizational officials to whom incidents are to be reported are identified. |
Document |
Incident Response SOP/Plan.
|
| [e] identified authorities are notified of incidents. |
Screen Share |
Prior incident report; DIBNET login; prior email notifications.
|
| [f] identified organizational officials are notified of incidents. |
Artifact |
Prior incident report; prior email notifications; tabletop exercises.
|
IR.L2-3.6.3 – Incident Response Testing
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| IR.L2-3.6.3 Test the organizational incident response capability.
|
| [a] the incident response capability is tested. |
Artifact |
Incident response table top/scheduled or unscheduled test or penetration test.
|
Maintenance (MA)
MA.L2-3.7.1 – Perform Maintenance
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MA.L2-3.7.1 Perform maintenance on organizational systems.
|
| [a] system maintenance is performed. |
Artifact |
Establish typical maintenance activities (HVAC, UPS, power distribution, generators, copier maintenance) that are performed; maintenance agreements or contracts detailing these types of activities are acceptable; interview responses should be considered. This requirement should not be confused with 3.14.1 - report, remediate, and correct system flaws in a timely manner (patch management).
|
MA.L2-3.7.2 – System Maintenance Control
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MA.L2-3.7.2 Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
|
| [a] tools used to conduct system maintenance are controlled. |
Artifact |
Tools may largely depend on the assessed environment; discussion examples include network diagnostic and monitoring tools (including hardware and software); artifacts could demonstrate secured locations/areas for these tools (photos) or checkout sheets/rosters (documents) depicting responsible personnel and the dates/times of checkout.
|
| [b] techniques used to conduct system maintenance are controlled. |
Artifact |
Processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system.
|
| [c] mechanisms used to conduct system maintenance are controlled. |
Artifact |
Processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system.
|
| [d] personnel used to conduct system maintenance are controlled. |
Physical Review |
Screenshot of who is authorized to conduct maintenance; maintenance personnel training program.
|
MA.L2-3.7.3 – Equipment Sanitization
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MA.L2-3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
|
| [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. |
Artifact |
Document or artifact; record if equipment sanitized; categories of sanitization/destruction defined; sanitization procedural document.
|
MA.L2-3.7.4 – Media Inspection
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MA.L2-3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
|
| [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. |
Artifact |
Screenshot of diagnostic/test program being used (such as Symantec and McAfee on access scans…).
|
MA.L2-3.7.5 – Nonlocal Maintenance
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MA.L2-3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
|
| [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections. |
Screen Share |
Describe MFA used to remote from external service to organizational systems for maintenance and screenshot of MFA (3.5.3)(points associated with admin).
|
| [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. |
Screen Share |
Screenshot VPN session timeout.
|
MA.L2-3.7.6 – Maintenance Personnel
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MA.L2-3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
|
| [a] maintenance personnel without required access authorization are supervised during maintenance activities. |
Document |
System maintenance policy; list of authorized personnel; maintenance records or, contracts/SLAs; WebEx.
|
Media Protection (MP)
MP.L2-3.8.1 – Media Protection
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
|
| [a] paper media containing CUI is physically controlled. |
Document |
Policy showing CUI paper media is controlled; artifact showing who has access; artifacts/records of inventories conducted; media check out procedures (i.e. file cabinets, encryption, password protection).
|
| [b] digital media containing CUI is physically controlled. |
Document |
Policy showing CUI digital media is controlled; artifact showing who has access; artifacts/records of inventories conducted; media check out procedures (i.e. file cabinets, external drives, USBs, encryption, password protection).
|
| [c] paper media containing CUI is securely stored. |
Physical Review |
Check out/sign out sheets; possible photo of storage container/video walk through of storage area; badge reader logs or access lists for keys for secured areas; interview response considered (i.e. file cabinets, encryption, password protection).
|
| [d] digital media containing CUI is securely stored. |
Physical Review |
Check out/sign out sheets; possible photo of storage container/video walk through of storage area; badge reader logs or access lists for keys for secured areas; interview response considered (i.e. file cabinets, external drives, USBs, encryption, password protection).
|
MP.L2-3.8.2 – Media Access
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.2 Limit access to CUI on system media to authorized users.
|
| [a] access to CUI on system media is limited to authorized users. |
Artifact |
Document describing how CUI is limited AND artifact showing principle of least access is implemented.
|
MP.L2-3.8.3 – Media Disposal [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.3 Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
|
| [a] system media containing CUI is sanitized or destroyed before disposal. |
Document |
Policy or artifact of media destruction logs; certificates of destruction; SLAs or contracts.
|
| [b] system media containing CUI is sanitized before it is released for reuse. |
Document |
Policy or artifact describing method to sanitize, software used (i.e. DoD Wipe, ShredIT and Iron Mountain; Blancco; GDisk, DBAN).
|
MP.L2-3.8.4 – Media Markings
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.4 Mark media with necessary CUI markings and distribution limitations.
|
| [a] media containing CUI is marked with applicable CUI markings. |
Physical Review |
Document or artifact showing CUI markings (i.e. labeling standards ).
|
| [b] media containing CUI is marked with distribution limitations. |
Physical Review |
Document or artifact showing distro limitations (i.e. labeling standards ).
|
MP.L2-3.8.5 – Media Accountability
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
|
| [a] access to media containing CUI is controlled. |
Document |
Policy, artifact of audit logs showing tracking, Access Control Lists, records of transport activities (i.e. USB drives, CDs, chain of custody.
|
| [b] accountability for media containing CUI is maintained during transport outside of controlled areas. |
Artifact |
Artifact of audit logs showing tracking, Access Control Lists, records of transport activities (i.e. USB drives, CDs; chain of custody.
|
MP.L2-3.8.6 – Portable Storage Encryption
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
|
| [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. |
Artifact |
Artifact showing crypto mechanisms used to protect (are they FIPS 140-2 [13.11]); artifact showing what alternative physical safeguards are in place (i.e. encryption; BitLocker; McAfee ).
|
MP.L2-3.8.7 – Removable Media
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.7 Control the use of removable media on system components.
|
| [a] the use of removable media on system components is controlled. |
Artifact |
Policy showing if removable media is allowed; writable removable media is restricted; tracking artifacts; what tools are used (i.e. Carbon Black, Crowd Strike, GPO, Zoho Desktop Central); procedure/process describing what happens if it is lost; what mechanisms are in place to control/restrict removable media (i.e. Active Directory Groups and Group Policy artifact showing restriction).
|
MP.L2-3.8.8 – Shared Media
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.ASSESSMENT OBJECTIVES
|
| [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. |
Artifact |
Policy and/or artifact showing company stance on portable storage devices if there is no owner (are personal USB devices allowed or are they company-issued; artifact showing alerts if device is connected to network (i.e. external HDD, Carbon Black, Crowd Strike, GPO, Zoho Desktop Central.
|
MP.L2-3.8.9 – Protect Backups
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| MP.L2-3.8.9 Protect the confidentiality of backup CUI at storage locations.
|
| [a] the confidentiality of backup CUI is protected at storage locations. |
Artifact |
Policy on system backups; artifact showing media labeling; artifact showing encyption (is it FIPS 140-2 [13.11]); Access Control List artifact (i.e. backup tapes, Tivoli Storage Manager).
|
Personnel Security (PS)
PS.L2-3.9.1 – Screen Individuals
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PS.L2-3.9.1 Screen individuals prior to authorizing access to organizational systems containing CUI.
|
| [a] individuals are screened prior to authorizing access to organizational systems containing CUI. |
Artifact |
Screenshot of records of screened personnel/background checks.
|
PS.L2-3.9.2 – Personnel Actions
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PS.L2-3.9.2 Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
|
| [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established. |
Document |
Personnel security policy/procedures/instruction; Access control policy/procedure/instruction.
|
| [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer. |
Artifact |
Screenshot of records of personnel transfer and termination actions.
|
| [c] the system is protected during and after personnel transfer actions. |
Artifact |
Completed outprocessing checklist.
|
Physical Protection (PE)
PE.L2-3.10.1 – Limit Physical Access [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PE.L2-3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
|
| [a] authorized individuals allowed physical access are identified. |
Artifact |
Authorized personnel (names) access list.
|
| [b] physical access to organizational systems is limited to authorized individuals. |
Physical Review |
Badge reader logs, audit logs, and/or card swipe test.
|
| [c] physical access to equipment is limited to authorized individuals. |
Physical Review |
Badge reader logs, audit logs, and/or card swipe test.
|
| [d] physical access to operating environments is limited to authorized. |
Physical Review |
Badge reader logs, audit logs, and/or card swipe test.
|
PE.L2-3.10.2 – Monitor Facility
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PE.L2-3.10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
|
| [a] the physical facility where organizational systems reside is protected. |
Physical Review |
Physical security measures and barriers into the physical facility (cameras/locks/gates/guards, etc.).
|
| [b] the support infrastructure for organizational systems is protected. |
Physical Review |
Physical barriers to entries into computer spaces, server rooms, etc.
|
| [c] the physical facility where organizational systems reside is monitored. |
Physical Review |
Audit logs/how the physical facility is being monitored (cameras/access system/guards, etc.).
|
| [d] the support infrastructure for organizational systems is monitored. |
Physical Review |
Audit logs/how the physical facility is being monitored (cameras/access system/guards, etc.).
|
PE.L2-3.10.3 – Escort Visitors [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PE.L2-3.10.3 Escort visitors and monitor visitor activity.
|
| [a] visitors are escorted. |
Physical Review |
Policy/procedures/instruction on methodology for handling non-authorized personnel (entry to exit).
|
| [b] visitor activity is monitored. |
Physical Review |
Policy/procedures/instructio on methodology for handling non-authorized personnel (entry to exit).
|
PE.L2-3.10.4 – Physical Access Logs [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PE.L2-3.10.4 Maintain audit logs of physical access.
|
| [a] audit logs of physical access are maintained. |
Artifact |
Log or report from badging system.
|
PE.L2-3.10.5 – Manage Physical Access [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PE.L2-3.10.5 Control and manage physical access devices.
|
| [a] physical access devices are identified. |
Document |
Physical access control systems description, guard force contract/policy, key locks, logical systems specifications, etc.
|
| [b] physical access devices are controlled. |
Physical Review |
Inventory records of physical access control devices (e.g. keys, locks, card readers, locks, etc.).
|
| [c] physical access devices are managed. |
Physical Review |
List of security safeguards controlling access to the facility (e.g. cameras, monitoring by guards, isolation of IT systems equiment and or system components).
|
PE.L2-3.10.6 – Alternative Work Sites
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| PE.L2-3.10.6 Enforce safeguarding measures for CUI at alternate work sites.
|
| [a] safeguarding measures for CUI are defined for alternate work sites. |
Document |
Telework agreement, Acceptable Use Policy and SOP for alternate work locations; user security training validation which includes physical/logical/technical protections of system at alternate work sites.
|
| [b] safeguarding measures for CUI are enforced for alternate work sites. |
Artifact |
Monitoring/audit log of user activity and logical/physical/technical mechanisms in place to preclude unauthorized activity (telework agreement , AUP?).
|
Risk Assessment (RA)
RA.L2-3.11.1 – Risk Assessments
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| RA.L2-3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
|
| [a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined. |
Document |
Risk assessment policy.
|
| [b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. |
Artifact |
Copy of last risk assessment done within defined frequency.
|
RA.L2-3.11.2 – Vulnerability Scan
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| RA.L2-3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
|
| [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined. |
Document |
Policy/procedures/instruction addressing vulnerability scanning records.
|
| [b] vulnerability scans are performed on organizational systems with the defined frequency. |
Screen Share |
System configuration settings of vulnerability scanning scheduling and vulnerability scan results of systems within defined frequency.
|
| [c] vulnerability scans are performed on applications with the defined frequency. |
Screen Share |
System configuration settings of vulnerability scanning scheduling and vulnerability scan results of applications within defined frequency.
|
| [d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified. |
Screen Share |
View signatures in scanning tool/ad hoc scan performed as a result.
|
| [e] vulnerability scans are performed on applications when new vulnerabilities are identified. |
Screen Share |
View signatures in scanning tool/ad hoc scan performed as a result.
|
RA.L2-3.11.3 – Vulnerability Remediation
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| RA.L2-3.11.3 Remediate vulnerabilities in accordance with risk assessments.
|
| [a] vulnerabilities are identified. |
Artifact |
Scan results showing vulnerabilities identified.
|
| [b] vulnerabilities are remediated in accordance with risk assessments. |
Artifact |
Screenshot/document of scan results of remediated vulnerabilities in accordance to risk assessments.
|
Security Assessment (CA)
CA.L2-3.12.1 – Security Control Assessment
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CA.L2-3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
|
| [a] the frequency of security control assessments is defined. |
Document |
SSP.
|
| [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application. |
Artifact |
Copy of last security control assessment done within defined frequency.
|
CA.L2-3.12.2 – Operational Plan of Action
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CA.L2-3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
|
| [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified. |
Artifact |
Plan of Action (POA).
|
| [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. |
Artifact |
Plan of Action (POA).
|
| [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. |
Artifact |
Plan of Action (POA)/previously completed POAs.
|
CA.L2-3.12.3 – Security Control Monitoring
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CA.L2-3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
|
| [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. |
Artifact |
Collection of risk assessment results, internal or third-party audits/security assessments and/or continuous monitoring reports/alerts (SIEM tool, etc.).
|
CA.L2-3.12.4 – System Security Plan =
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| CA.L2-3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
|
| [a] a system security plan is developed. |
Document |
SSP.
|
| [b] the system boundary is described and documented in the system security plan. |
Document |
SSP and any supporting documentation.
|
| [c] the system environment of operation is described and documented in the system security plan. |
Document |
SSP and any supporting documentation.
|
| [d] the security requirements identified and approved by the designated authority as non-applicable are identified. |
Document |
SSP and required adjudication from DoD CIO.
|
| [e] the method of security requirement implementation is described and documented in the system security plan. |
Document |
SSP and any supporting documentation.
|
| [f] the relationship with or connection to other systems is described and documented in the system security plan. |
Document |
SSP and any supporting documentation.
|
| [g] the frequency to update the system security plan is defined. |
Document |
SSP.
|
| [h] system security plan is updated with the defined frequency. |
Document |
SSP/any previous versions.
|
System and Communications Protection (SC)
SC.L2-3.13.1 – Boundary Protection [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
|
| [a] the external system boundary is defined. |
Document |
SSP, network diagrams, CUI flow, cloud provider FedRAMP Moderate.
|
| [b] key internal system boundaries are defined. |
Document |
SSP, network diagrams, CUI flow.
|
| [c] communications are monitored at the external system boundary. |
Screen Share |
SSP, logging server, boundary device configurations, monitoring policy.
|
| [d] communications are monitored at key internal boundaries. |
Screen Share |
SSP, logging server, boundary device configurations, monitoring policy.
|
| [e] communications are controlled at the external system boundary. |
Screen Share |
SSP, boundary device configurations, ACL, subnets, DMZ.
|
| [f] communications are controlled at key internal boundaries. |
Screen Share |
SSP, boundary device configurations, ACL, subnets.
|
| [g] communications are protected at the external system boundary. |
Screen Share |
Configurations for IPS/IDS, email gateway, VLAN, proxy, firewall, malware protection, DNS, TSL.
|
| [h] communications are protected at key internal boundaries. |
Screen Share |
Configurations for IPS/IDS, VLAN, firewall, malware protection, SSL.
|
SC.L2-3.13.2 – Security Engineering
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
|
| [a] architectural designs that promote effective information security are identified. |
Document |
SSP, config management policy, network diagram, CCB minutes, enterprise architecture process.
|
| [b] software development techniques that promote effective information security are identified. |
Document |
SSP, config management policy, SDLC, CCB minutes.
|
| [c] systems engineering principles that promote effective information security are identified. |
Document |
SSP, config management policy, CCB minutes, security architecture engineering.
|
| [d] identified architectural designs that promote effective information security are employed. |
Artifact |
CCB minutes, Network diagrams and configurations, Project Plans.
|
| [e] identified software development techniques that promote effective information security are employed. |
Artifact |
CCB minutes, SDLC, code scanner results, code management tracking.
|
| [f] identified systems engineering principles that promote effective information security are employed. |
Artifact |
CCB minutes, configuration management, ITSM, patch management, lifecycle replacement processes.
|
SC.L2-3.13.3 – Role Separation
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.3 Separate user functionality from system management functionality.
|
| [a] user functionality is identified. |
Document |
SSP, AUP.
|
| [b] system management functionality is identified. |
Document |
SSP, Privileged Account Agreement.
|
| [c] user functionality is separated from system management functionality. |
Screen Share |
Active Directory, Jump Boxes, GPO, VM, RDP.
|
SC.L2-3.13.4 – Shared Resource Control
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
|
| [a] unauthorized and unintended information transfer via shared system resources is prevented. |
Screen Share |
SSP, OS configurations, Linux containers, system/media reuse policies, certificate management policies, media destruction policies, printer configs, VDI configuration.
|
SC.L2-3.13.5 – Public-Access System Separation [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
|
| [a] publicly accessible system components are identified. |
Document |
SSP, network diagram, DMZ inventory/roles.
|
| [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. |
Artifact |
Network diagram, IPAM, VLAN, DHCP, DMZ.
|
SC.L2-3.13.6 – Network Communication by Exception
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
|
| [a] network communications traffic is denied by default. |
Screen Share |
Host and network firewall rules, SIEM logs, hit counts.
|
| [b] network communications traffic is allowed by exception. |
Screen Share |
Host and network firewall rules, SIEM logs, hit counts.
|
SC.L2-3.13.7 – Split Tunneling
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
|
| [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). |
Screen Share |
VPN appliance/server configuration, endpoint VPN software configuration.
|
SC.L2-3.13.8 – Data in Transit
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
|
| [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. |
Document |
SSP, PKI policies, configuration processes, config management, email attachment encryption policy, removable media policy, data at rest policy.
|
| [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. |
Document |
SSP, physical security policy.
|
| [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. |
Screen Share |
TLS settings, SSL settings, VPN/Wireless Access Points/Mobile Devices cryptographic settings, ODBC connector settings, SAN configuration, IPSec/MPLS, backup configuration, physical security.
|
SC.L2-3.13.9 – Connections Termination
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
|
| [a] a period of inactivity to terminate network connections associated with communications sessions is defined. |
Document |
SSP, network communications policy.
|
| [b] network connections associated with communications sessions are terminated at the end of the sessions. |
Screen Share |
VPN appliance/server logs, VPN configurations, web server configurations, firewall connection settings.
|
| [c] network connections associated with communications sessions are terminated after the defined period of inactivity. |
Screen Share |
VPN appliance/server logs, VPN configurations, web server configurations, frewall connection settings.
|
SC.L2-3.13.10 – Key Management
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems.
|
| [a] cryptographic keys are established whenever cryptography is employed. |
Artifact |
SSP, PKI/certificate management policy, configuration management.
|
| [b] cryptographic keys are managed whenever cryptography is employed. |
Artifact |
SSP, PKI/certificate management policy, configuration management, access control policy.
|
SC.L2-3.13.11 – CUI Encryption
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
|
| [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI. |
Screen Share |
VPN, wireless, mobile devices, client certificates, server certificates, disk encryption, Outlook plugin, external mail, backup media, ePO server, removable storage, SAN, file compression; look for FIPS mode enabled on appliances.
|
SC.L2-3.13.12 – Collaborative Device Control
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
|
| [a] collaborative computing devices are identified. |
Document |
SSP, network diagrams.
|
| [b] collaborative computing devices provide indication to users of devices in use. |
Physical Review |
Physical inspection of device.
|
| [c] remote activation of collaborative computing devices is prohibited. |
Screen Share |
Collaboration device configuration/console.
|
SC.L2-3.13.13 – Mobile Code
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.13 Control and monitor the use of mobile code.
|
| [a] use of mobile code is controlled. |
Screen Share |
GPO settings, malware protection, software agent configurations, software development policies, code scanners, MDM configuration, firewall/secure web gateway/proxy config.
|
| [b] use of mobile code is monitored. |
Screen Share |
SIEM/console monitoring.
|
SC.L2-3.13.14 – Voice over Internet Protocol
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
|
| [a] use of Voice over Internet Protocol (VoIP) technologies is controlled. |
Artifact |
VLAN, ACL, firewall config, VoIP gateway/condenser configuration.
|
| [b] use of Voice over Internet Protocol (VoIP) technologies is monitored. |
Artifact |
SIEM/VoIP console monitoring, session border controller.
|
SC.L2-3.13.15 – Communications Authenticity
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.15 Protect the authenticity of communications sessions.
|
| [a] the authenticity of communications sessions is protected. |
Screen Share |
SSL, TLS, SMB3, SFTP, IPSec, SSH, Kerberos configs, MPLS, Network Access Control.
|
SC.L2-3.13.16 – Data at Rest
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SC.L2-3.13.16 Protect the confidentiality of CUI at rest.
|
| [a] the confidentiality of CUI at rest is protected. |
Artifact |
Full disk encryption, removable media encryption, SAN encryption, digital backups, mobile device encryption, third party offsite backup storage, cloud virtualization encryption, physical media storage policies.
|
System and Information Integrity (SI)
SI.L2-3.14.1 – Flaw Remediation [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SI.L2-3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
|
| [a] the time within which to identify system flaws is specified. |
Document |
SSP, patch management policy.
|
| [b] system flaws are identified within the specified time frame. |
Screen Share |
Vulnerability management scanner output and scan policy configuration.
|
| [c] the time within which to report system flaws is specified. |
Document |
SSP, patch management policy.
|
| [d] system flaws are reported within the specified time frame. |
Screen Share |
ITSM/trouble tickets, vulnerability management scanner output.
|
| [e] the time within which to correct system flaws is specified. |
Document |
SSP, patch management policy.
|
| [f] system flaws are corrected within the specified time frame. |
Screen Share |
Vulnerability management scanner output and scan policy configuration.
|
SI.L2-3.14.2 – Malicious Code ProTection [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SI.L2-3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
|
| [a] designated locations for malicious code protection are identified. |
Document |
SSP, system protection policy, network diagrams, security architecture documents.
|
| [b] protection from malicious code at designated locations is provided. |
Screen Share |
Endpoint security settings, email/web proxy gateways, firewall, IPS sensor, MDM configuration, Network Access Control.
|
SI.L2-3.14.3 – Security Alerts & Advisories
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SI.L2-3.14.3 Monitor system security alerts and advisories and take action in response.
|
| [a] response actions to system security alerts and advisories are identified. |
Document |
SSP, vulnerability management policy, Incident Response Plan.
|
| [b] system security alerts and advisories are monitored. |
Artifact |
Threat intelligence subscriptions, email advisories.
|
| [c] actions in response to system security alerts and advisories are taken. |
Artifact |
ITSM/trouble tickets, user notifications, updates to firewall/IPS, etc.
|
SI.L2-3.14.4 – Update Malicious Code Protection [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SI.L2-3.14.4 Update malicious code protection mechanisms when new releases are available.
|
| [a] malicious code protection mechanisms are updated when new releases are available. |
Screen Share |
Antivirus console dashboard, firewall AV, Email gateway signatures,proxy, IPS updates.
|
SI.L2-3.14.5 – System & File Scanning [CUI Data]
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SI.L2-3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
|
| [a] the frequency for malicious code scans is defined. |
Document |
SSP, vulnerability management policy.
|
| [b] malicious code scans are performed with the defined frequency. |
Screen Share |
Consoles for AV (endpoints, servers, and file shares), firewall, email gateway, proxy, IPS, MDM configurations.
|
| [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. |
Screen Share |
Consoles for AV (endpoints, servers, and file shares), firewall, email gateway, proxy, IPS, MDM configurations.
|
SI.L2-3.14.6 – Monitor Communications for Attacks
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SI.L2-3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
|
| [a] the system is monitored to detect attacks and indicators of potential attacks. |
Screen Share |
Firewall, IPS, endpoint protection, SIEM alerts and reports.
|
| [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks. |
Screen Share |
Firewall, IPS, endpoint protection, SIEM alerts and reports.
|
| [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks. |
Screen Share |
Firewall, IPS, endpoint protection, SIEM alerts and reports.
|
SI.L2-3.14.7 – Identify Unauthorized Use
| Assessment Objectives
|
Collection Approach
|
Evidence Examples
|
| SI.L2-3.14.7 Identify unauthorized use of organizational systems.
|
| [a] authorized use of the system is defined. |
Document |
AUP, SSP.
|
| [b] unauthorized use of the system is identified. |
Artifact |
SIEM logs, endpoint protection console, IPS, Firewall.
|