Level 1 Assessment Guide

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

[a] authorized users are identified;

[b] processes acting on behalf of authorized users are identified;

[c] devices (and other systems) authorized to connect to the system are identified;

[d] system access is limited to authorized users;

[e] system access is limited to processes acting on behalf of authorized users; and

[f] system access is limited to authorized devices (including other systems).

Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

[a] the types of transactions and functions that authorized users are permitted to execute are defined; and

[b] system access is limited to the defined types of transactions and functions for authorized users.

Verify and control/limit connections to and use of external information systems.

[a] connections to external systems are identified;

[b] the use of external systems is identified;

[c] connections to external systems are verified;

[d] the use of external systems is verified;

[e] connections to external systems are controlled/limited; and

[f] the use of external systems is controlled/limited.

Control information posted or processed on publicly accessible information systems.

[a] individuals authorized to post or process information on publicly accessible systems are identified;

[b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;

[c] a review process is in place prior to posting of any content to publicly accessible systems;

[d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and

[e] mechanisms are in place to remove and address improper posting of FCI.

Identify information system users, processes acting on behalf of users, or devices.

[a] system users are identified;

[b] processes acting on behalf of users are identified; and

[c] devices accessing the system are identified.

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

[a] the identity of each user is authenticated or verified as a prerequisite to system access;

[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and

[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

[a] system media containing FCI is sanitized or destroyed before disposal; and

[b] system media containing FCI is sanitized before it is released for reuse.

Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

[a] authorized individuals allowed physical access are identified;

[b] physical access to organizational systems is limited to authorized individuals;

[c] physical access to equipment is limited to authorized individuals; and

[d] physical access to operating environments is limited to authorized.

Escort visitors and monitor visitor activity.

[a] visitors are escorted; and

[b] visitor activity is monitored.

Maintain audit logs of physical access.

[a] audit logs of physical access are maintained.

Control and manage physical access devices.

[a] physical access devices are identified;

[b] physical access devices are controlled; and

[c] physical access devices are managed.

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

[a] the external system boundary is defined;

[b] key internal system boundaries are defined;

[c] communications are monitored at the external system boundary;

[d] communications are monitored at key internal boundaries;

[e] communications are controlled at the external system boundary;

[f] communications are controlled at key internal boundaries;

[g] communications are protected at the external system boundary; and

[h] communications are protected at key internal boundaries.

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

[a] publicly accessible system components are identified; and

[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.

Identify, report, and correct information and information system flaws in a timely manner.

[a] the time within which to identify system flaws is specified;

[b] system flaws are identified within the specified time frame;

[c] the time within which to report system flaws is specified;

[d] system flaws are reported within the specified time frame;

[e] the time within which to correct system flaws is specified; and

[f] system flaws are corrected within the specified time frame.

Provide protection from malicious code at appropriate locations within organizational information systems.

[a] designated locations for malicious code protection are identified; and

[b] protection from malicious code at designated locations is provided.

Update malicious code protection mechanisms when new releases are available.

[a] malicious code protection mechanisms are updated when new releases are available.

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

[a] the frequency for malicious code scans is defined;

[b] malicious code scans are performed with the defined frequency; and

[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.