DoD Memo on ODPs for 800-171 Revision 3
Overview
A key aspect of NIST Special Publication 800-171 Revision 3 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, May 2024) is the inclusion of organization-defined parameters (ODPs), which allow organizations to tailor select security controls to specific security requirements, as determined by unique organizational risk management strategies.
In preparation to implement NIST SP 800-171 Revision 3 as the minimum requirement for contractors, the Department of Defense (DoD) has defined as policy the values below for the ODPs identified in the source document.
ODP values found in existing federal frameworks served as the foundation for the initial values. Input was collected from DoD offices, external government agencies, and subject matter experts from University-Affiliated Research Centers and Federally Funded Research and Development Centers. Additional input from industry stakeholders was included where appropriate. In four instances, the ODP has been defined as guidance rather than a specified value. These ODP values represent a consensus position of DoD stakeholders and will be updated as necessary.
Reference: National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 3, May 2024.
Memorandum Signed By: David W. McKeown, Performing the Duties of the Deputy DoD CIO for Cybersecurity and DoD Chief Information Security Officer.
Note: Throughout this page, the term "significant" is defined as "having or likely to have influence or effect."
Access Control
3.1.1 System Account Management
Requirement text:
- Define the types of system accounts allowed and prohibited.
- Create, enable, modify, disable, and remove system accounts in accordance with policy, procedures, prerequisites, and criteria.
- Specify:
- Authorized users of the system,
- Group and role membership, and
- Access authorizations (i.e., privileges) for each account.
- Authorize access to the system based on:
- A valid access authorization and
- Intended system usage.
- Monitor the use of system accounts.
- Disable system accounts when:
- The accounts have expired,
- The accounts have been inactive for [Assignment: organization-defined time period] (03.01.01.f.02),
- The accounts are no longer associated with a user or individual,
- The accounts are in violation of organizational policy, or
- Significant risks associated with individuals are discovered.
- Notify account managers and designated personnel or roles within:
- [Assignment: organization-defined time period] (03.01.01.g.01) when accounts are no longer required,
- [Assignment: organization-defined time period] (03.01.01.g.02) when users are terminated or transferred, and
- [Assignment: organization-defined time period] (03.01.01.g.03) when system usage or the need-to-know changes for an individual.
- Require that users log out of the system after:
- [Assignment: organization-defined time period] (03.01.01.h.01) of expected inactivity, or
- When [Assignment: organization-defined circumstances] (03.01.01.h.02).
Related Controls: AC-02, AC-02(03), AC-02(05), AC-02(13)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.01.01.f.02 | organization-defined time period | at most 90 days |
| 03.01.01.g.01 | organization-defined time period | 24 hours |
| 03.01.01.g.02 | organization-defined time period | 24 hours |
| 03.01.01.g.03 | organization-defined time period | 24 hours |
| 03.01.01.h.01 | organization-defined time period | at most 24 hours |
| 03.01.01.h.02 | organization-defined circumstances | the work period ends, for privileged users at a minimum |
3.1.5 System Access Authorization
Requirement text:
- Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.
- Authorize access to:
- [Assignment: organization-defined security functions] (03.01.05.b.01), and
- [Assignment: organization-defined security-relevant information] (03.01.05.b.02).
- Review the privileges assigned to roles or classes of users [Assignment: organization-defined frequency] (03.01.05.c) to validate the need for such privileges.
- Reassign or remove privileges, as necessary.
Related Controls: AC-06, AC-06(01), AC-06(07), AU-09(04)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.01.05.b.01 | organization-defined security functions | at a minimum and if applicable: establishing system accounts and assigning privileges, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, establishing intrusion detection parameters, and managing audit information |
| 03.01.05.b.02 | organization-defined security-relevant information | at a minimum and if applicable: threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, security architecture, access control lists, and audit information |
| 03.01.05.c | organization-defined frequency | at least every 12 months |
3.1.6 Privileged Account Management
Requirement text:
- Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles] (03.01.06.a).
- Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.
Related Controls: AC-06(02), AC-06(05)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.01.06.a | organization-defined personnel or roles | only defined and authorized personnel or administrative roles |
3.1.8 Invalid Logon Attempts
Requirement text:
- Enforce a limit of [Assignment: organization-defined number] (03.01.08.a.01) consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period] (03.01.08.a.02).
- Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action] (03.01.08.b) when the maximum number of unsuccessful attempts is exceeded.
Related Controls: AC-07
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.01.08.a.01 | organization-defined number | at most five (5) |
| 03.01.08.a.02 | organization-defined time period | period of five (5) minutes |
| 03.01.08.b | organization-defined time period (selection) | lock the account or node for at least a 15-minute time period; lock the account or node until released by an administrator and notify a system administrator |
3.1.10 Device Lock
Requirement text:
- Prevent access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] (03.01.10.a) of inactivity; requiring the user to initiate a device lock before leaving the system unattended].
- Retain the device lock until the user reestablishes access using established identification and authentication procedures.
- Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
Related Controls: AC-11, AC-11(01)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.01.10.a | organization-defined time period | initiating a device lock after "at most 15 minutes" of inactivity and requiring the user to initiate a device lock before leaving the system unattended |
3.1.11 Session Termination
Requirement text: Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect] (03.01.11).
Related Controls: AC-12
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.01.11 | organization-defined conditions or trigger events requiring session disconnect | a specified duration (maximum of 24 hours) of inactivity, misbehavior (end the session due to an attempted policy violation), and maintenance (terminate sessions to prevent issues with an upgrade or service outage) |
3.1.20 Use of External Systems
Requirement text:
- Prohibit the use of external systems unless the systems are specifically authorized.
- Establish the following security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: [Assignment: organization-defined security requirements] (03.01.20.b).
- Permit authorized individuals to use external systems to access the organizational system or to process, store, or transmit CUI only after:
- Verifying that the security requirements on the external systems as specified in the organization's system security plans have been satisfied, and
- Retaining approved system connection or processing agreements with the organizational entities hosting the external systems.
- Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems.
Related Controls: AC-20, AC-20(01), AC-20(02)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.01.20.b | organization-defined security requirements | Guidance: Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems. If applicable, use NIST SP 800-47 as a guide for establishing information exchanges between organizations. |
Awareness and Training
3.2.1 Security Literacy Training
Requirement text:
- Provide security literacy training to system users:
- As part of initial training for new users and [Assignment: organization-defined frequency] (03.02.01.a.01) thereafter,
- When required by system changes or following [Assignment: organization-defined events] (03.02.01.a.02), and
- On recognizing and reporting indicators of insider threat, social engineering, and social mining.
- Update security literacy training content [Assignment: organization-defined frequency] (03.02.01.b.01) and following [Assignment: organization-defined events] (03.02.01.b.02).
Related Controls: AT-02, AT-02(02), AT-02(03)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.02.01.a.01 | organization-defined frequency | at least every 12 months |
| 03.02.01.a.02 | organization-defined events | significant, novel incidents, or significant changes to risks |
| 03.02.01.b.01 | organization-defined frequency | at least every 12 months |
| 03.02.01.b.02 | organization-defined events | significant, novel incidents, or significant changes to risks |
3.2.2 Role-Based Security Training
Requirement text:
- Provide role-based security training to organizational personnel:
- Before authorizing access to the system or CUI, before performing assigned duties, and [Assignment: organization-defined frequency] (03.02.02.a.01) thereafter,
- When required by system changes or following [Assignment: organization-defined events] (03.02.02.a.02).
- Update role-based training content [Assignment: organization-defined frequency] (03.02.02.b.01) and following [Assignment: organization-defined events] (03.02.02.b.02).
Related Controls: AT-03
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.02.02.a.01 | organization-defined frequency | at least every 12 months |
| 03.02.02.a.02 | organization-defined events | significant, novel incidents, or significant changes to risks |
| 03.02.02.b.01 | organization-defined frequency | at least every 12 months |
| 03.02.02.b.02 | organization-defined events | significant, novel incidents, or significant changes to risks |
Audit and Accountability
3.3.1 Event Logging
Requirement text:
- Specify the following event types selected for logging within the system: [Assignment: organization-defined event types] (03.03.01.a).
- Review and update the event types selected for logging [Assignment: organization-defined frequency] (03.03.01.b).
Related Controls: AU-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.03.01.a | organization-defined event types | At a minimum and where applicable:
For additional guidance, see: OMB 21-31 ML 1 |
| 03.03.01.b | organization-defined frequency | at least every 12 months and after any significant incidents or significant changes to risks |
3.3.4 Audit Logging Process Failure
Requirement text:
- Alert organizational personnel or roles within [Assignment: organization-defined time period] (03.03.04.a) in the event of an audit logging process failure.
- Take the following additional actions: [Assignment: organization-defined additional actions] (03.03.04.b).
Related Controls: AU-05
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.03.04.a | organization-defined time period | near real time or as soon as practicable upon discovery |
| 03.03.04.b | organization-defined additional actions | document the failure and resolution, troubleshoot, repair/restart the audit logging process, and report as incident if applicable |
3.3.5 Audit Record Review and Analysis
Requirement text:
- Review and analyze system audit records [Assignment: organization-defined frequency] (03.03.05.a) for indications and the potential impact of inappropriate or unusual activity.
- Report findings to organizational personnel or roles.
- Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Related Controls: AU-06, AU-06(03)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.03.05.a | organization-defined frequency | at least weekly |
3.3.7 Time Stamps for Audit Records
Requirement text:
- Use internal system clocks to generate time stamps for audit records.
- Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] (03.03.07.b) and that use Coordinated Universal Time (UTC), have a fixed local time offset from UTC, or include the local time offset as part of the time stamp.
Related Controls: AU-08
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.03.07.b | organization-defined granularity of time measurement | a granularity of one (1) second or smaller |
Configuration Management
3.4.1 Baseline Configuration
Requirement text:
- Develop and maintain under configuration control, a current baseline configuration of the system.
- Review and update the baseline configuration of the system [Assignment: organization-defined frequency] (03.04.01.b) and when system components are installed or modified.
Related Controls: CM-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.04.01.b | organization-defined frequency | at least every 12 months and after any significant incidents or significant changes occur |
3.4.2 Configuration Settings
Requirement text:
- Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: [Assignment: organization-defined configuration settings] (03.04.02.a).
- Identify, document, and approve any deviations from established configuration settings.
Related Controls: CM-06
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.04.02.a | organization-defined configuration settings | Apply the appropriate use of common security configurations available from the National Institute of Standards and Technology's National Checklist Program (NCP) website (https://ncp.nist.gov/repository) and prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other unauthorized connection to resources in external networks. Document any deviations from the published standard or source document. |
3.4.6 System Configuration
Requirement text:
- Configure the system to provide only mission-essential capabilities.
- Prohibit or restrict use of the following functions, ports, protocols, connections, and services: [Assignment: organization-defined functions, ports, protocols, connections, and services] (03.04.06.b).
- Review the system [Assignment: organization-defined frequency] (03.04.06.c) to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.
- Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure.
Related Controls: CM-07, CM-07(01)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.04.06.b | organization-defined functions, ports, protocols, connections, and services | Guidance: Where feasible, organizations should limit component functionality to a single function per component. Organizations should consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations should employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality should also be achieved as part of the fundamental design and development of the system. |
| 03.04.06.c | organization-defined frequency | at least every 12 months, when any system functions, ports, protocols, or services changes are made, and after any significant incidents or significant changes to risks |
3.4.8 Software Execution Authorization
Requirement text:
- Identify software programs authorized to execute on the system.
- Implement a deny-all, allow-by-exception policy for the execution of authorized software programs on the system.
- Review and update the list of authorized software programs [Assignment: organization-defined frequency] (03.04.08.c).
Related Controls: CM-07(05)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.04.08.c | organization-defined frequency | at least quarterly |
3.4.10 System Component Inventory
Requirement text:
- Develop and document an inventory of system components.
- Review and update the system component inventory [Assignment: organization-defined frequency] (03.04.10.b).
- Update the system component inventory as part of installations, removals, and system updates.
Related Controls: CM-08, CM-08(01)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.04.10.b | organization-defined frequency | at least quarterly |
3.4.12 System Configurations for High-Risk Locations
Requirement text:
- Issue systems or system components with the following configurations to individuals traveling to high-risk locations: [Assignment: organization-defined system configurations] (03.04.12.a).
- Apply the following security requirements to the systems or components when the individuals return from travel: [Assignment: organization-defined security requirements] (03.04.12.b).
Related Controls: CM-02(07)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.04.12.a | organization-defined system configurations | a configuration that has no CUI or FCI stored on the system and prevents the processing, storing, and transmission of CUI and FCI, unless a specific exception is granted in writing by the Contracting Officer |
| 03.04.12.b | organization-defined security requirements | examine the system for signs of physical tampering and take the appropriate actions, and then either purge and reimage all storage media or destroy the system |
Identification and Authentication
3.5.1 User Identification and Authentication
Requirement text:
- Uniquely identify and authenticate system users, and associate that unique identification with processes acting on behalf of those users.
- Re-authenticate users when [Assignment: organization-defined circumstances or situations requiring re-authentication] (03.05.01.b).
Related Controls: IA-02, IA-11
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.05.01.b | organization-defined circumstances or situations requiring re-authentication | roles, authenticators, or credentials change (including modification of user privilege); when security categories of systems change; when the execution of privileged functions occurs; and after a session termination |
3.5.2 Device Identification and Authentication
Requirement text: Uniquely identify and authenticate [Assignment: organization-defined devices or types of devices] (03.05.02) before establishing a system connection.
Related Controls: IA-03
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.05.02 | organization-defined devices or types of devices | all devices for identification, where feasible for authentication, and document when not feasible |
3.5.5 Identifier Management
Requirement text:
- Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier.
- Select and assign an identifier that identifies an individual, group, role, service, or device.
- Prevent the reuse of identifiers for [Assignment: organization-defined time period] (03.05.05.c).
- Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status] (03.05.05.d).
Related Controls: IA-04, IA-04(04)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.05.05.c | organization-defined time period | at least ten (10) years |
| 03.05.05.d | organization-defined characteristic identifying individual status | privileged or non-privileged users; contractors, foreign nationals, and/or non-organizational users |
3.5.7 Password Management
Requirement text:
- Maintain a list of commonly used, expected, or compromised passwords, and update the list [Assignment: organization-defined frequency] (03.05.07.a) and when organizational passwords are suspected to have been compromised.
- Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords.
- Transmit passwords only over cryptographically protected channels.
- Store passwords in a cryptographically protected form.
- Select a new password upon first use after account recovery.
- Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules] (03.05.07.f).
Related Controls: IA-05(01)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.05.07.a | organization-defined frequency | at least quarterly |
| 03.05.07.f | organization-defined composition and complexity rules | 1) Must have a minimum length of 16 characters. 2) Contains a string of characters that does not include the user's account name or full name. |
3.5.12 Authenticator Management
Requirement text:
- Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.
- Establish initial authenticator content for any authenticators issued by the organization.
- Establish and implement administrative procedures for initial authenticator distribution; for lost, compromised, or damaged authenticators; and for revoking authenticators.
- Change default authenticators at first use.
- Change or refresh authenticators [Assignment: organization-defined frequency] (03.05.12.e.01) or when the following events occur: [Assignment: organization-defined events] (03.05.12.e.02).
- Protect authenticator content from unauthorized disclosure and modification.
Related Controls: IA-05
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.05.12.e.01 | organization-defined frequency | never for passwords where MFA is employed, at least every five (5) years for hard tokens and identification badges, and at least every three (3) years for all other authenticators |
| 03.05.12.e.02 | organization-defined events | after a relevant security incident or any evidence of compromise or loss |
Incident Response
3.6.2 Incident Tracking and Reporting
Requirement text:
- Track and document system security incidents.
- Report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period] (03.06.02.b).
- Report incident information to [Assignment: organization-defined authorities] (03.06.02.c).
- Provide an incident response support resource that offers advice and assistance to system users on handling and reporting incidents.
Related Controls: IR-05, IR-06, IR-07
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.06.02.b | organization-defined time period | near real time or as soon as practicable upon discovery |
| 03.06.02.c | organization-defined authorities | all applicable personnel and entities as specified by the contract, and in accordance with any incident response plan notification procedures |
3.6.3 Incident Response Testing
Requirement text: Test the effectiveness of the incident response capability [Assignment: organization-defined frequency] (03.06.03).
Related Controls: IR-03
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.06.03 | organization-defined frequency | at least every 12 months |
3.6.4 Incident Response Training
Requirement text:
- Provide incident response training to system users consistent with assigned roles and responsibilities:
- Within [Assignment: organization-defined time period] (03.06.04.a.01) of assuming an incident response role or responsibility or acquiring system access,
- When required by system changes, and
- [Assignment: organization-defined frequency] (03.06.04.a.03) thereafter.
- Review and update incident response training content [Assignment: organization-defined frequency] (03.06.04.b.01) and following [Assignment: organization-defined events] (03.06.04.b.02).
Related Controls: IR-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.06.04.a.01 | organization-defined time period | ten (10) days for privileged users, thirty (30) days for all other roles |
| 03.06.04.a.03 | organization-defined frequency | at least every 12 months |
| 03.06.04.b.01 | organization-defined frequency | at least every 12 months |
| 03.06.04.b.02 | organization-defined events | significant, novel incidents, or significant changes to risks |
Media Protection
3.8.7 System Media Restrictions
Requirement text:
- Restrict or prohibit the use of [Assignment: organization-defined types of system media] (03.08.07.a).
- Prohibit the use of removable system media without an identifiable owner.
Related Controls: MP-07
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.08.07.a | organization-defined types of system media | any removable media not managed by or on behalf of the organization |
Personnel Security
3.9.1 Screening and Rescreening
Requirement text:
- Screen individuals prior to authorizing access to the system.
- Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening] (03.09.01.b).
Related Controls: PS-03
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.09.01.b | organization-defined conditions requiring rescreening | an organizational policy requiring rescreening when there is a significant incident, or change in status, related to an individual |
3.9.2 Employment Termination and Reassignment
Requirement text:
- When individual employment is terminated:
- Disable system access within [Assignment: organization-defined time period] (03.09.02.a.01),
- Terminate or revoke authenticators and credentials associated with the individual, and
- Retrieve security-related system property.
- When individuals are reassigned or transferred to other positions in the organization:
- Review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility, and
- Modify access authorization to correspond with any changes in operational need.
Related Controls: PS-04, PS-05
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.09.02.a.01 | organization-defined time period | four (4) hours |
Physical Protection
3.10.1 Facility Access Control
Requirement text:
- Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides.
- Issue authorization credentials for facility access.
- Review the facility access list [Assignment: organization-defined frequency] (03.10.01.c).
- Remove individuals from the facility access list when access is no longer required.
Related Controls: PE-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.10.01.c | organization-defined frequency | at least every 12 months, or when there are significant incidents or significant changes to risks |
3.10.2 Physical Access Monitoring and Review
Requirement text:
- Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.
- Review physical access logs [Assignment: organization-defined frequency] (03.10.02.b.01) and upon occurrence of [Assignment: organization-defined events or potential indications of events] (03.10.02.b.02).
Related Controls: PE-06
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.10.02.b.01 | organization-defined frequency | at least every 45 days |
| 03.10.02.b.02 | organization-defined events or potential indications of events | significant, novel incidents, or significant changes to risks |
3.10.6 Alternate Work Sites
Requirement text:
- Determine alternate work sites allowed for use by employees.
- Employ the following security requirements at alternate work sites: [Assignment: organization-defined security requirements] (03.10.06.b).
Related Controls: PE-17
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.10.06.b | organization-defined security requirements | adequate security, comparable to organizational security requirements at the primary work site where practical, documented in policy, and covered by training |
Risk Assessment
3.11.1 Risk Assessment
Requirement text:
- Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI.
- Update risk assessments [Assignment: organization-defined frequency] (03.11.01.b).
Related Controls: RA-03, RA-03(01), SR-06
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.11.01.b | organization-defined frequency | at least every 12 months, or when there are significant incidents or significant changes to risks |
3.11.2 System Vulnerability Management
Requirement text:
- Monitor and scan the system for vulnerabilities [Assignment: organization-defined frequency] (03.11.02.a) and when new vulnerabilities affecting the system are identified.
- Remediate system vulnerabilities within [Assignment: organization-defined response times] (03.11.02.b).
- Update system vulnerabilities to be scanned [Assignment: organization-defined frequency] (03.11.02.c) and when new vulnerabilities are identified and reported.
Related Controls: RA-05, RA-05(02)
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.11.02.a | organization-defined frequency | at least monthly, or when there are significant incidents or significant changes to risks |
| 03.11.02.b | organization-defined response times | thirty (30) days from date of discovery for high-risk vulnerabilities (including both critical and high); 90 days from date of discovery for moderate-risk vulnerabilities; and 180 days from date of discovery for low-risk vulnerabilities |
| 03.11.02.c | organization-defined frequency | no more than 24 hours prior to running the scans |
Security Assessment and Monitoring
3.12.1 Security Requirements Assessment
Requirement text: Assess the security requirements for the system and its environment of operation [Assignment: organization-defined frequency] (03.12.01) to determine if the requirements have been satisfied.
Related Controls: CA-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.12.01 | organization-defined frequency | at least every 12 months, or when there are significant incidents or significant changes to risks |
3.12.5 Exchange of Controlled Unclassified Information (CUI)
Requirement text:
- Approve and manage the exchange of CUI between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; non-disclosure agreements; other types of agreements] (03.12.05.a).
- Document interface characteristics, security requirements, and responsibilities for each system as part of the exchange agreements.
- Review and update the exchange agreements [Assignment: organization-defined frequency] (03.12.05.c).
Related Controls: CA-03
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.12.05.a | selection (one or more): types of agreements | requirements as described in the contract |
| 03.12.05.c | organization-defined frequency | at least every 12 months |
System and Communications Protection
3.13.9 Termination of Network Connections
Requirement text: Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] (03.13.09) of inactivity.
Related Controls: SC-10
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.13.09 | organization-defined time period | no longer than 15 minutes |
3.13.10 Cryptographic Key Management
Requirement text: Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction] (03.13.10).
Related Controls: SC-12
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.13.10 | organization-defined requirements for key generation, distribution, storage, access, and destruction | Guidance: At a minimum, establish a policy and procedure in line with the latest Cryptographic key management guidance |
3.13.11 Cryptography for Confidentiality of CUI
Requirement text: Implement the following types of cryptography to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography] (03.13.11).
Related Controls: SC-13
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.13.11 | organization-defined types of cryptography | FIPS Validated Cryptography (https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Validated-Modules) |
3.13.12 Remote Activation of Collaborative Computing Devices
Requirement text:
- Prohibit the remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed] (03.13.12.a).
- Provide an explicit indication of use to users physically present at the devices.
Related Controls: SC-15
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.13.12.a | organization-defined exceptions where remote activation is to be allowed | only as enumerated and justified in the System Security Plan before such remote activation occurs, and only when there are no other options, and the remote activation is operationally critical |
System and Information Integrity
3.14.1 System Flaw Remediation
Requirement text:
- Identify, report, and correct system flaws.
- Install security-relevant software and firmware updates within [Assignment: organization-defined time period] (03.14.01.b) of the release of the updates.
Related Controls: SI-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.14.01.b | organization-defined time period | thirty (30) days for high-risk flaws (including both critical and high), 90 days for moderate-risk flaws, and 180 days for low-risk flaws |
3.14.2 Malicious Code Protection
Requirement text:
- Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures.
- Configure malicious code protection mechanisms to:
- Perform scans of the system [Assignment: organization-defined frequency] (03.14.02.c.01) and real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed; and
- Block malicious code, quarantine malicious code, or take other mitigation actions in response to malicious code detection.
Related Controls: SI-03
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.14.02.c.01 | organization-defined frequency | at least weekly |
Planning
3.15.1 Policy and Procedure Development
Requirement text:
- Develop, document, and disseminate to organizational personnel or roles the policies and procedures needed to satisfy the security requirements for the protection of CUI.
- Review and update policies and procedures [Assignment: organization-defined frequency] (03.15.01.b).
Related Controls: AC-01, AT-01, AU-01, CA-01, CM-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SC-01, SI-01, SR-01
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.15.01.b | organization-defined frequency | at least every 12 months, or when there are significant incidents or significant changes to risks |
3.15.2 System Security Plan
Requirement text:
- Develop a system security plan that:
- Defines the constituent system components;
- Identifies the information types processed, stored, and transmitted by the system;
- Describes specific threats to the system that are of concern to the organization;
- Describes the operational environment for the system and any dependencies on or connections to other systems or system components;
- Provides an overview of the security requirements for the system;
- Describes the safeguards in place or planned for meeting the security requirements;
- Identifies individuals that fulfill system roles and responsibilities; and
- Includes other relevant information necessary for the protection of CUI.
- Review and update the system security plan [Assignment: organization-defined frequency] (03.15.02.b).
- Protect the system security plan from unauthorized disclosure.
Related Controls: PL-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.15.02.b | organization-defined frequency | at least every 12 months, or when there are significant incidents or significant changes to risks |
3.15.3 Rules of Behavior
Requirement text:
- Establish rules that describe the responsibilities and expected behavior for system usage and protecting CUI.
- Provide rules to individuals who require access to the system.
- Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system.
- Review and update the rules of behavior [Assignment: organization-defined frequency] (03.15.03.d).
Related Controls: PL-04
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.15.03.d | organization-defined frequency | at least every 12 months, or when there are significant incidents or significant changes to risks |
System and Services Acquisition
3.16.1 Systems Security Engineering Principles
Requirement text: Apply the following systems security engineering principles to the development or modification of the system and system components: [Assignment: organization-defined systems security engineering principles] (03.16.01).
Related Controls: SA-08
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.16.01 | organization-defined systems security engineering principles | Guidance: At a minimum, documentation that provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation should be based on the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement. |
3.16.3 External System Services
Requirement text:
- Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: [Assignment: organization-defined security requirements] (03.16.03.a).
- Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers.
- Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis.
Related Controls: SA-09
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.16.03.a | organization-defined security requirements | 1. For cloud service providers: (i) FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or (ii) meets security requirements established by the government equivalent to the FedRAMP Moderate (or higher) baseline. 2. All other external service providers[1] must meet NIST SP 800-171 R2. |
Supply Chain Risk Management
3.17.1 Supply Chain Risk Management Plan
Requirement text:
- Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services.
- Review and update the supply chain risk management plan [Assignment: organization-defined frequency] (03.17.01.b).
- Protect the supply chain risk management plan from unauthorized disclosure.
Related Controls: SR-02
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.17.01.b | organization-defined frequency | at least every 12 months, or when there are significant incidents or significant changes to risks |
3.17.3 Supply Chain Security Requirements
Requirement text:
- Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.
- Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined security requirements] (03.17.03.b).
Related Controls: SR-03
| ODP Identifier | ODP Assignment Text | ODP Value |
|---|---|---|
| 03.17.03.b | organization-defined security requirements | at a minimum, integrate Supply Chain Risk Management (SCRM) into acquisition/procurement policies, provide adequate SCRM resources, define the SCRM control baseline, establish processes to ensure suppliers disclose significant vulnerabilities and significant incidents |
Notes
- ↑ External Service Providers (ESP): External people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization.