Level 2 Assessment Guide: Difference between revisions

Control the flow of CUI in accordance with approved authorizations.

[a] information flow control policies are defined;

[b] methods and enforcement mechanisms for controlling the flow of CUI are defined;

[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;

[d] authorizations for controlling the flow of CUI are defined; and

[e] approved authorizations for controlling the flow of CUI are enforced.

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

[a] the duties of individuals requiring separation are defined;

[b] responsibilities for duties that require separation are assigned to separate individuals; and

[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.

Employ the principle of least privilege, including for specific security functions and privileged accounts.

[a] privileged accounts are identified;

[b] access to privileged accounts is authorized in accordance with the principle of least privilege;

[c] security functions are identified; and

[d] access to security functions is authorized in accordance with the principle of least privilege.

Use non-privileged accounts or roles when accessing nonsecurity functions.

[a] nonsecurity functions are identified; and

[b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.

Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

[a] privileged functions are defined;

[b] non-privileged users are defined;

[c] non-privileged users are prevented from executing privileged functions; and

[d] the execution of privileged functions is captured in audit logs.

Limit unsuccessful logon attempts.

[a] the means of limiting unsuccessful logon attempts is defined; and

[b] the defined means of limiting unsuccessful logon attempts is implemented.

Provide privacy and security notices consistent with applicable CUI rules.

[a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and

[b] privacy and security notices are displayed.

Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

[a] the period of inactivity after which the system initiates a session lock is defined;

[b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and

[c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.

Terminate (automatically) a user session after a defined condition.

[a] conditions requiring a user session to terminate are defined; and

[b] a user session is automatically terminated after any of the defined conditions

Monitor and control remote access sessions.

[a] remote access sessions are permitted;

[b] the types of permitted remote access are identified;

[c] remote access sessions are controlled; and

[d] remote access sessions are monitored.

Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and

[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.

Route remote access via managed access control points.

[a] managed access control points are identified and implemented; and

[b] remote access is routed through managed network access control points.

Authorize remote execution of privileged commands and remote access to security-relevant information.

[a] privileged commands authorized for remote execution are identified;

[b] security-relevant information authorized to be accessed remotely is identified;

[c] the execution of the identified privileged commands via remote access is authorized; and

[d] access to the identified security-relevant information via remote access is authorized.

Authorize wireless access prior to allowing such connections.

[a] wireless access points are identified; and

[b] wireless access is authorized prior to allowing such connections.

Protect wireless access using authentication and encryption.

[a] wireless access to the system is protected using authentication; and

[b] wireless access to the system is protected using encryption.

Control connection of mobile devices.

[a] mobile devices that process, store, or transmit CUI are identified;

[b] mobile device connections are authorized; and

[c] mobile device connections are monitored and logged.

Encrypt CUI on mobile devices and mobile computing platforms.

[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and

[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.

Limit use of portable storage devices on external systems.

[a] the use of portable storage devices containing CUI on external systems is identified and documented;

[b] limits on the use of portable storage devices containing CUI on external systems are defined; and

[c] the use of portable storage devices containing CUI on external systems is limited as defined.

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

[a] security risks associated with organizational activities involving CUI are identified;

[b] policies, standards, and procedures related to the security of the system are identified;

[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and

[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.|-

[a] information security-related duties, roles, and responsibilities are defined;

[b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and

[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

[a] potential indicators associated with insider threats are identified; and

[b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.

Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;

[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;

[c] audit records are created (generated);

[d] audit records, once created, contain the defined content;

[e] retention requirements for audit records are defined; and

[f] audit records are retained as defined.

Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

[a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and

[b] audit records, once created, contain the defined content.

Review and update logged events.

[a] a process for determining when to review logged events is defined;

[b] event types being logged are reviewed in accordance with the defined review process; and

[c] event types being logged are updated based on the review.

Alert in the event of an audit logging process failure.

[a] personnel or roles to be alerted in the event of an audit logging process failure are identified;

[b] types of audit logging process failures for which alert will be generated are defined; and

[c] identified personnel or roles are alerted in the event of an audit logging process failure.

Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and

[b] defined audit record review, analysis, and reporting processes are correlated.

Provide audit record reduction and report generation to support on-demand analysis and reporting.

[a] an audit record reduction capability that supports on-demand analysis is provided; and

[b] a report generation capability that supports on-demand reporting is provided.

Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

[a] internal system clocks are used to generate time stamps for audit records;

[b] an authoritative source with which to compare and synchronize internal system clocks is specified; and

[c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.

Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

[a] audit information is protected from unauthorized access;

[b] audit information is protected from unauthorized modification;

[c] audit information is protected from unauthorized deletion;

[d] audit logging tools are protected from unauthorized access;

[e] audit logging tools are protected from unauthorized modification; and

[f] audit logging tools are protected from unauthorized deletion.

Limit management of audit logging functionality to a subset of privileged users.

[a] a subset of privileged users granted access to manage audit logging functionality is defined; and

[b] management of audit logging functionality is limited to the defined subset of privileged users.

Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

[a] a baseline configuration is established;

[b] the baseline configuration includes hardware, software, firmware, and documentation;

[c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;

[d] a system inventory is established;

[e] the system inventory includes hardware, software, firmware, and documentation; and

[f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.

Establish and enforce security configuration settings for information technology products employed in organizational systems.

[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and

[b] security configuration settings for information technology products employed in the system are enforced.

Track, review, approve or disapprove, and log changes to organizational systems.

[a] changes to the system are tracked;

[b] changes to the system are reviewed;

[c] changes to the system are approved or disapproved; and

[d] changes to the system are logged.

Analyze the security impact of changes prior to implementation.

[a] the security impact of changes to the system is analyzed prior to implementation.

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

[a] physical access restrictions associated with changes to the system are defined;

[b] physical access restrictions associated with changes to the system are documented;

[c] physical access restrictions associated with changes to the system are approved;

[d] physical access restrictions associated with changes to the system are enforced;

[e] logical access restrictions associated with changes to the system are defined;

[f] logical access restrictions associated with changes to the system are documented;

[g] logical access restrictions associated with changes to the system are approved; and

[h] logical access restrictions associated with changes to the system are enforced.

Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

[a] essential system capabilities are defined based on the principle of least functionality; and

[b] the system is configured to provide only the defined essential capabilities.

Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

[a] essential programs are defined;

[b] the use of nonessential programs is defined;

[c] the use of nonessential programs is restricted, disabled, or prevented as defined;

[d] essential functions are defined;

[e] the use of nonessential functions is defined;

[f] the use of nonessential functions is restricted, disabled, or prevented as defined;

[g] essential ports are defined;

[h] the use of nonessential ports is defined;

[i] the use of nonessential ports is restricted, disabled, or prevented as defined;

[j] essential protocols are defined;

[k] the use of nonessential protocols is defined;

[l] the use of nonessential protocols is restricted, disabled, or prevented as defined;

[m] essential services are defined;

[n] the use of nonessential services is defined; and

[o] the use of nonessential services is restricted, disabled, or prevented as defined.

Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;

[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and

[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.

Control and monitor user-installed software.

[a] a policy for controlling the installation of software by users is established;

[b] installation of software by users is controlled based on the established policy; and

[c] installation of software by users is monitored.

Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

[a] privileged accounts are identified;

[b] multifactor authentication is implemented for local access to privileged accounts;

[c] multifactor authentication is implemented for network access to privileged accounts; and

[d] multifactor authentication is implemented for network access to non-privileged accounts.

Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

[a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.