[Insert Company name/Logo]

System Security Plan (SSP) Categorization: Moderate-Low-Low (M-L-L)

System Name: Click here to enter text.
Unique ID: Click here to enter text.
Company Name: Click here to enter text.
Company Address: Click here to enter text.
CAGE Code: Click here to enter text.
Report Prepared By: Click here to enter text.
Date: Click here to enter text.
System Environment: Click here to enter text.

[Insert Document Classification]

System/Document Change Record

SSP Revision Number | Description of Change | Changed Pages | Date | Entered By
V1 | Initial Document | | 1/25/16 | JEM
V2 | M-L-L with Overlay Changes | | 7/28/16 | DSS HQ
V3 | Streamlined the SSP to align documentation with the NIST | | 5/9/17 | DSS HQ
V4 | Updated the SSP to align with DAAPM Version 1.2 | | 11/17/17 | DSS HQ

Table of Contents

1 Background ..... 1
2 Applicability ..... 1
3 References ..... 1
4 Reciprocity ..... 1
5 System Identification ..... 2
5.1 System Overview ..... 2
5.2 Security Categorization ..... 2
5.2.1 Summary Results and Rationale ..... 2
5.2.2 Categorization Detailed Results ..... 2
5.2.2.1 Information Impact Categorization (Reference: CNSSI 1253 Section 3.1) ..... 2
5.2.2.2 System Security Impact Categorization (Reference: CNSSI 1253 Section 3.1) ..... 3
5.2.2.3 Risk Adjusted System Impact Categorization (Reference: CNSSI 1253 Section 3.1) ..... 3
5.2.3 Control Selection ..... 3
6 Key Roles and Responsibilities ..... 3
6.1 Risk Management ..... 3
6.2 IA Support Personnel ..... 4
7 System Environment ..... 4
7.1 Physical Environment ..... 4
7.2 Facility/System LAYOUT (Blueprint Diagram) ..... 5
7.3 Personnel Authorizations ..... 5
7.4 System Classification Level(s) & Compartment(s) ..... 5
7.5 Unique Data Handling Requirements ..... 5
7.6 Information Access Policies ..... 5
8 General System Description/Purpose ..... 5
8.1 Program/Contract Information ..... 5
8.2 System Description ..... 5
8.3 System Architecture ..... 5
8.4 Functional Architecture ..... 5
8.5 User Roles and Access Privileges ..... 6
9 Interconnections ..... 6
9.1 Direct Network Connections ..... 6
9.2 Memoranda of Understanding (MOU), Memoranda of Agreement (MOA), Co-Utilization Agreements (CUA) and Interconnection Security Agreements (ISA) ..... 6
10 Security Assessment Plan ..... 7
11 Baseline Security Controls Moderate – Low – Low (M-L-L) ..... 8
11.1 Access Control (AC) ..... 8
11.1.1 AC-1 – Access Control Policy and Procedures ..... 8
11.1.2 AC-2 – Account Management ..... 8
11.1.2.1 AC-2(1) – Account Management: Automated System Account Management ..... 8
11.1.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts ..... 9
11.1.2.3 AC-2(3) – Account Management: Disable Inactive Accounts ..... 9
11.1.2.4 AC-2(4) – Account Management: Automated Audit Actions ..... 10
11.1.2.5 AC-2(5) – Account Management: Inactivity Logout ..... 10
11.1.2.6 AC-2(7) – Account Management: Role Based Schemes ..... 10
11.1.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts ..... 11
11.1.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination ..... 11
11.1.2.9 AC-2(12) – Account Management: Active Monitoring/Atypical Usage ..... 12
11.1.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals ..... 12
11.1.3 AC-3 – Access Enforcement ..... 12
11.1.3.1 AC-3(2) – Access Enforcement: Dual Authorization ..... 13
11.1.3.2 AC-3(4) – Access Enforcement: Discretionary Access Control ..... 13
11.1.4 AC-4 – Information Flow Enforcement ..... 13
11.1.5 AC-5 – Separation of Duties ..... 14
11.1.6 AC-6 – Least Privilege ..... 14
11.1.6.1 AC-6(1) – Least Privilege: Authorize Access to Security Functions ..... 15
11.1.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions ..... 15
11.1.6.3 AC-6(5) – Least Privilege: Privileged Accounts ..... 15
11.1.6.4 AC-6(7) – Least Privilege: Review of User Privileges ..... 16
11.1.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution ..... 16
11.1.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions ..... 16

11.1.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions ..... 17
11.1.7 AC-7 – Unsuccessful Login Attempts ..... 17
11.1.8 AC-8 – System Use Notification ..... 18
11.1.9 AC-10 – Concurrent Session Control ..... 18
11.1.10 AC-11 – Session Lock ..... 18
11.1.10.1 AC-11(1) – Session Lock: Pattern Hiding Displays ..... 19
11.1.11 AC-12 – Session Termination ..... 19
11.1.11.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays ..... 20
11.1.12 AC-14 – Permitted Actions without Identification or Authentication ..... 20
11.1.13 AC-16 – Security Attributes ..... 20
11.1.13.1 AC-16(5) – Security Attributes: Attribute Displays for Output Devices ..... 21
11.1.13.2 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization ..... 21
11.1.13.3 AC-16(7) – Security Attributes: Consistent Attribute Interpretation ..... 21
11.1.14 AC-17 – Remote Access ..... 22
11.1.14.1 AC-17(1) – Remote Access: Automated Monitoring/Control ..... 22
11.1.14.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption ..... 23
11.1.14.3 AC-17(3) – Remote Access: Managed Access Control Points ..... 23
11.1.14.4 AC-17(4) – Remote Access: Privileged Commands/Access ..... 23
11.1.14.5 AC-17(6) – Remote Access: Protection of Information ..... 24
11.1.14.6 AC-17(9) – Remote Access: Disconnect/Disable Access ..... 24
11.1.15 AC-18 – Wireless Access ..... 24
11.1.15.1 AC-18(1) – Wireless Access: Authentication & Encryption ..... 25
11.1.15.2 AC-18(3) – Wireless Access: Disable Wireless Networking ..... 25
11.1.15.3 AC-18(4) – Wireless Access: Restrict Configurations by Users ..... 26
11.1.16 AC-19 – Access Control for Mobile Devices ..... 26
11.1.16.1 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption ..... 26
11.1.17 AC-20 – Use of External Information Systems ..... 27
11.1.17.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use ..... 27
11.1.17.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices ..... 27
11.1.17.3 AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-Devices ..... 28
11.1.17.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices ..... 28
11.1.18 AC-21 – Information Sharing ..... 29
11.1.19 AC-23 – Data Mining Protection ..... 29
11.2 Awareness and Training (AT) ..... 30
11.2.1 AT-1 – Security Awareness & Training Policy and Procedures ..... 30
11.2.2 AT-2 – Security Awareness Training ..... 30
11.2.2.1 AT-2(2) – Security Awareness: Insider Threat ..... 30
11.2.3 AT-3 – Role-Based Security Training ..... 31
11.2.3.1 AT-3(2) – Security Training: Physical Security Controls ..... 31
11.2.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior ..... 31
11.2.4 AT-4 – Security Training Records ..... 32
11.3 Audit and Accountability (AU) ..... 33
11.3.1 AU-1 – Audit and Accountability Policy and Procedures ..... 33
11.3.2 AU-2 – Audit Events ..... 33
11.3.2.1 AU-2(3) – Audit Events: Reviews and Updates ..... 33
11.3.3 AU-3 – Content of Audit Records ..... 34
11.3.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information ..... 34
11.3.4 AU-4 – Audit Storage Capacity ..... 34
11.3.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage ..... 35
11.3.5 AU-5 – Response to Audit Processing Failures ..... 35
11.3.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity ..... 36
11.3.6 AU-6 – Audit Review, Analysis and Reporting ..... 36
11.3.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration ..... 36
11.3.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories ..... 37
11.3.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis ..... 37
11.3.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities ..... 38
11.3.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands ..... 38
11.3.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources ..... 38
11.3.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment ..... 39
11.3.7 AU-7 – Audit Reduction and Report Generation ..... 39
11.3.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing ..... 39
11.3.8 AU-8 – Time Stamps ..... 40
11.3.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source ..... 40
11.3.9 AU-9 – Protection of Audit Information ..... 41
11.3.9.1 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users ..... 41
11.3.10 AU-11 – Audit Record Retention ..... 41
11.3.10.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability ..... 42

11.3.11 AU-12 – Audit Generation ..... 42
11.3.11.1 AU-12(1) – Audit Generation: System-Wide/Time Correlated Audit Trail ..... 42
11.3.11.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals ..... 43
11.3.12 AU-16 – Cross-Organizational Auditing ..... 43
11.3.12.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation ..... 44
11.3.12.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information ..... 44
11.4 Security Assessment and Authorization (CA) ..... 45
11.4.1 CA-1 – Security Assessment and Authorization Policies & Procedures ..... 45
11.4.2 CA-2 – Security Assessments ..... 45
11.4.2.1 CA-2(1) – Security Assessments: Independent Assessors ..... 45
11.4.3 CA-3 – System Interconnections ..... 46
11.4.3.1 CA-3(2) – System Interconnections: Classified National Security System Connections ..... 46
11.4.3.2 CA-3(5) – System Interconnections: Restrictions on External Network Connections ..... 46
11.4.4 CA-5 – Plan of Action & Milestones ..... 47
11.4.5 CA-6 – Security Authorization ..... 47
11.4.6 CA-7 – Continuous Monitoring ..... 48
11.4.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment ..... 48
11.4.7 CA-9 – Internal System Connections ..... 48
11.5 Configuration Management (CM) ..... 50
11.5.1 CM-1 – Configuration Management Policy and Procedures ..... 50
11.5.2 CM-2 – Baseline Configuration ..... 50
11.5.2.1 CM-2(1) – Baseline Configuration: Reviews & Updates ..... 50
11.5.2.2 CM-2(2) – Baseline Configuration: Automation Support for Accuracy/Currency ..... 51
11.5.3 CM-3 – Configuration Change Control ..... 51
11.5.3.1 CM-3(4) – Configuration Change Control: Security Representative ..... 51
11.5.3.2 CM-3(6) – Configuration Change Control: Cryptography Management ..... 52
11.5.4 CM-4 – Security Impact Analysis ..... 52
11.5.5 CM-5 – Access Restrictions for Change ..... 53
11.5.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges ..... 53
11.5.5.2 CM-5(6) – Access Restrictions for Change: Limit Library Privileges ..... 53
11.5.6 CM-6 – Configuration Settings ..... 54
11.5.7 CM-7 – Least Functionality ..... 54
11.5.7.1 CM-7(1) – Least Functionality: Periodic Review ..... 55
11.5.7.2 CM-7(2) – Least Functionality: Prevent Program Execution ..... 55
11.5.7.3 CM-7(3) – Least Functionality: Registration Compliance ..... 55
11.5.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting ..... 56
11.5.8 CM-8 – Information System Component Inventory ..... 56
11.5.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance ..... 56
11.5.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection ..... 57
11.5.9 CM-9 – Configuration Management Plan ..... 57
11.5.10 CM-10 – Software Usage Restrictions ..... 58
11.5.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software ..... 58
11.5.11 CM-11 – User Installed Software ..... 58
11.5.11.1 CM-11(2) – User Installed Software: Prohibit Installation Without Privileged Status ..... 59
11.6 Contingency Planning (CP) ..... 60
11.6.1 CP-1 – Contingency Planning Policy and Procedures ..... 60
11.6.2 CP-2 – Contingency Plan ..... 60
11.6.3 CP-3 – Contingency Training ..... 60
11.6.4 CP-4 – Contingency Plan Testing ..... 61
11.6.5 CP-7 – Alternate Processing Site ..... 61
11.6.6 CP-9 – Information System Backup ..... 61
11.6.7 CP-10 – Information System Recovery and Reconstitution ..... 62
11.7 Identification and Authentication (IA) ..... 63
11.7.1 IA-1 – Identification and Authentication Policy and Procedures ..... 63
11.7.2 IA-2 – Identification and Authentication (Organizational Users) ..... 63
11.7.2.1 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts ..... 63
11.7.2.2 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts ..... 64
11.7.2.3 IA-2(5) – Identification and Authentication: Group Authentication ..... 64
11.7.2.4 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant ..... 64
11.7.2.5 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay Resistant ..... 65
11.7.2.6 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device ..... 65
11.7.3 IA-3 – Device Identification and Authentication ..... 66
11.7.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bidirectional Authentication ..... 66
11.7.3.2 IA-4 – Identifier Management ..... 66
11.7.3.3 IA-4(4) – Identifier Management: Identify User Status ..... 67
11.7.4 IA-5 – Authenticator Management ..... 67
11.7.4.1 IA-5(1) – Authenticator Management: Password-Based Authentication ..... 68
11.7.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication ..... 68
11.7.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination ..... 68
11.7.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators ..... 69
11.7.4.5 IA-5(8) – Authenticator Management: Multiple Information System Accounts ..... 69
11.7.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication ..... 69
11.7.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators ..... 70
11.7.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores ..... 70
11.7.5 IA-6 – Authenticator Feedback ..... 71
11.7.6 IA-7 – Cryptographic Module Authentication ..... 71
11.7.7 IA-8 – Identification and Authentication (Non-Organizational Users) ..... 71
11.7.7.1 IA-8(1) – Identification and Authentication: Acceptance of PIV Credentials from Other Agencies ..... 72
11.7.7.2 IA-8(2) – Identification and Authentication: Acceptance of Third-Party Credentials ..... 72
11.7.7.3 IA-8(3) – Identification and Authentication: Use of FICAM Approved Products ..... 72
11.7.7.4 IA-8(4) – Identification and Authentication: Use of FICAM-Issued Profiles ..... 73
11.8 Incident Response (IR) ..... 74
11.8.1 IR-1 – Incident Response Policy and Procedures ..... 74
11.8.2 IR-2 – Incident Response Training ..... 74
11.8.3 IR-3 – Incident Response Testing ..... 74
11.8.3.1 IR-3(2) – Incident Response Testing: Coordination with Related Plans ..... 75
11.8.4 IR-4 – Incident Handling ..... 75
11.8.4.1 IR-4(1) – Incident Handling: Automated Incident Handling Processes ..... 75
11.8.4.2 IR-4(3) – Incident Handling: Continuity of Operations ..... 76
11.8.4.3 IR-4(4) – Incident Handling: Information Correlation ..... 76
11.8.4.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities ..... 77
11.8.4.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination ..... 77
11.8.4.6 IR-4(8) – Incident Handling: Correlation with External Organization ..... 77
11.8.5 IR-5 – Incident Monitoring ..... 78
11.8.6 IR-6 – Incident Reporting ..... 78
11.8.6.1 IR-6(1) – Incident Reporting: Automated Reporting ..... 79
11.8.6.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents ..... 79
11.8.7 IR-7 – Incident Response Assistance ..... 79
11.8.7.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information Support ..... 80
11.8.7.2 IR-7(2) – Incident Response Assistance: Coordination with External Providers ..... 80
11.8.8 IR-8 – Incident Response Plan ..... 80
11.8.9 IR-9 – Information Spillage Response ..... 81
11.8.9.1 IR-9(1) – Information Spillage Response: Responsible Personnel ..... 81
11.8.9.2 IR-9(2) – Information Spillage Response: Training ..... 82
11.8.9.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel ..... 82
11.8.10 IR-10 – Integrated Information Security Analysis Team ..... 82
11.9 Maintenance (MA) ..... 84
11.9.1 MA-1 – System Maintenance Policy and Procedures ..... 84
11.9.2 MA-2 – Controlled Maintenance ..... 84
11.9.3 MA-3 – Maintenance Tools ..... 84
11.9.3.1 MA-3(2) – Maintenance Tools: Inspect Media ..... 85
11.9.3.2 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal ..... 85
11.9.4 MA-4 – Non-Local Maintenance ..... 85
11.9.4.1 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization ..... 86
11.9.4.2 MA-4(6) – Non-Local Maintenance: Cryptographic Protection ..... 86
11.9.4.3 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification ..... 87
11.9.5 MA-5 – Maintenance Personnel ..... 87
11.9.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access ..... 87
11.10 Media Protection (MP) ..... 89
11.10.1 MP-1 – Media Protection Policy and Procedures ..... 89
11.10.2 MP-2 – Media Access ..... 89
11.10.3 MP-3 – Media Marking ..... 89
11.10.4 MP-4 – Media Storage ..... 90
11.10.5 MP-5 – Media Transport ..... 90
11.10.5.1 MP-5(3) – Media Transport: Custodians ..... 90
11.10.5.2 MP-5(4) – Media Transport: Cryptographic Protection ..... 91
11.10.6 MP-6 – Media Sanitization ..... 91
11.10.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify ..... 92
11.10.6.2 MP-6(2) – Media Sanitization: Equipment Testing ..... 92
11.10.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques ..... 92
11.10.7 MP-7 – Media Use ..... 93
11.10.7.1 MP-7(1) – Media Use: Prohibit Use without Owner ..... 93
11.10.8 MP-8 – Media Downgrading ..... 94
11.10.8.1 MP-8(1) – Media Downgrading: Documentation of Process ..... 94
11.10.8.2 MP-8(2) – Media Downgrading: Equipment Testing ..... 94
11.10.8.3 MP-8(4) – Media Downgrading: Classified Information ..... 95
11.11 Physical and Environmental Protection (PE) ..... 96
11.11.1 PE-1 – Physical and Environmental Protection Policy and Procedures ..... 96
11.11.2 PE-2 – Physical Access Authorizations ..... 96
11.11.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access ..... 96
11.11.3 PE-3 – Physical Access Control ..... 97
11.11.3.1 PE-3(1) – Physical Access Control: Information System Access ..... 97
11.11.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries ..... 97
11.11.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring ..... 98
11.11.4 PE-4 – Access Control for Transmission Medium ..... 98
11.11.5 PE-5 – Access Control for Output Devices ..... 99
11.11.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices ..... 99
11.11.6 PE-6 – Monitoring Physical Access ..... 99
11.11.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment ..... 100
11.11.7 PE-8 – Visitor Access Records ..... 100
11.11.8 PE-12 – Emergency Lighting ..... 101
11.11.9 PE-13 – Fire Protection ..... 101
11.11.10 PE-14 – Temperature and Humidity Controls ..... 101
11.11.11 PE-15 – Water Damage Protection ..... 102
11.11.12 PE-16 – Delivery and Removal ..... 102
11.11.13 PE-17 – Alternate Work Site ..... 102
11.11.14 PE-19 – Information Leakage ..... 103
11.11.14.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures ..... 103
11.12 Planning (PL) ..... 105
11.12.1 PL-1 – Security Planning Policy and Procedures ..... 105
11.12.2 PL-2 – System Security Plan ..... 105
11.12.2.1 PL-2(3) – System Security Plan: Coordinate with Other Organization Entities ..... 105
11.12.3 PL-4 – Rules of Behavior ..... 106
11.12.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions ..... 106
11.12.4 PL-8 – Information Security Architecture ..... 106
11.12.4.1 PL-8(1) – Information Security Architecture: Defense in Depth ..... 107
11.12.4.2 PL-8(2) – Information Security Architecture: Supplier Diversity ..... 107
11.13 Program Management (PM) ..... 109
11.13.1 PM-1 – Information Security Program Plan ..... 109
11.13.2 PM-3 – Information Security Resources ..... 109
11.13.3 PM-4 – Plan of Action and Milestones Process ..... 109
11.13.4 PM-5 – Information System Inventory ..... 110
11.13.5 PM-6 – Information Security Measures of Performance ..... 110
11.13.6 PM-7 – Enterprise Architecture ..... 110
11.13.7 PM-8 – Critical Infrastructure Plan ..... 111
11.13.8 PM-9 – Risk Management Strategy ..... 111
11.13.9 PM-10 – Security Authorization Process ..... 112
11.13.10 PM-11 – Mission/Business Process Definition ..... 112
11.13.11 PM-12 – Insider Threat Program ..... 112
11.13.12 PM-13 – Information Security Workforce ..... 113
11.13.13 PM-14 – Testing, Training, and Monitoring ..... 113
11.13.14 PM-15 – Contact with Security Groups and Associations ..... 114
11.13.15 PM-16 – Threat Awareness Program ..... 114
11.14 Personnel Security (PS) ..... 115
11.14.1 PS-1 – Personnel Security Policy and Procedures ..... 115
11.14.2 PS-2 – Position Risk Designation ..... 115
11.14.3 PS-3 – Personnel Screening ..... 115
11.14.3.1 PS-3(1) – Personnel Screening: Classified Information ..... 116
11.14.4 PS-4 – Personnel Termination ..... 116
11.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements ..... 116
11.14.5 PS-5 – Personnel Transfer ..... 117
11.14.6 PS-6 – Access Agreements ..... 117
11.14.6.1 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection ..... 118
11.14.6.2 PS-6(3) – Access Agreements: Post-Employment Requirements ..... 118
11.14.7 PS-7 – Third-Party Personnel Security ..... 118
11.14.8 PS-8 – Personnel Sanctions ..... 119
11.15 Risk Assessment (RA) ..... 120
11.15.1 RA-1 – Risk Assessment Policy and Procedures ..... 120
11.15.2 RA-2 – Security Categorization ..... 120
11.15.3 RA-3 – Risk Assessment ..... 120
11.15.4 RA-5 – Vulnerability Scanning ..... 121
11.15.4.1 RA-5(1) – Vulnerability Scanning: Update Tool Capability ..... 121
11.15.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified ..... 121
11.15.4.3 RA-5(4) – Vulnerability Scanning: Discoverable Information ..... 122
11.15.4.4 RA-5(5) – Vulnerability Scanning: Privileged Access ..... 122
11.15.5 RA-6 – Technical Surveillance Countermeasures Survey ..... 123
11.16 System and Services Acquisition (SA) ..... 124
11.16.1 SA-1 – System and Services Acquisition Policy and Procedures ..... 124
11.16.2 SA-2 – Allocation of Resources ..... 124
11.16.3 SA-3 – System Development Life Cycle ..... 124
11.16.4 SA-4 – Acquisition Process ..... 125
11.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls ..... 125
11.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls ..... 125
11.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products ..... 126
11.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles ..... 126
11.16.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use ..... 127
11.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products ..... 127
11.16.5 SA-5 – Information System Documentation ..... 127
11.16.6 SA-8 – Security Engineering Principles ..... 128
11.16.7 SA-9 – External Information System Services ..... 128
11.16.7.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals ..... 129
11.16.7.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services ..... 129
11.16.8 SA-10 – Developer Configuration Management ..... 129
11.16.8.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification ..... 130
11.16.9 SA-11 – Developer Security Testing and Evaluation ..... 130
11.16.10 SA-12 – Supply Chain Protection ..... 130
11.16.11 SA-15 – Development Process, Standards and Tools ..... 131
11.16.11.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data ..... 131
11.16.12 SA-19 – Component Authenticity ..... 132
11.16.13 SA-22 – Unsupported System Components ..... 132
11.17 Systems and Communications Protection (SC) ..... 133
11.17.1 SC-1 – Systems and Communications Protection Policy and Procedures ..... 133
11.17.2 SC-2 – Application Partitioning ..... 133
11.17.3 SC-3 – Security Function Isolation ..... 133
11.17.4 SC-4 – Information in Shared Resources ..... 134
11.17.4.1 SC-4(2) – Information in Shared Resources: Periods Processing ..... 134
11.17.5 SC-5 – Denial of Service Protection ..... 134
11.17.5.1 SC-5(1) – Denial of Service Protection: Restrict Internal Users ..... 135
11.17.6 SC-7 – Boundary Protection ..... 135
11.17.6.1 SC-7(3) – Boundary Protection: Access Points ..... 136
11.17.6.2 SC-7(4) – Boundary Protection: External Telecommunications Services ..... 136
11.17.6.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception ..... 136
11.17.6.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices ..... 137
11.17.6.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers ..... 137
11.17.6.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic ..... 138
11.17.6.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration ..... 138
11.17.6.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic ..... 138
11.17.6.9 SC-7(12) – Boundary Protection: Host-Based Protection ..... 139
11.17.6.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components ..... 139
11.17.6.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections ..... 139
11.17.7 SC-8 – Transmission Confidentiality and Integrity ..... 140
11.17.7.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection ..... 140
11.17.7.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling ..... 141
11.17.7.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals ..... 141
11.17.7.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications ..... 141
11.17.8 SC-10 – Network Disconnect ..... 142
11.17.9 SC-12 – Cryptographic Key Establishment and Management ..... 142
11.17.9.1 SC-12(2) – Cryptographic Key Establishment and Management: Symmetric Keys ..... 142
11.17.9.2 SC-12(3) – Cryptographic Key Establishment and Management: Asymmetric Keys ..... 143
11.17.10 SC-13 – Cryptographic Protection ..... 143


11.17.11 SC-15 – Collaborative Computing Devices ..... 144
11.17.11.1 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas ..... 144
11.17.12 SC-17 – Public Key Infrastructure Certificates ..... 144
11.17.13 SC-18 – Mobile Code ..... 145
11.17.13.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions ..... 145
11.17.13.2 SC-18(2) – Mobile Code: Acquisition/Development/Use ..... 146
11.17.13.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution ..... 146
11.17.13.4 SC-18(4) – Mobile Code: Prevent Automatic Execution ..... 146
11.17.14 SC-19 – Voice over Internet Protocol (VoIP) ..... 147
11.17.15 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) ..... 147
11.17.16 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) ..... 147
11.17.17 SC-22 – Architecture and Provisioning for Name/Address Resolution Service ..... 148
11.17.18 SC-23 – Session Authenticity ..... 148
11.17.18.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout ..... 149
11.17.18.2 SC-23(3) – Session Authenticity: Unique Session Identifiers with Randomization ..... 149
11.17.18.3 SC-23(5) – Session Authenticity: Allowed Certificate Authorities ..... 149
11.17.19 SC-28 – Protection of Information at Rest ..... 150
11.17.19.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection ..... 150
11.17.20 SC-38 – Operations Security ..... 150
11.17.21 SC-39 – Process Isolation ..... 151
11.17.22 SC-42 – Sensor Capability and Data ..... 151
11.17.22.1 SC-42(3) – Sensor Capability and Data: Prohibit Use of Services ..... 152
11.18 System and Information Integrity (SI) ..... 153
11.18.1 SI-1 – System and Information Integrity Policy and Procedures ..... 153
11.18.2 SI-2 – Flaw Remediation ..... 153
11.18.2.1 SI-2(1) – Flaw Remediation: Central Management ..... 153
11.18.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status ..... 154
11.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions ..... 154
11.18.2.4 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware ..... 154
11.18.3 SI-3 – Malicious Code Protection ..... 155
11.18.3.1 SI-3(1) – Malicious Code Protection: Central Management ..... 155
11.18.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates ..... 156
11.18.3.3 SI-3(10) – Malicious Code Protection: Malicious Code Analysis ..... 156
11.18.4 SI-4 – Information System Monitoring ..... 156
11.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System ..... 157
11.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis ..... 157
11.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic ..... 158
11.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts ..... 158
11.18.4.5 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications ..... 158
11.18.4.6 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies ..... 159
11.18.4.7 SI-4(12) – Information System Monitoring: Automated Alerts ..... 159
11.18.4.8 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection ..... 159
11.18.4.9 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications ..... 160
11.18.4.10 SI-4(16) – Information System Monitoring: Correlate Monitoring Information ..... 160
11.18.4.11 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk ..... 161
11.18.4.12 SI-4(20) – Information System Monitoring: Privileged User ..... 161
11.18.4.13 SI-4(21) – Information System Monitoring: Probationary Periods ..... 161
11.18.4.14 SI-4(22) – Information System Monitoring: Unauthorized Network Services ..... 162
11.18.4.15 SI-4(23) – Information System Monitoring: Host-Based Devices ..... 162
11.18.5 SI-5 – Security Alerts, Advisories, and Directives ..... 162
11.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code ..... 163
11.18.6 SI-10 – Information Input Validation ..... 163
11.18.7 SI-11 – Error Handling ..... 164
11.18.8 SI-12 – Information Handling and Retention ..... 164


1 BACKGROUND

All systems requiring authorization or re-authorization will follow the Risk Management Framework (RMF) methodology. This methodology includes documenting in the System Security Plan (SSP) how the Defense Security Service (DSS) baseline security controls are being implemented, as well as justifying any tailored security controls.

2 APPLICABILITY

This template is based on the DSS Assessment and Authorization Process Manual (DAAPM). It is applicable to all Information Systems (IS) that store, process, and/or transmit classified information.

3 REFERENCES

This document is based on the following references:

NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 4, Apr 2013
CNSSI 1253, Security Categorization and Control Selection for National Security Systems, March 2014
CNSSI 4009, National Information Assurance (IA) Glossary, April 2015
DAAPM, Version 1.2, November 2017

4 RECIPROCITY

Reciprocity is defined as a “Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information.” — [CNSSI 4009]

This agreement, however, does not imply blind acceptance. The body of evidence used for assessments of the subject system will be provided to the other participants who have a vested interest in establishing a mutual agreement. The receiving party will review the assessment evidence (e.g., SSP, test plans, test procedures, test reports, exceptions) to determine if there are any deltas in the evidence (e.g., baseline/overlay controls that were tailored, a test item that was omitted) and identify items that may require negotiations. Only security controls or test items that were initially omitted are subject to evaluation/testing to assure the system meets all requirements for a successful reciprocal agreement.


Version 1.2 11/17/2017


5 SYSTEM IDENTIFICATION

5.1 SYSTEM OVERVIEW

System Name: Click here to enter text.
DSS UID: Click here to enter text.

Type of Information System (Check One):
Single-User Standalone (SUSA)
Multi-User Standalone (MUSA)
Closed Restricted Network (Local Area Network (LAN))
Wide Area Network (WAN)
Interconnected System – Contractor-to-Contractor (C2C)
Interconnected System – Contractor-to-Government (C2G)
Other:

Type of Plan: SSP Master SSP (MSSP) (Type Authorization)

The system is in the life-cycle phase noted in the table below.

System Status (Check One):
Operational: The system is operating and in production.
Under Development: The system is being designed, developed, or implemented.
Major Modification: The system is undergoing a major change, development, or transition.
Other: Explain: Click here to enter text.

Periods Processing: Yes No
Assured File Transfer: Yes No
If Yes, Select: DSS Alternative Procedures

Mobility: Yes No

If Yes, the IS will be moved:
Temporarily for less than 8 days only to contractor facilities under DSS cognizance
For 8 to 120 days to contractor facilities under DSS cognizance
Temporarily for less than 8 days to a government facility not under DSS cognizance
For 8 days to 120 days to a government facility not under DSS cognizance (requires relocation letter)

5.2 SECURITY CATEGORIZATION

5.2.1 Summary Results and Rationale

Summarize information in the sections below (e.g., System # is categorized as a Moderate-Low-Low system processing [security classification] information types). Identify whether or not a risk analysis indicated that no risk adjustment tailoring was required.

5.2.2 Categorization Detailed Results

Describe categorization detailed results.

5.2.2.1 Information Impact Categorization (Reference: CNSSI 1253 Section 3.1)

Information Impact Categorization
Information Type | Confidentiality Impact | Integrity Impact | Availability Impact | Authority
Example: ISR, Engineering, Administrative, Privacy, etc. | Choose an item. | Choose an item. | Choose an item. |
| Choose an item. | Choose an item. | Choose an item. | Example: Security Classification Guide, ISO, REF, etc.


5.2.2.2 System Security Impact Categorization (Reference: CNSSI 1253 Section 3.1)

Final System Impact Categorization
Confidentiality Impact | Integrity Impact | Availability Impact | Authority
Choose an item. | Choose an item. | Choose an item. |
Choose an item. | Choose an item. | Choose an item. | Example: Security Classification Guide, ISO, REF, etc.

5.2.2.3 Risk Adjusted System Impact Categorization (Reference: CNSSI 1253 Section 3.1)

Risk Adjusted System Impact Categorization
Confidentiality Impact | Integrity Impact | Availability Impact | Authority
Choose an item. | Choose an item. | Choose an item. |
Choose an item. | Choose an item. | Choose an item. | e.g., AO, REF, ISO, SCG

5.2.3 Control Selection

Baseline: e.g., Moderate-Low-Low (M-L-L)

DSS Overlays (Select/Add all that apply):
Single User Standalone (SUSA)
Multi-User Standalone (MUSA)
Isolated Local Area Network (ISOL)/Peer to Peer (P2P)

6 KEY ROLES AND RESPONSIBILITIES

6.1 RISK MANAGEMENT

Authorizing Official (AO)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.

Industrial Security Representative (ISR)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.

Security Control Assessor (SCA)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.

Information Owner (IO)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.

Information System Owner (ISO)/Program Manager (PM)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.


6.2 IA SUPPORT PERSONNEL

Information System Security Manager (ISSM)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.

System Administrator/Network Administrator (SA/NA)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.

Data Transfer Agent (DTA)/Assured File Transfer
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.
Transfer Risk Level (High or Low): Click here to enter text.

7 SYSTEM ENVIRONMENT

7.1 PHYSICAL ENVIRONMENT

References: NIST SP 800-53/DAAPM PE-3, DD Form 254 (Item 11c)

Is the secure facility authorized or approved to process and store information at the level covered by this SSP?

Yes No

Who authorized or approved the facility? Organization:
Date of Approval: Click here to enter text.

Indicate if the facility is a Closed or Restricted Area: Closed Restricted Both
Date of Approval: Click here to enter text.

State the classification level approved for the facility, as well as any caveats applied to the information.

Confidential Secret Top Secret

NATO RD FRD CNWDI FGI NOFORN

COMSEC Other:

_______________

Is the facility approved for 24-hour operation? Yes No

Is the facility approved for Open or Closed storage? Opened Closed

List all items approved for Open Storage: Click here to enter text.

List all items restricted to Closed Storage: Click here to enter text.

Are classified and lower classified systems co-located within the facility? (If yes, complete the box to the right. If no, proceed to the next question.)

NIPRNet/NMCI/Internet SIPRNet Other: _______________ _______________ No

Is the system approved for unattended processing? Yes No

Is a PDS required to support this connection? (If yes, upload PDS Approval Letter and PDS Diagram.)

Yes No

Approval Date:


7.2 FACILITY/SYSTEM LAYOUT (BLUEPRINT DIAGRAM)

Include diagram as an attachment. Note: The IS Boundary is required to be annotated in the diagram.

7.3 PERSONNEL AUTHORIZATIONS

NIST SP 800-53/DAAPM AC-2

Minimum Clearance Minimum Access Citizenship Foreign National

Confidential Top Secret Secret

Interim Final

Yes No

7.4 SYSTEM CLASSIFICATION LEVEL(S) & COMPARTMENT(S)

Classification: Confidential Secret Top Secret
Caveats: None FRD RD FGI Other: _______________
Formal Access Approvals: None NATO COMSEC CNWDI Other: _______________

7.5 UNIQUE DATA HANDLING REQUIREMENTS

Identify handling requirements/caveats and Authority.

7.6 INFORMATION ACCESS POLICIES

NIST SP 800-53/DAAPM AC-2, 3

Attach any additional organizational or system-specific user access policies.

8 GENERAL SYSTEM DESCRIPTION/PURPOSE

8.1 PROGRAM/CONTRACT INFORMATION

Enter Program/Contract information, including the contract vehicle's expiration date:

8.2 SYSTEM DESCRIPTION

NIST SP 800-53/DAAPM PL-2

Enter System Description:

8.3 SYSTEM ARCHITECTURE

Describe System Architecture:

8.4 FUNCTIONAL ARCHITECTURE

Describe Functional Architecture (e.g., data flow). Attach diagram if appropriate.


8.5 USER ROLES AND ACCESS PRIVILEGES

List User Roles and Access Privileges (e.g., Privileged User, General User, Database Administrator, and Data Transfer Agent).

Role Name | Authorized Privileges | Functions Performed

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

Click here to enter text. Click here to enter text. Click here to enter text.

9 INTERCONNECTIONS

9.1 DIRECT NETWORK CONNECTIONS

NOTE: Direct Network Connections with external organizations, whether internal or external to the facility, must be addressed in an ISA/MOU/A.

NIST SP 800-53/DSS DAAPM PL-2, AC-17, CA-3

This system does not connect to any other system.

This system connects to the following systems:

SYSTEM NAME | ORGANIZATION | CLASSIFICATION/COMPARTMENTS | ATO ISSUED BY | DATE OF ATO

Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.
Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.
Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.
Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text. | Click here to enter text.

9.2 MEMORANDA OF UNDERSTANDING (MOU), MEMORANDA OF AGREEMENT (MOA), CO-UTILIZATION AGREEMENTS (CUA) AND INTERCONNECTION SECURITY AGREEMENTS (ISA)

This information system does not require any MOU/MOA, CUA, or ISA.
This information system requires an MOU/MOA, CUA, and/or ISA.

NIST SP 800-53/DAAPM AC-20

Subject of MOU/MOA/CUA/ISA: Click here to enter text.
Date of MOU/MOA/CUA/ISA: Click here to enter text.
POC Name: Click here to enter text.
Organization: Click here to enter text.


Contact (phone or e-mail): Click here to enter text.

10 SECURITY ASSESSMENT PLAN

DSS will conduct the security controls assessment utilizing the Defense Information System Agency (DISA) Security Content Automation Protocol (SCAP) Compliance Checker (SCC) for automated checks and all appropriate baseline/benchmark Security Technical Implementation Guides (STIGs). The SCC, STIG Viewer, and applicable STIG and/or SCC content must be installed on the IS. If your IS cannot be assessed utilizing the specified scanning tools, please document your justification below:


11 BASELINE SECURITY CONTROLS MODERATE – LOW – LOW (M-L-L)

The following controls are required for the DAAPM Moderate-Low-Low (M-L-L) baseline developed from the CNSSI 1253 NSS Security Control Baseline. Provide sufficient information to detail how the security controls are being implemented. If the security control is being tailored, provide details on how the IS is meeting the security requirements. Additional clarification regarding the security control requirements can be found in the DAAPM.

11.1 ACCESS CONTROL (AC)

11.1.1 AC-1 – Access Control Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2 AC-2 – Account Management

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.1 AC-2(1) – Account Management: Automated System Account Management

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)


Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.3 AC-2(3) – Account Management: Disable Inactive Accounts

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.4 AC-2(4) – Account Management: Automated Audit Actions

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)


Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.5 AC-2(5) – Account Management: Inactivity Logout

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.6 AC-2(7) – Account Management: Role Based Schemes

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item. Choose an item.
Implementation Status: Implemented Planned Partial


Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.
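The following Python script is an added illustration of one way a program could implement the quarterly continuous-monitoring check for AC-2(10) (and, by extension, the shared-account restrictions of AC-2(9)). It is not part of the DAAPM template or of any program's SSP. The pipe-delimited event format, the account and user names, and the 24-hour rotation grace period are assumptions constructed for the example; a program would substitute its own account-management records and its organization-defined value.

```python
"""AC-2(10) check: shared/group account credentials must be terminated
(rotated) after a member leaves the group.

Added example for this SSP template, not DAAPM or program code. The event
format, the names and the 24-hour grace period are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed organization-defined value: a shared credential must be rotated
# within this window after a member departs, otherwise the departure is a finding.
ROTATION_GRACE = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    when: datetime
    account: str   # the shared/group account affected
    kind: str      # "member_removed" or "credential_rotated"
    subject: str   # the member who left, or the admin who rotated the credential


def parse_events(lines):
    """Parse constructed lines of the form <ISO timestamp>|<account>|<kind>|<subject>.
    Blank lines and '#' comments are ignored; output is sorted by time."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        when, account, kind, subject = raw.split("|")
        events.append(Event(datetime.fromisoformat(when), account, kind, subject))
    return sorted(events, key=lambda e: e.when)


def find_unterminated_credentials(events, now):
    """Return one finding (account, departed member, departure time) for every
    member departure that was not followed by a credential rotation of the same
    shared account within ROTATION_GRACE. A departure whose grace period has not
    yet expired at `now` is not reported."""
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)

    findings = []
    for account, acct_events in by_account.items():
        rotations = [e.when for e in acct_events if e.kind == "credential_rotated"]
        for e in acct_events:
            if e.kind != "member_removed":
                continue
            deadline = e.when + ROTATION_GRACE
            if any(e.when <= r <= deadline for r in rotations):
                continue                      # rotated in time: control satisfied
            if now <= deadline:
                continue                      # still inside the grace period
            findings.append((account, e.subject, e.when.isoformat()))
    return findings


# Constructed sample records (not real data).
SAMPLE_LOG = """
# timestamp|account|kind|subject
2017-11-01T09:00:00|svc_backup|member_removed|jdoe
2017-11-01T11:30:00|svc_backup|credential_rotated|isso
2017-11-03T14:00:00|lab_shared|member_removed|asmith
2017-11-06T08:00:00|lab_shared|credential_rotated|isso
2017-11-10T16:45:00|svc_backup|member_removed|rlee
""".strip().splitlines()


def run_check(lines=SAMPLE_LOG, now_iso="2017-11-17T12:00:00"):
    """Run the check over the sample records as of the given review date."""
    return find_unterminated_credentials(parse_events(lines), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for account, member, left_at in run_check():
        print(f"FINDING AC-2(10): {account} credential not rotated within "
              f"{ROTATION_GRACE} after {member} left on {left_at}")
```

Run as of the sample review date, the script reports two findings: the lab_shared credential was rotated, but only after the grace period, and the svc_backup credential was never rotated after the second departure. The first svc_backup departure is not reported because the rotation followed within a few hours.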

11.1.2.9 AC-2(12) – Account Management: Account Monitoring/Atypical Usage
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.3 AC-3 – Access Enforcement
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.3.1 AC-3(2) – Access Enforcement: Dual Authorization
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.1.3.2 AC-3(4) – Access Enforcement: Discretionary Access Control
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.4 AC-4 – Information Flow Enforcement
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.5 AC-5 – Separation of Duties
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.6 AC-6 – Least Privilege
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.6.1 AC-6(1) – Least Privilege: Authorize Access to Security Functions
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.6.3 AC-6(5) – Least Privilege: Privileged Accounts
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.6.4 AC-6(7) – Least Privilege: Review of User Privileges
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.
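The following Python script is an added illustration of a weekly review that a program could run to satisfy the continuous-monitoring strategy for AC-6(9) (auditing use of privileged functions) and, from the same records, the atypical-usage review of AC-2(12) and the prohibition in AC-6(10) on non-privileged users executing privileged functions. It is not part of the DAAPM template or of any program's SSP. The sudo-style log format, the list of authorized privileged accounts, the per-user workstation baseline and the approved working hours are all assumptions constructed for the example.

```python
"""Weekly review of privileged-function use.

Produces an audit record for every privileged command (AC-6(9)) and flags:
  - privileged commands run by accounts not authorized for them (AC-6(10));
  - privileged use from a workstation outside the account's baseline or
    outside approved hours (AC-2(12), atypical usage).

Added example for this SSP template, not DAAPM or program code. The log
format, account lists, baselines and hours below are assumptions.
"""
import re
from datetime import datetime, time

# Assumed: accounts explicitly authorized to execute privileged functions.
PRIVILEGED_USERS = {"isso", "sysadmin"}
# Assumed: workstations each account normally administers from.
BASELINE_HOSTS = {
    "isso": {"ws-01"},
    "sysadmin": {"ws-02", "ws-03"},
    "jdoe": {"ws-10"},
}
# Assumed approved hours for privileged activity.
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed log format: "<ISO time> <host> sudo: <user> : COMMAND=<command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : COMMAND=(?P<cmd>.+)$")


def parse(line):
    """Return a dict with ts (datetime), host, user and cmd, or None if the
    line does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review(lines):
    """Return (audit_records, findings).

    audit_records: one (time, user, host, command) tuple per privileged command,
    i.e. the AC-6(9) record of who used which privileged function where.
    findings: (control, subject, reason) tuples for the reviewer; lines that do
    not parse are reported rather than silently dropped."""
    audit, findings = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            findings.append(("PARSE", line.strip(), "unparseable line; review manually"))
            continue
        audit.append((rec["ts"].isoformat(), rec["user"], rec["host"], rec["cmd"]))
        if rec["user"] not in PRIVILEGED_USERS:
            findings.append(("AC-6(10)", rec["user"],
                             f"non-privileged account ran {rec['cmd']}"))
        if rec["host"] not in BASELINE_HOSTS.get(rec["user"], set()):
            findings.append(("AC-2(12)", rec["user"],
                             f"privileged use from non-baseline host {rec['host']}"))
        if not (WORK_START <= rec["ts"].time() <= WORK_END):
            findings.append(("AC-2(12)", rec["user"],
                             f"privileged use outside approved hours at {rec['ts'].time()}"))
    return audit, findings


# Constructed sample log lines (not real data).
SAMPLE_SUDO_LOG = """
2017-11-17T08:15:00 ws-01 sudo: isso : COMMAND=/usr/sbin/useradd -m contractor1
2017-11-17T12:30:00 ws-02 sudo: sysadmin : COMMAND=/usr/bin/systemctl restart auditd
2017-11-17T22:10:00 ws-03 sudo: sysadmin : COMMAND=/usr/bin/passwd root
2017-11-17T14:05:00 ws-10 sudo: jdoe : COMMAND=/usr/sbin/visudo
2017-11-17T15:00:00 ws-07 sudo: isso : COMMAND=/bin/cat /etc/shadow
garbage line without structure
""".strip().splitlines()


if __name__ == "__main__":
    records, issues = review(SAMPLE_SUDO_LOG)
    print(f"{len(records)} privileged commands recorded")
    for control, subject, reason in issues:
        print(f"FINDING {control}: {subject}: {reason}")
```

On the sample lines the review records five privileged commands and raises four items: a password change at 22:10 (outside hours), a visudo edit by an account with no privileged authorization, a read of /etc/shadow from a workstation not in the ISSO's baseline, and one unparseable line. Reporting unparseable lines matters because an attacker who can corrupt log entries would otherwise drop out of the review.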

11.1.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions
Recommended Continuous Monitoring Frequency: Semi-Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.7 AC-7 – Unsuccessful Logon Attempts
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.
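The following Python module is an added illustration of the enforcement logic that AC-7 asks the system to implement: a limit on consecutive invalid logon attempts within a time period, an automatic lock for a fixed duration, and a recorded administrator release. It is not part of the DAAPM template or of any program's SSP, and the three parameter values, the log format and the account names are assumptions constructed for the example; a program would enter its own organization-defined values in the implementation text above. Replaying an authentication log through the same class is also a practical way to verify, at the annual review, that the deployed lockout settings behave as documented.

```python
"""AC-7 lockout logic: consecutive invalid logon attempts within a window lock
the account for a fixed period or until an administrator releases it.

Added example for this SSP template, not DAAPM or program code. The three
parameter values and the log format are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed organization-defined AC-7 parameters.
MAX_FAILURES = 3                          # consecutive invalid attempts allowed...
FAILURE_WINDOW = timedelta(minutes=15)    # ...within this period
LOCKOUT_DURATION = timedelta(minutes=30)  # automatic lock length


class LogonPolicy:
    """Tracks recent failures per account and decides whether an attempt proceeds."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the automatic lock expires
        self.events = []                     # lock/release decisions, for audit review

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_attempt(self, account, success, now):
        """Apply one logon attempt; return "allowed", "denied" or "locked"."""
        if self.is_locked(account, now):
            return "locked"                  # attempt is refused regardless of credential
        if success:
            self._failures[account].clear()  # a successful logon resets the counter
            return "allowed"
        window = self._failures[account]
        window.append(now)
        # Only failures inside FAILURE_WINDOW count as "consecutive" for the limit.
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_DURATION
            window.clear()
            self.events.append(("LOCKED", account, now.isoformat()))
        return "denied"

    def admin_release(self, account, admin, now):
        """Manual unlock before LOCKOUT_DURATION elapses; recorded for audit."""
        self._locked_until.pop(account, None)
        self.events.append(("RELEASED", account, f"by {admin} at {now.isoformat()}"))


def replay(lines, policy=None):
    """Replay constructed auth-log lines "<ISO time> <account> <ok|fail>" through
    the policy and return (decisions, policy), where decisions is a list of
    (account, result) in log order."""
    policy = policy or LogonPolicy()
    decisions = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, account, outcome = raw.split()
        result = policy.record_attempt(account, outcome == "ok", datetime.fromisoformat(ts))
        decisions.append((account, result))
    return decisions, policy


# Constructed sample log (not real data).
SAMPLE_AUTH_LOG = """
2017-11-17T08:00:00 jdoe fail
2017-11-17T08:00:20 jdoe fail
2017-11-17T08:01:00 jdoe ok
2017-11-17T09:00:00 asmith fail
2017-11-17T09:00:30 asmith fail
2017-11-17T09:01:00 asmith fail
2017-11-17T09:02:00 asmith ok
2017-11-17T09:40:00 asmith ok
2017-11-17T10:00:00 rlee fail
2017-11-17T10:20:00 rlee fail
2017-11-17T10:40:00 rlee fail
""".strip().splitlines()


if __name__ == "__main__":
    decisions, policy = replay(SAMPLE_AUTH_LOG)
    for account, result in decisions:
        print(account, result)
    print(policy.events)
```

In the sample, jdoe fails twice and then succeeds, so the counter resets; asmith fails three times inside the window and is locked, so the correct password at 09:02 is refused until the lock expires at 09:31; rlee fails three times but twenty minutes apart, so the attempts never count as consecutive and no lock occurs. That last case is the one reviewers most often miss: a window that is too short lets a slow password-guessing attack stay under the limit indefinitely.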

11.1.8 AC-8 – System Use Notification
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.9 AC-10 – Concurrent Session Control
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.10 AC-11 – Session Lock
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.10.1 AC-11(1) – Session Lock: Pattern-Hiding Displays
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.11 AC-12 – Session Termination
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.11.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.12 AC-14 – Permitted Actions without Identification or Authentication
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.13 AC-16 – Security Attributes
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.13.1 AC-16(5) – Security Attributes: Attribute Displays for Output Devices
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.13.2 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.13.3 AC-16(7) – Security Attributes: Consistent Attribute Interpretation
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.1.14 AC-17 – Remote Access
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.14.1 AC-17(1) – Remote Access: Automated Monitoring/Control
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.14.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.14.3 AC-17(3) – Remote Access: Managed Access Control Points
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.14.4 AC-17(4) – Remote Access: Privileged Commands/Access
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.14.5 AC-17(6) – Remote Access: Protection of Information
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.14.6 AC-17(9) – Remote Access: Disconnect/Disable Access
Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.15 AC-18 – Wireless Access
Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: [ ] Implemented [ ] Planned [ ] Partial

Organizational Tailoring (provide justification below for any selection): [ ] Compensatory Control [ ] Tailored In [ ] Tailored Out [ ] Modified

Control Origination (check all that apply): [ ] Common [ ] System Specific [ ] Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.15.1 AC-18(1) – Wireless Access: Authentication & Encryption Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.15.2 AC-18(3) – Wireless Access: Disable Wireless Networking Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.15.3 AC-18(4) – Wireless Access: Restrict Configurations by Users Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.16 AC-19 – Access Control for Mobile Devices Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.16.1 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.17 AC-20 – Use of External Information Systems Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring:

Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.17.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.17.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.17.3 AC-20(3) – Use of External Information Systems: Non-Organizationally Owned Systems/Components/Devices Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.17.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.18 AC-21 – Information Sharing Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.1.19 AC-23 – Data Mining Protection Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.2 AWARENESS AND TRAINING (AT)

11.2.1 AT-1 – Security Awareness & Training Policy and Procedures Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.2.2 AT-2 – Security Awareness Training Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.2.2.1 AT-2(2) – Security Awareness: Insider Threat Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.2.3 AT-3 – Role-Based Security Training Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.2.3.1 AT-3(2) – Security Training: Physical Security Controls Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.2.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.2.4 AT-4 – Security Training Records Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3 AUDIT AND ACCOUNTABILITY (AU)

11.3.1 AU-1 – Audit and Accountability Policy and Procedures Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.2 AU-2 – Audit Events Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.2.1 AU-2(3) – Audit Events: Reviews and Updates Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.3 AU-3 – Content of Audit Records Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.4 AU-4 – Audit Storage Capacity Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.5 AU-5 – Response to Audit Processing Failures Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6 AU-6 – Audit Review, Analysis and Reporting Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.3.7 AU-7 – Audit Reduction and Report Generation Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.8 AU-8 – Time Stamps Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.9 AU-9 – Protection of Audit Information Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.9.1 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.10 AU-11 – Audit Record Retention Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.10.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.11 AU-12 – Audit Generation Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.11.1 AU-12(1) – Audit Generation: System-Wide/Time Correlated Audit Trail Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.11.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.12 AU-16 – Cross-Organizational Auditing Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.12.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.3.12.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.4 SECURITY ASSESSMENT AND AUTHORIZATION (CA)

11.4.1 CA-1 – Security Assessment and Authorization Policies & Procedures Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.2 CA-2 – Security Assessments Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.2.1 CA-2(1) – Security Assessments: Independent Assessors Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.3 CA-3 – System Interconnections Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.3.1 CA-3(2) – System Interconnections: Classified National Security System Connections Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.3.2 CA-3(5) – System Interconnections: Restrictions on External Network Connections Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.4 CA-5 – Plan of Action & Milestones Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.5 CA-6 – Security Authorization Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.6 CA-7 – Continuous Monitoring Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.4.7 CA-9 – Internal System Connections Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.5 CONFIGURATION MANAGEMENT (CM)

11.5.1 CM-1 – Configuration Management Policy and Procedures Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.2 CM-2 – Baseline Configuration Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.2.1 CM-2(1) – Baseline Configuration: Reviews & Updates Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.2.2 CM-2(2) – Baseline Configuration: Automation Support for Accuracy/Currency Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.3 CM-3 – Configuration Change Control Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.3.1 CM-3(4) – Configuration Change Control: Security Representative Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.3.2 CM-3(6) – Configuration Change Control: Cryptography Management Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.4 CM-4 – Security Impact Analysis Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.5 CM-5 – Access Restrictions for Change Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)


Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.5.2 CM-5(6) – Access Restrictions for Change: Limit Library Privileges

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.6 CM-6 – Configuration Settings

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)


Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.7 CM-7 – Least Functionality

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.7.1 CM-7(1) – Least Functionality: Periodic Review

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.7.2 CM-7(2) – Least Functionality: Prevent Program Execution

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.7.3 CM-7(3) – Least Functionality: Registration Compliance

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.8 CM-8 – Information System Component Inventory

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.


Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.5.9 CM-9 – Configuration Management Plan

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.10 CM-10 – Software Usage Restrictions

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.11 CM-11 – User Installed Software

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.5.11.1 CM-11(2) – User Installed Software: Prohibit Installation Without Privileged Status

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.6 CONTINGENCY PLANNING (CP)

11.6.1 CP-1 – Contingency Planning Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.6.2 CP-2 – Contingency Plan

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.6.3 CP-3 – Contingency Training

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.6.4 CP-4 – Contingency Plan Testing

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.6.5 CP-7 – Alternate Processing Site

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.6.6 CP-9 – Information System Backup

Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.6.7 CP-10 – Information System Recovery and Reconstitution

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.7 IDENTIFICATION AND AUTHENTICATION (IA)

11.7.1 IA-1 – Identification and Authentication Policy and Procedures

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.2 IA-2 – Identification and Authentication (Organizational Users)

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.2.1 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.2.2 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.2.3 IA-2(5) – Identification and Authentication: Group Authentication

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.2.4 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.2.5 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay Resistant

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.2.6 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.3 IA-3 – Device Identification and Authentication

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bidirectional Authentication

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.3.2 IA-4 – Identifier Management

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.3.3 IA-4(4) – Identifier Management: Identify User Status

Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4 IA-5 – Authenticator Management
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4.1 IA-5(1) – Authenticator Management: Password-Based Authentication
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.7.4.5 IA-5(8) – Authenticator Management: Multiple Information System Accounts
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.5 IA-6 – Authenticator Feedback
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.6 IA-7 – Cryptographic Module Authentication
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.7 IA-8 – Identification and Authentication (Non-Organizational Users)
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.7.1 IA-8(1) – Identification and Authentication: Acceptance of PIV Credentials from Other Agencies
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.7.2 IA-8(2) – Identification and Authentication: Acceptance of Third-Party Credentials
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.7.3 IA-8(3) – Identification and Authentication: Use of FICAM Approved Products
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.7.7.4 IA-8(4) – Identification and Authentication: Use of FICAM-Issued Profiles
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.8 INCIDENT RESPONSE (IR)

11.8.1 IR-1 – Incident Response Policy and Procedures
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.2 IR-2 – Incident Response Training
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.3 IR-3 – Incident Response Testing
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.3.1 IR-3(2) – Incident Response Testing: Coordination with Related Plans
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.4 IR-4 – Incident Handling
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.4.1 IR-4(1) – Incident Handling: Automated Incident Handling Processes
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.4.2 IR-4(3) – Incident Handling: Continuity of Operations
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.4.3 IR-4(4) – Incident Handling: Information Correlation
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.4.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.4.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.4.6 IR-4(8) – Incident Handling: Correlation with External Organization
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.5 IR-5 – Incident Monitoring
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.6 IR-6 – Incident Reporting
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.6.1 IR-6(1) – Incident Reporting: Automated Reporting
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.6.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.7 IR-7 – Incident Response Assistance
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.7.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information Support
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.8.7.2 IR-7(2) – Incident Response Assistance: Coordination with External Providers
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.8 IR-8 – Incident Response Plan
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.9 IR-9 – Information Spillage Response
Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Choose an item. Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.9.1 IR-9(1) – Information Spillage Response: Responsible Personnel

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.9.2 IR-9(2) – Information Spillage Response: Training

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.9.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.8.10 IR-10 – Integrated Information Security Analysis Team

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.9 MAINTENANCE (MA)

11.9.1 MA-1 – System Maintenance Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.2 MA-2 – Controlled Maintenance

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.3 MA-3 – Maintenance Tools

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.3.1 MA-3(2) – Maintenance Tools: Inspect Media

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.3.2 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.4 MA-4 – Non-Local Maintenance

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.4.1 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.4.2 MA-4(6) – Non-Local Maintenance: Cryptographic Protection

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.4.3 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.5 MA-5 – Maintenance Personnel

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.9.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.10 MEDIA PROTECTION (MP)

11.10.1 MP-1 – Media Protection Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.2 MP-2 – Media Access

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.3 MP-3 – Media Marking

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.4 MP-4 – Media Storage

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.5 MP-5 – Media Transport

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.5.1 MP-5(3) – Media Transport: Custodians

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.5.2 MP-5(4) – Media Transport: Cryptographic Protection

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.6 MP-6 – Media Sanitization

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.6.2 MP-6(2) – Media Sanitization: Equipment Testing

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.7 MP-7 – Media Use

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.7.1 MP-7(1) – Media Use: Prohibit Use without Owner

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.8 MP-8 – Media Downgrading

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.8.1 MP-8(1) – Media Downgrading: Documentation of Process

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.8.2 MP-8(2) – Media Downgrading: Equipment Testing

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.10.8.3 MP-8(4) – Media Downgrading: Classified Information

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.11 PHYSICAL AND ENVIRONMENTAL PROTECTION (PE)

11.11.1 PE-1 – Physical and Environmental Protection Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.2 PE-2 – Physical Access Authorizations

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.3 PE-3 – Physical Access Control

Recommended Continuous Monitoring Frequency: Quarterly. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.3.1 PE-3(1) – Physical Access Control: Information System Access

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.4 PE-4 – Access Control for Transmission Medium

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.5 PE-5 – Access Control for Output Devices

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)


Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.6 PE-6 – Monitoring Physical Access

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.7 PE-8 – Visitor Access Records

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.8 PE-12 – Emergency Lighting

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.9 PE-13 – Fire Protection

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.10 PE-14 – Temperature and Humidity Controls

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.11 PE-15 – Water Damage Protection

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.12 PE-16 – Delivery and Removal

Recommended Continuous Monitoring Frequency: Semi-Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.13 PE-17 – Alternate Work Site

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.11.14 PE-19 – Information Leakage

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.11.14.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.12 PLANNING (PL)

11.12.1 PL-1 – Security Planning Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.12.2 PL-2 – System Security Plan

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.12.2.1 PL-2(3) – System Security Plan: Coordinate with Other Organizational Entities

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.12.3 PL-4 – Rules of Behavior

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.12.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.12.4 PL-8 – Information Security Architecture

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.12.4.1 PL-8(1) – Information Security Architecture: Defense in Depth

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.12.4.2 PL-8(2) – Information Security Architecture: Supplier Diversity

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.13 PROGRAM MANAGEMENT (PM)

11.13.1 PM-1 – Information Security Program Plan

NOTE: All organizations are required to establish a cybersecurity/information assurance (CS/IA) program.

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.2 PM-3 – Information Security Resources

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.3 PM-4 – Plan of Action and Milestones Process

Recommended Continuous Monitoring Frequency: Quarterly. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.4 PM-5 – Information System Inventory

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.5 PM-6 – Information Security Measures of Performance

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.6 PM-7 – Enterprise Architecture

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.7 PM-8 – Critical Infrastructure Plan

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.8 PM-9 – Risk Management Strategy

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.9 PM-10 – Security Authorization Process

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.10 PM-11 – Mission/Business Process Definition

Recommended Continuous Monitoring Frequency: Annual. Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) / Tailored In (Provide justification below) / Tailored Out (Provide justification below) / Modified (Provide justification below)

Control Origination (check all that apply): Common / System Specific / Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.11 PM-12 – Insider Threat Program

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.12 PM-13 – Information Security Workforce

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.13 PM-14 – Testing, Training, and Monitoring

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.14 PM-15 – Contact with Security Groups and Associations

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.13.15 PM-16 – Threat Awareness Program

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.14 PERSONNEL SECURITY (PS)

11.14.1 PS-1 – Personnel Security Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.2 PS-2 – Position Risk Designation

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.3 PS-3 – Personnel Screening

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.3.1 PS-3(1) – Personnel Screening: Classified Information

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.4 PS-4 – Personnel Termination

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.5 PS-5 – Personnel Transfer

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.6 PS-6 – Access Agreements

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.6.1 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)


Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.6.2 PS-6(3) – Access Agreements: Post-Employment Requirements

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.7 PS-7 – Third-Party Personnel Security

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.14.8 PS-8 – Personnel Sanctions

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)


Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.15 RISK ASSESSMENT (RA)

11.15.1 RA-1 – Risk Assessment Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.2 RA-2 – Security Categorization

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.3 RA-3 – Risk Assessment

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.4 RA-5 – Vulnerability Scanning

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.4.1 RA-5(1) – Vulnerability Scanning: Update Tool Capability

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.4.3 RA-5(4) – Vulnerability Scanning: Discoverable Information

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.4.4 RA-5(5) – Vulnerability Scanning: Privileged Access

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.15.5 RA-6 – Technical Surveillance Countermeasures Survey

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)


Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.16 SYSTEM AND SERVICES ACQUISITION (SA)

11.16.1 SA-1 – System and Services Acquisition Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.2 SA-2 – Allocation of Resources

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.3 SA-3 – System Development Life Cycle

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.4 SA-4 – Acquisition Process

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

115[Insert Document Classification]

Version 1.2 11/17/2017

[Insert Company name/Logo]

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.5 SA-5 – Information System Documentation

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.6 SA-8 – Security Engineering Principles

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)


Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.7 SA-9 – External Information System Services

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.7.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.7.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.8 SA-10 – Developer Configuration Management

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.8.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.9 SA-11 – Developer Security Testing and Evaluation

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item.


Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.10 SA-12 – Supply Chain Protection

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.11 SA-15 – Development Process, Standards and Tools

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.16.11.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.12 SA-19 – Component Authenticity

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.16.13 SA-22 – Unsupported System Components

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.17 SYSTEMS AND COMMUNICATIONS PROTECTION (SC)

11.17.1 SC-1 – Systems and Communications Protection Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.2 SC-2 – Application Partitioning

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.3 SC-3 – Security Function Isolation

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.4 SC-4 – Information in Shared Resources

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.4.1 SC-4(2) – Information in Shared Resources: Periods Processing

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.5 SC-5 – Denial of Service Protection

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.5.1 SC-5(1) – Denial of Service Protection: Restrict Internal Users

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6 SC-7 – Boundary Protection

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.1 SC-7(3) – Boundary Protection: Access Points

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)


Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.2 SC-7(4) – Boundary Protection: External Telecommunications Services

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)


Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.9 SC-7(12) – Boundary Protection: Host-Based Protection

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item.


Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.6.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.7 SC-8 – Transmission Confidentiality and Integrity

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.17.7.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection

Recommended Continuous Monitoring Frequency: Annual

Program Frequency: Choose an item. Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.7.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.7.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.7.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.8 SC-10 – Network Disconnect

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.9 SC-12 – Cryptographic Key Establishment and Management

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.9.1 SC-12(2) – Cryptographic Key Establishment and Management: Symmetric Keys

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.9.2 SC-12(3) – Cryptographic Key Establishment and Management: Asymmetric Keys

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.10 SC-13 – Cryptographic Protection

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.11 SC-15 – Collaborative Computing Devices

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.11.1 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.12 SC-17 – Public Key Infrastructure Certificates

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.13 SC-18 – Mobile Code

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.13.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.13.2 SC-18(2) – Mobile Code: Acquisition/Development/Use

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.13.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.13.4 SC-18(4) – Mobile Code: Prevent Automatic Execution

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.14 SC-19 – Voice over Internet Protocol (VoIP)

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.15 SC-20 – Secure Name/Address Resolution Service (Authoritative Source)

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.16 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.17.17 SC-22 – Architecture and Provisioning for Name/Address Resolution Service

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.18 SC-23 – Session Authenticity

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.18.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.18.2 SC-23(3) – Session Authenticity: Unique Session Identifiers with Randomization

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.18.3 SC-23(5) – Session Authenticity: Allowed Certificate Authorities

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.19 SC-28 – Protection of Information at Rest

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.19.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.20 SC-38 – Operations Security

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.21 SC-39 – Process Isolation

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.22 SC-42 – Sensor Capability and Data

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.17.22.1 SC-42(3) – Sensor Capability and Data: Prohibit Use of Services

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.18 SYSTEM AND INFORMATION INTEGRITY (SI)

11.18.1 SI-1 – System and Information Integrity Policy and Procedures

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.2 SI-2 – Flaw Remediation

Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.2.1 SI-2(1) – Flaw Remediation: Central Management

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented Planned Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.2.4 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.3 SI-3 – Malicious Code Protection

Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.3.1 SI-3(1) – Malicious Code Protection: Central Management

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates

Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)


Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.3.3 SI-3(10) – Malicious Code Protection: Malicious Code Analysis

Recommended Continuous Monitoring Frequency: Weekly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4 SI-4 – Information System Monitoring

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)


Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.5 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.6 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.7 SI-4(12) – Information System Monitoring: Automated Alerts

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.8 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.9 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.


11.18.4.10 SI-4(16) – Information System Monitoring: Correlate Monitoring Information

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.11 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.12 SI-4(20) – Information System Monitoring: Privileged User

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.


CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.13 SI-4(21) – Information System Monitoring: Probationary Periods

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.14 SI-4(22) – Information System Monitoring: Unauthorized Network Services

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.4.15 SI-4(23) – Information System Monitoring: Host-Based Devices

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.5 SI-5 – Security Alerts, Advisories, and Directives

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.6 SI-10 – Information Input Validation

Recommended Continuous Monitoring Frequency: Annual
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.7 SI-11 – Error Handling

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

11.18.8 SI-12 – Information Handling and Retention

Recommended Continuous Monitoring Frequency: Quarterly
Program Frequency: Choose an item.

Implementation Status: Implemented / Planned / Partial

Organizational Tailoring: Compensatory Control (Provide justification below) Tailored In (Provide justification below) Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply): Common System Specific Hybrid (Common and System Specific)

Enter text in order to provide detailed information regarding the implementation strategy. This section will also be used to provide any needed explanation/justification or additional information. If control was tailored out, further documentation may be required.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.
