
SCDIS-200 Information Security and Privacy Standards

for all South Carolina state agencies


version: 1.5
issued: 18-Sep-2015
effective: 01-Jul-2016
owner: Chief Information Security Officer / Division of Information Security / Division of Technology / State of South Carolina
scope: Per South Carolina Provisos 117.113 (2014) and 101.32 (2014) and any successive statutes, these standards are to be
implemented by all South Carolina state agencies, including institutions, departments, divisions, boards, commissions, and
authorities. Exceptions are noted in the terms of the Provisos.
Within statutory scope, this policy applies to:
A. all persons managed by an agency, such as employees, contractors, and volunteers
B. all agency information systems, regardless of location or service level agreement
C. all information contained on any agency information system, regardless of format or medium
D. all information otherwise under the control of any agency, regardless of format or medium

Overview
This document establishes the standards to be used by each state agency to incorporate information security and privacy
protection controls into its business practices. These controls represent the same requirements enumerated in the published
Information Security policies, but incorporate supplemental guidance (see "How To Use" section below).

Authoritative Documents
If substantive differences are found to exist between this document and any of its superior documents, such as state policy,
statute, or regulation, those superior documents must be considered authoritative, and their provisions must prevail.

How To Use These Standards


These controls (see "Controls Matrix" tab) describe minimum standards for securing agency information.
Organization of Controls: The controls are listed by subject matter sections. Each section corresponds to the controls
originally published within the information security policies on the DIS website in 2014. Some controls have been reworded
to improve clarity. Some controls have additional guidance added to the control text. Substantially reworded controls are
listed in red.
Scoping Implementation of Controls: Some controls are not required to be applied to some situations. Criteria for
determining scope are supplied in the columns that correlate to data classification (Public/Internal, Confidential/Restricted).
These criteria correlate to NIST 800-53 rev 4 guidance.
Priority for Implementing Controls: The purpose of prioritizing implementation is to apply controls to the areas of higher risk
first. Regardless of the priority, all required controls are to be implemented by the effective date above. Guidance for
prioritizing the implementation of controls is supplied in the Priority column, and correlates with NIST 800-53 rev 4 guidance.
Gap Analysis and Remediation: Gap analysis can be performed, and remediation progress can be tracked, using the "Gap and
Remediation" tab. This replaces the gap analysis and implementation plan tools previously published on the DIS website.
Hosted Services: This tab establishes the minimum acceptable controls to be maintained by providers of hosted services.
Contractors with Data: This tab establishes the minimum acceptable controls to be maintained by contract service providers
who will be given possession of sensitive data.

Exceptions
For any exceptions to these standards, agencies must follow this exception process:
A decision not to require a specific policy, standard, procedure, or control (collectively, policy framework components) for a given scope can only be
granted by an agency director or the agency director's designated executive authority for that scope, in consultation with DIS. Such an
exception must not be granted without first performing the following evaluations:
1. Determine the objective of the policy framework component, and consider whether this objective is meaningful in the given scope.
2. Consider the application of compensating controls to reduce the risk as consistent with the objective.
3. Analyze the residual risk, and document, including an executive level summary.
4. Consult with a DIS subject matter expert regarding the documented risk, and incorporate advice within the exception documentation.
5. Obtain documented executive endorsement for some treatment of the risk, such as:
a. Agreement that the objective of the policy framework component is not meaningful in the given scope.
b. Mitigation of the risk through compensating controls, and acceptance of the residual risk.
c. Acceptance of the full, unmitigated risk.
6. Centrally assemble and retain documentation for all exceptions.
7. Review all exceptions at least annually, to evaluate changes in requirements, risk factors, and effectiveness of any compensating controls.
8. Be prepared to produce all exception documentation during IT audits and assessments.
Example 1: An agency determines that it has no occasion to develop computer software, and therefore has no need to implement software
development security controls. In this case the agency would document, within its Information Security Plan or as a separate document, that the
objectives of these controls are not meaningful within the agency, and an appropriate agency executive would then endorse the exception individually
or along with endorsement of the agency's Information Security Plan.
Example 2: An agency determines that a particular information system it operates has no means to enforce state-mandated password complexity
requirements, and has verified this fact with the vendor. The agency determines that the control is intended to increase the amount of time needed
for an attacker to guess a password. Instead, the agency increases the length of time an account is automatically locked after incorrect password
entries, as a compensating control. Analysis of the selected compensating control indicates that it will give comparable protection. The agency
documents this exception as in Example 1, along with the compensating control and the analysis, and an appropriate agency executive endorses the
exception as in Example 1.
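The analysis step in Example 2 ("comparable protection") is the part an auditor will ask to see. The following is an added worked example, not part of SCDIS-200 or any DIS tool, that models the trade-off the example describes: how much online guessing time a lockout policy buys compared with the complexity rule it replaces. All password-policy and lockout values in it are assumptions chosen for illustration; the model treats passwords as uniformly random over the stated alphabet, which overstates real-world strength but keeps the comparison apples to apples.

```python
# Added worked example (not part of SCDIS-200): models the trade-off in Example 2,
# where account lockout is proposed as a compensating control for a system that
# cannot enforce password complexity. All policy values below are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """Account lockout parameters for online guessing."""
    threshold: int                # failed attempts allowed before the account locks
    lockout_seconds: float        # how long the account stays locked after that
    attempt_seconds: float = 0.5  # assumed time per online guess while unlocked

    def __post_init__(self) -> None:
        if self.threshold < 1 or self.attempt_seconds <= 0 or self.lockout_seconds < 0:
            raise ValueError("threshold >= 1, attempt_seconds > 0, lockout_seconds >= 0")

    def guesses_per_second(self, accounts: int = 1) -> float:
        """Sustained guess rate an attacker gets against `accounts` targets.

        Per account: `threshold` guesses, then one lockout window, repeated.
        Lockout is per account, so spraying across many accounts scales the rate.
        """
        cycle = self.threshold * self.attempt_seconds + self.lockout_seconds
        return accounts * self.threshold / cycle


def keyspace(alphabet_size: int, length: int) -> float:
    """Candidate passwords when characters are drawn uniformly from the alphabet."""
    return float(alphabet_size) ** length


def expected_seconds(space: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen password (half the space on average)."""
    return (space / 2.0) / guesses_per_second


def online_attack_seconds(space: float, policy: LockoutPolicy, accounts: int = 1) -> float:
    """Online guessing against live logins, throttled by the lockout policy."""
    return expected_seconds(space, policy.guesses_per_second(accounts))


def offline_attack_seconds(space: float, hashes_per_second: float) -> float:
    """Cracking a stolen hash: lockout does not apply, only keyspace and hash speed."""
    return expected_seconds(space, hashes_per_second)


def lockout_is_comparable(required_space, required_policy, compensated_space,
                          compensated_policy, accounts: int = 1) -> bool:
    """True if the compensated configuration forces at least as long an online attack
    as the required one does, i.e. the objective of the complexity control is met."""
    return (online_attack_seconds(compensated_space, compensated_policy, accounts)
            >= online_attack_seconds(required_space, required_policy, accounts))


def main() -> None:
    # Assumed required baseline: 8 characters from a 95-character printable set,
    # lockout after 10 failures for 60 seconds.
    required = (keyspace(95, 8), LockoutPolicy(10, 60))
    # Assumed compensated system: 8 lowercase letters only, stricter lockout
    # (5 failures, 30 minutes).
    compensated = (keyspace(26, 8), LockoutPolicy(5, 1800))
    print("online, 1 account:  comparable =",
          lockout_is_comparable(*required, *compensated))
    # Spraying 1000 accounts defeats per-account lockout equally for both, so the
    # comparison is unchanged, but absolute times drop a thousandfold.
    print("online, 1000 accts: comparable =",
          lockout_is_comparable(*required, *compensated, accounts=1000))
    # Raising the minimum length to 12 restores comparable online resistance.
    longer = (keyspace(26, 12), LockoutPolicy(5, 1800))
    print("online, 12 lowercase chars: comparable =",
          lockout_is_comparable(*required, *longer))
    # Offline caveat: against a stolen hash at an assumed 1e10 guesses/s the
    # lockout contributes nothing; only the keyspace matters.
    for label, space in (("95^8", required[0]), ("26^8", compensated[0]), ("26^12", longer[0])):
        print(f"offline {label}: {offline_attack_seconds(space, 1e10):.1f} s")


if __name__ == "__main__":
    main()
```

Two points the example makes that the exception documentation should state explicitly: a lockout only throttles online guessing, so if the system's password hashes can be obtained the compensating control offers nothing and the residual risk is the weaker keyspace; and because lockout is per account, a spraying attacker spread across many accounts is throttled far less than the per-account numbers suggest, so pairing the lockout with a minimum length (or with monitoring for distributed failures) is what makes the analysis hold.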

History
Date Version Description
18/Sep/2015 1.5 Comprehensive reviewed published InfoSec policies, excerpted controls, reorganized, reworded, scoped,
and clarified. Created linked gap and remediation tool. Created search/highlight function. Created
mappings to FedRAMP and to NIST 800-171 (draft).
DIS Section NIST Control ID Public or Confidential
Control ID Objective Policy Name (ver 1.2) Policy Section Policy Subsection SC State Policy Control (NIST 800-53) NIST Control Name NIST Control Description Internal or Restricted HIPAA Priority Code

t
N
1.100 Information Security Plan: Each agency must formally authorize, document, prioritize,

a
and provide resources for incorporating security and privacy controls into its business
processes. x x xc P1
1.101 Information Security 1.1 Information Security PM1.1 - Information Each agency must develop and communicate an information PM-1 Information Security The organization:
Program Program Planning Security Plan security plan that underlines security requirements, the security Program Plan a. Develops and
management controls, and common controls in place for meeting
those requirements.
disseminates an organization-
wide information security
x x xc P1
program plan that:
1. Provides an overview of
1.102 Information Security 1.1 Information Security PM1.2 - Information Each agencys security plan must identify and assign security PM-1 Information Security The organization: for the
the requirements
Program Program Planning Security Plan program roles, responsibilities and management commitment, and Program Plan a. Develops
security program andand a
ensure coordination among the agencys business units, as well as disseminates
description ofan theorganization-
security x x xc P1
compliance with the security plan wide information
program management security controls
program plan that:
and common controls in place
1.
or planned Provides
for meeting thoseof
an overview
1.103 Information Security 1.1 Information Security PM1.3 - Information Each agency must ensure coordination among the agencys PM-1 Information Security The
the organization:
requirements
requirements; for the
Program Program Planning Security Plan business units responsible for the different aspects of information Program Plan a. Develops
security program andand a
security (i.e., technical, physical, personnel, etc.) 2. Includes
disseminates
description ofanthe
the
organization-
security x x xc P1
identification
wide information and security
assignment
program
of roles, management
responsibilities, controls
1.104 Information Security 1.1 Information Security PM1.4 - Information Each agency must ensure that the security plan is approved by PM-1 Information Security program
and
The common plan controls
organization: that: in place
management commitment,
Program Program Planning Security Plan senior management Program Plan 1.
or planned Provides
a. Develops
coordination foramong an
meeting
and overviewthoseof x x xc P1
the requirements
requirements;
disseminates an for the
organization-
organizational
security entities,
programthe and a and
1.105 Information Security 1.1 Information Security PM1.5 - Information Each agency must periodically review the information security plan, PM-1 Information Security The
wide organization:
2. Includes
information
compliance; security
Program Program Planning Security Plan staging each full review cycle across no more than a 3-year period. Program Plan description
a. 3.Develops
identification ofand
the
and security
assignment
program
program
disseminates
of roles,
plan
Reflects that:
management coordination
an organization-
responsibilities,
1. organizational
Provides an overviewcontrols of
x x xc P1
among
and common controls entities
in place
wide information
management
the requirements
responsible for thesecurity
commitment,
for the
different
or planned
program
coordination
security for
plan
program meeting
that:
among those
and asecurity
1.106 Information Security 1.1 Information Security PM1.6 - Information Each agency must update the security plan to address changes and PM-1 Information Security The organization:
aspects
requirements;of information
Program Program Planning Security Plan problems identified during plan implementation or security control Program Plan 1. Provides
organizational
description
a. technical,
(i.e., Develops andansecurity
entities,
of the overview
physical, and of
assessments. the 2. Includes
requirements
compliance;
program
disseminates management
an the
personnel, cyber-physical); for the controls
organization- and x x xc P1
identification
security and assignment
wide
of
3.
and common Isprogram
Reflects
information
4.
roles, approved and byain
coordination
controls
security
responsibilities,
place
a senior
description
among
or planned
program
official with of
for
plan the
organizational security
meeting
that:
responsibility entities
those
and
1.107 Information Security 1.1 Information Security PM1.7 - Information Each agency must protect the information security plan from PM-1 Information Security The organization:
management
program
responsible forcommitment,
managementthe controls
different
Program Program Planning Security Plan unauthorized disclosure and modification. Program Plan requirements;
1.
a.common
aspects
Provides
accountability
Develops
coordination
and
for
and
among
anthe
controls
of information
2.incurred
Includes the
overview
risk
insecurity
place
of x x xc P1
the
being requirements
disseminates an to for the
organization-
organizational
or planned
(i.e.,
securitytechnical,
identification for
program entities,
meeting
physical,
and assignment
and a and
those
1.108 Information Security 1.1 Information Security PM 3 -Information Security Each agency must consider resources needed to implement and PM-1 Information Security organizational
The
wide organization:
information
compliance;
requirements;
personnel,
operations
security and
cyber-physical);
Program Program Planning Resources maintain the information security plan in capital planning and Program Plan of roles,
description
(including
a. 3.
program responsibilities,
Develops of that:
the
mission,
and security
functions,
investment requests. 2.
management
program
image,
disseminatesIsplan
Reflects
Includes
4. and approved coordination
the
reputation),
an by acontrols
commitment,
management organization- senior x x xc P1
among
official1. with
Provides
organizational
identification and anassignment
overview
responsibility entitiesandof
coordination
and
wide
the common
organizational
information
requirements among
controls
assets,
security
for in place
the
responsible
of roles,
accountability
organizational
or planned forfor
for thethe
responsibilities,different
entities,
meeting risk
and
those
individuals,
program
security planother
program that: and a
1.109 Information Security 1.1 Information Security PM 4.1 - Plan of Action Each agency must follow a process for ensuring that an PM-4 Information Security (1) The
aspects
management
being organization:
of information
incurred
compliance;
requirements;
organizations,
1. Provides commitment,
toanthe
and
security
overview
Nation;
Program Program Planning and Milestones Process implementation plan is developed and executed to address Program Plan description
a. technical,
(i.e., Implements
coordination
organizational ofamong
the asecurity
process
physical,
operations forof
identified security and privacy deficiencies. the
ensuring
3.
2.
personnel,
Reflects
Includes
b.requirements
program Reviews
organizational
(including
among that the
management coordination
the
plans organization-
forofthe
cyber-physical);
entities,
mission,
organizational
controls
action
and
functions,
entities and x x xc P1
identification
wide
security information and assignment
and
compliance;
image,
responsible
of roles, Isprogram
common
milestones
4. and approved forand
security
controls
reputation), byain
the
for[Assignment:
the
responsibilities,different
place
asecurity
senior
program
description
or planned
program
official withplan
and of
for the security
meeting
associated
responsibility those
and
1.110 Information Security 1.1 Information Security PM 4.2 - Plan of Action Each agency must review implementation plans for consistency PM-4 Information Security (1) The
aspects 3.
management Reflects
organizational
organization:
of coordination
assets,
information
organization-defined
program commitment,
management security
controls
Program Program Planning and Milestones Process with the agencys risk management strategy and priorities for risk Program Plan requirements;
organizational
accountability
among
individuals,
a.common
Implements information
for
organizational
other the risk
entities
a process for
(i.e., technical,
coordination
frequency];
and physical,
among
controls in place
response actions. systems:
being
ensuring2.
personnel,
Includes
incurred
responsible
organizations,
organizational
or planned
c. Updates thatfor
for
tothe
the
and
plans
the
meetingdifferent
the
plan Nation;
of action
cyber-physical);
entities, and
tothoseand x x xc P1
identification
and b. 1. Are
organizational
aspects of
Reviews
milestones and
developed
information
thefor assignment
operations and
organization-
the security
address 4. Isorganizational
compliance;
requirements;
of roles, approved by achanges
responsibilities, senior
maintained;
(including
(i.e.,
wide
program
official3. with mission,
technical,
information
and
Reflects associatedfunctions,
physical,
security
responsibility
coordination and
1.111 Information Security 1.1 Information Security PM 6 - Information Each agency must develop, monitor, and report on the results of PM-6 Information Security and
(1) problems
The
image, 2.
management Includes identified
organization
2. and
Document the
commitment,
reputation),the during
develops,
remedial
personnel,
program
organizational
accountability
among cyber-physical);
plan [Assignment:
information
for
organizational
plan implementation
identification and the risk
entities
assignment
or and
Program Program Planning Security Measures of information security and privacy measures of performance, as Measures Of coordination
monitors,
information
organizational and
4.incurred among
reports
security
Iscontrol assets,
approved
organization-defined
systems: on
actions
by a seniorthe to
being
responsible
security
of roles, to
forentities,
the
responsibilities,different
assessments;
Performance directed by the SC Division of Information Security or the SC
Enterprise Privacy Office.
Performance organizational
results
adequately
official
frequency];
aspects
and
management
compliance;
measures
of
individuals,
with
1. Are
organizational
of
information
respond
other to
responsibility
developed
operations
information
commitment,
of performance.
and
security
risk
and to
and
security x x xc P1
organizational
organizations,
accountability
c. Updates
maintained;
(including
(i.e., operations
and
for
the
mission,
technical, the
the
plan to and
Nation;
risk
functions,
physical,
coordination
d.
b. 3.Protects
Reflects among
the information
assets,
being
address
image, 2.
personnel,
security
individuals,
Reviews
incurred
and
organizational tocoordination
the
organizational
Document
reputation),
program
other
organization-
the
cyber-physical);
entities,
plan changes
remedial
and and
from
among
wide organizational
organizations,
information
organizational
and problems
information and the
security
operations
identified
security entities
Nation;
actions during
organizational
4.
compliance;
unauthorized
responsible
and
program
Is approved
planfor assets,
disclosure
the by
different
[Assignment: and to
a senior
(including
adequately
individuals,
official with
modification.
3. mission,
plan implementationrespond
other
Reflects functions,
toorriskand
responsibility
coordination to
aspects
image,
security3. of
Are
and
organizational information
reported
organization-defined
reputation),
control in
assessments;
operations security
and
organizations,
accountability
among
(i.e., and
for
organizational
technical, therisk
the
physical, Nation;
entities
accordance
frequency];
organizational
and
assets,
being with
individuals,
b. Reviews
incurred the
to OMB
assets, other FISMA
organization-
responsible
personnel,
reporting
c. Updates forthetheplan
different
cyber-physical);
requirements. to and
individuals,
wided. Protects
organizations, other
information
organizational
aspects and information
the Nation;
security
operations
b. 4.
address Isof
Reviews
organizations,
security
and
information
approved
plans
organizational
program and by
the
plan
security
aNation;
of actionsenior
changes
from
program
(including
(i.e.,
official plan
technical,
with [Assignment:
mission, functions,
physical,
responsibility and
and b.milestones
problems
Reviews
unauthorized
image, 3. and fororganization-
consistency
identified
the
disclosure
Are cyber-physical);
reported
organization-defined
reputation), in during
and
personnel,
accountability
with
plan the forOMB
organizational
implementation the or riskrisk and
wide information
modification.
accordance with security FISMA
1.200 Information Security Roles and Responsibilities: Each agency must formally document
authority for security and privacy responsibilities within its organization.
x x x P1
1.201 Information Security 1.2 Security Organization Information Security Each agencys chief executive must ensure that the agencys senior PM-2 Senior Information (1) The organization appoints a
Program (Roles and Authority officials are given the necessary authority to secure the operations Security Officer senior information security
Responsibilities) and assets under their control. officer with the mission and x x x P1
resources to coordinate,
1.202 Information Security 1.2 Security Organization Information Security Each agency must appoint an information security liaison with the PM-2 Senior Information develop, implement,appoints
(1) The organization and a
Program (Roles and Liaison mission and resources to: coordinate, develop, implement, and Security Officer maintain an organization-wide
senior information security
Responsibilities) maintain an information security plan. information
officer with thesecurity
missionprogram.
and x x x P1
resources to coordinate,
develop, implement,establishes
and
1.203 Information Security 1.2 Security Organization Information Security Each agency must establish an information security workforce and PM-13 Information Security (1) The organization
maintain an organization-wide
Program (Roles and Workforce professional development program appropriately sized to the Workforce an information security
Responsibilities) agencys information security needs.
information security program.
workforce development and x x x P1
improvement program.
1.204 Information Security 1.2 Security Organization Role-based Security Each agency must provide role-based security training to personnel AT-3 Role-Based Security (1) The organization provides
Program (Roles and Training with assigned security roles and responsibilities. Training role-based security training to x x x P1
Responsibilities) personnel with assigned
security roles and
1.300 Information Security Policy Management: Each agency must formally evaluate its responsibilities:
business processes, and ensure that these processes are designed in compliance with a. Before authorizing access
the state Information Security Program. to the information system or x x x P1
performing assigned duties;
1.301 Information Security 1.3 Policy Management Procedure Development Each agency must adopt a risk-based approach to identify State and PM-9 Risk Management (1) b.
TheWhen required by
organization:
Program (Plan of Action) agency-specific information security and privacy objectives, and Strategy information
a. Develops system
a changes;
and
must develop information security procedures in alignment with
the identified security objectives.
comprehensive
c. [Assignment:
strategy to
manage risk to organizational
x x xc P1
organization-defined
operations and assets,
frequency] thereafter.
individuals, other
1.302 Information Security 1.3 Policy Management Procedure Development Each agency must allocate the appropriate subject matter experts PM-3 Information Security (1) The organization:
organizations, and the Nation
Program (Plan of Action) to the development of State and agency-specific information Resources a. Ensures thatthealloperation
capital
security procedures.
associated
planning and
with
investment
and use of information
x x xc P1
requests
systems; include the resources
1.303 Information Security 1.3 Policy Management Procedure Development Each agency must approach independent external (third party) PM-15 needed
Contacts With Security (1) b.
The to implement
Implements
organization the
theestablishes
risk
Program (Plan of Action) specialists to assist in the development of information security information
management
Groups And Associations and security
strategy
institutionalizes program
contact
policies, procedures, or controls in cases where it is established that and
with documents
consistently
selectedacross all exceptions
groups the and
the required skills do not exist within the agency and are not to this requirement;
organization;
associations and the security
within
available within any other state government agency. b. Employsand
c. Reviews
community: a business
updates the x x xc P1
case/Exhibit
riska.management 300/Exhibit
To facilitate strategy53 to
ongoing
record
security the
[Assignment: resources
organization-
education and required;
training
and
defined
for frequency]personnel;
organizational or as
c. Ensures
required, that
to address
b. To maintain information
currency with
1.304 Information Security 1.3 Policy Management Procedure Development Each agency must work in collaboration with other states, Federal security
recommended resources
organizational are available
changes.
security
Program (Plan of Action) government, and external special interest groups in cases where for expenditure as planned.
practices, techniques, and
procedures directly or indirectly affect interfacing activities with
them. technologies; and x x xc P0
c. To share current security-
related information including
1.305 Information Security 1.3 Policy Management Procedure Development Each agency should ensure that information security and privacy PL-1 threats, vulnerabilities, and
Security Planning Policy (1) The organization:
Program (Plan of Action) policies, standards, guidelines, and procedures that are developed And Procedures incidents.
a. Develops, documents,
at the agency should contain the following information, as and disseminates to
appropriate: version, issued date, effective date, owner of [Assignment: organization-
document (identified by office or role), purpose, definitions, scope, defined personnel or roles]: x x x P1
directives, guidance, and revision history. 1. A security planning
policy that addresses purpose,
scope, roles, responsibilities,
management commitment,
1.306 Information Security 1.3 Policy Management Procedure Development Each agency must review each draft procedure with stakeholders
coordination among
Program (Plan of Action) who must be impacted by the procedure, to ensure that the
procedure is enforceable and effective. organizational entities, and x x xc P0
compliance; and
2. Procedures to facilitate
1.307 Information Security 1.3 Policy Management Procedure Development Each agency must identify gaps within the procedures that are not PM-4 Plan Of Action And (1)
theThe organization:of the
implementation
Program (Plan of Action) enforceable and effective, must document the gaps, and must Milestones Process a. Implements
planning apolicy process andfor
assign the appropriate resources to remediate the gaps.
security
ensuring
associated that plans planning
security of action x x xc P1
and milestones
controls; and for the security
1.308 Information Security 1.3 Policy Management Procedure Development Each agency must develop and implement a communication plan to PL-1 program
Security Planning Policy (1) b.
The and associated
Reviews and updates the
organization:
Program (Plan of Action) disseminate new procedures or changes to existing procedures. And Procedures organizational
a. Develops,information
current: documents,
systems:1. Security planning
and disseminates to policy x x x P1
1. Are developed
[Assignment: organization- and
maintained;
defined frequency];
personnel or and
roles]:
1.309 Information Security 1.3 Policy Management Procedure Review and Each agency may establish a procedure governance committee for PL-1 Security Planning Policy (1) The 2. Aorganization:
Document the remedial
Program (Plan of Action) Approval the purpose of review and approval of procedures. And Procedures 2.
a. 1. Security
security
Develops,
information
procedures
policy that
planning
planning
documents,
security
[Assignment:
addresses actions to x x x P1
and disseminates
adequately respond to topurpose,
risk to
organization-defined
scope, roles, responsibilities,
[Assignment: organization-
organizational
frequency].
management operations and
commitment,
defined personnel
assets, individuals, or roles]:
other
coordination among
1. A security planning
organizations,
organizational and the Nation;
entities, and
policy
and that addresses purpose,
compliance;
scope, roles, and
responsibilities,
3. Are reported
2. Procedures in
to facilitate
management commitment,
Controls Matrix (rows reconstructed from the flattened spreadsheet). Each row gives: control number | section | subsection | control family; the agency requirement; the mapped NIST SP 800-53 control(s) and their text; and the applicability marks and priority exactly as extracted (x / xc, P0-P3).

1.310 | Information Security Program (Plan of Action) | 1.3 Policy Management | Procedure Implementation
Requirement: Each agency must implement mechanisms to help ensure that information security procedures will be available to the agency's personnel on a continuous basis and whenever required.
NIST mapping: PL-1 Security Planning Policy And Procedures
NIST control text: (1) The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
Applicability / priority: x x x / P1

1.311 | Information Security Program (Plan of Action) | 1.3 Policy Management | Procedure Implementation
Requirement: Each agency must require employees to review and acknowledge understanding of information security procedures prior to allowing access to sensitive data or information systems.
NIST mapping: PL-4 Rules Of Behavior
NIST control text: (1) The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
Applicability / priority: x x xc / P2

1.400 | Information Security Controls: Each agency must ensure that security and privacy controls are implemented in compliance with the state Information Security Program.
Applicability / priority: x x x / P1

1.401 | Information Security Program | 1.4 Information Security Controls Deployment | Controls Deployment
Requirement: Each agency must adopt a risk-based approach to prioritize deployment of controls.
NIST mapping: CA-2 Security Assessments
NIST control text: (1) The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
Applicability / priority: x x x / P2

1.402 | Information Security Program | 1.4 Information Security Controls Deployment | Controls Deployment
Requirement: Each agency must allocate the appropriate subject matter experts to the deployment of State and agency-specific information security controls.
NIST mapping: PM-3 Information Security Resources
NIST control text: (1) The organization: a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and c. Ensures that information security resources are available for expenditure as planned.
Applicability / priority: x x xc / P1

1.403 | Information Security Program | 1.4 Information Security Controls Deployment | Controls Deployment
Requirement: Each agency must approach independent external (third party) specialists to assist in the deployment of information security controls in cases where it is established that the required skills do not exist within the agency and are not available within any other state government agency.
NIST mapping: PM-15 Contacts With Security Groups And Associations
NIST control text: The organization establishes and institutionalizes contact with selected groups and associations within the security community: a. To facilitate ongoing security education and training for organizational personnel; b. To maintain currency with recommended security practices, techniques, and technologies; and c. To share current security-related information including threats, vulnerabilities, and incidents.
Applicability / priority: x x xc / P1

1.404 | Information Security Program | 1.4 Information Security Controls Deployment | Controls Deployment
Requirement: Each agency must ensure that controls which cannot be implemented due to the agency's resource or other constraints are reported as directed by the SC Division of Information Security or SC Enterprise Privacy Office.
NIST mapping: PM-2 Senior Information Security Officer
NIST control text: (1) The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Applicability / priority: x x xc / P1

1.405 | Information Security Program | 1.4 Information Security Controls Deployment | Controls Deployment
Requirement: Each agency must review each control with the stakeholders who will be impacted, to ensure that the control is enforceable and effective.
NIST mapping: (none given)
Applicability / priority: x x xc / P0

1.406 | Information Security Program | 1.4 Information Security Controls Deployment | Controls Deployment
Requirement: Each agency must develop and implement a communication plan to disseminate new controls or changes to existing controls.
NIST mapping: PL-1 Security Planning Policy And Procedures
NIST control text: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
Applicability / priority: x x x / P1

1.407 | Information Security Program | 1.4 Information Security Controls Deployment | Controls Deployment
Requirement: Each agency must periodically review information security controls, staging each full review cycle across no more than a 3-year period.
NIST mapping: PL-1 Security Planning Policy And Procedures
NIST control text: as at 1.406 (PL-1).
Applicability / priority: x x x / P1

2.100 | Access Management: Each agency must ensure the management of information systems and user accounts, to appropriately secure legitimate user and system access.
Applicability / priority: x x x / P1

2.101 | Information Security Policy / Access Control | 1.1 Access Management | Access Control Policy And Procedures
Requirement: Each agency must establish or update formal, documented procedures for secure and compliant management of information systems, user accounts, and networks.
NIST mapping: AC-1 Access Control Policy And Procedures
NIST control text: (1) The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2. Access control procedures [Assignment: organization-defined frequency].
Applicability / priority: x x x / P1

2.102 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must identify account types (e.g., individual, group, system, application, guest/anonymous, and temporary) and establish conditions for group membership.
NIST mapping: AC-2 Account Management
NIST control text: (1) The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors the use of information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
Applicability / priority: x x x / P1

2.103 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must identify authorized users of information systems and specify access rights.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1

2.104 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must establish a process to enforce access requests to be approved by a business or data owner (or delegate) prior to provisioning user accounts.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1

2.105 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must authorize and monitor the use of guest/anonymous and temporary accounts, and notify relevant personnel (e.g., account managers) when temporary accounts are no longer required.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1

2.106 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must establish a process to notify relevant personnel (e.g., account managers, system administrators) to remove or deactivate access rights when users are terminated, transferred, or access rights requirements change.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1

2.107 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency should remove, disable, or rename default user accounts. Where this is not possible, the agency should increase the required length or complexity of the password, or use additional factors for authentication.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1

2.108 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must ensure that rights granted to accounts are based on the principles of need-to-know, least privilege, and separation of duties. Access not explicitly permitted should be denied by default.
NIST mapping: AC-5 Separation Of Duties; AC-6 Least Privilege
NIST control text: (1) AC-5: The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. (2) AC-6: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Applicability / priority: x x / P1

2.109 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must ensure that access requests from users are recorded.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1

2.110 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must ensure that privileged accounts (e.g., system / network administrators having root level access, database administrators) are only provisioned after approval by an agency information security officer and/or similarly designated role. The approval must be granted to a limited number of individuals with the requisite skill, experience, business need, and documented reason based on role requirements.
NIST mapping: AC-2 Account Management; AC-6 Least Privilege; AC-6(1) Least Privilege | Authorize Access To Security Functions
NIST control text: (1) AC-2: as at 2.102. (2) AC-6: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Applicability / priority: x x x / P1

2.111 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must ensure that privileged accounts are controlled, monitored, and can be reported on a periodic basis.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1
2.112 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must implement processes to enforce periodic user access reviews, performed by information / data owners or their assigned delegates, to ensure the following: current access rights are consistent with current agency access provisioning criteria, and there are no unnecessary duplicate user identifiers. Privileged accounts must be reviewed at least as often as semiannually. Standard accounts must be reviewed at least as often as annually.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1
2.113 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must regulate information system access and define security requirements for contractors, vendors, and other service providers.
NIST mapping: AC-2 Account Management (text as at 2.102)
Applicability / priority: x x x / P1

2.114 | Information Security Policy / Access Control | 1.1 Access Management | Account Management
Requirement: Each agency must establish procedures to administer privileged user accounts in accordance with a role-based access model.
NIST mapping: AC-6(5) Least Privilege | Privileged Accounts
NIST control text: (1) The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
Applicability / priority: x x / P1

2.115 | Information Security Policy / Access Control | 1.1 Access Management | Access Enforcement
Requirement: Each agency must enforce approved authorizations for logical (e.g. cyber or electronic) access to information systems.
NIST mapping: AC-3 Access Enforcement
NIST control text: (1) The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Applicability / priority: x x x / P1

2.116 | Information Security Policy / Access Control | 1.1 Access Management | Access Enforcement
Requirement: Each agency must implement encryption of data in motion to protect remote connections.
NIST mapping: AC-17(2) Remote Access | Protection Of Confidentiality / Integrity Using Encryption
NIST control text: (1) The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Applicability / priority: x xc / P1

2.117 | Information Security Policy / Access Control | 1.1 Access Management | Information Flow Enforcement
Requirement: Each agency must enforce information flow controls for its systems, to allow large Restricted data flows to transfer only to approved destinations.
NIST mapping: AC-4 Information Flow Enforcement
NIST control text: (1) The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Applicability / priority: x x / P1

2.118 | Information Security Policy / Access Control | 1.1 Access Management | Separation Of Duties
Requirement: Each agency should implement controls in information systems to enforce separation of duties through assigned access authorizations, such as separation of security administration duties from security audit duties, administration duties for critical business systems separated among personnel, and separation of information system testing and production duties.
NIST mapping: AC-5 Separation Of Duties
NIST control text: (1) The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties.
Applicability / priority: x x / P1

2.119 | Information Security Policy / Access Control | 1.1 Access Management | Separation Of Duties
Requirement: Each agency should document and implement separation of duties through assigned information system access authorizations.
NIST mapping: AC-5 Separation Of Duties (text as at 2.118)
Applicability / priority: x x / P1

2.120 | Information Security Policy / Access Control | 1.1 Access Management | Least Privilege
Requirement: Each agency must ensure that only authorized individuals have access to agency data, and that such access is controlled and audited in accordance with the concepts of need-to-know, least privilege, and separation of duties.
NIST mapping: AC-6 Least Privilege
NIST control text: (1) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Applicability / priority: x x / P1

2.121 | Information Security Policy / Access Control | 1.1 Access Management | Least Privilege
Requirement: Each agency must implement processes or mechanisms to disable file system access not required for duties, restrict database management to authorized database administrators, and restrict access to removable device/media boot functions to system administrators.
NIST mapping: AC-6 Least Privilege; AC-6(1) Least Privilege | Authorize Access To Security Functions; AC-6(2) Least Privilege | Non-Privileged Access For Nonsecurity Functions
NIST control text: (1) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (2) The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information]. (3) The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles, when accessing nonsecurity functions.
Applicability / priority: x x / P1
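Controls 2.108, 2.114 and 2.118 together describe one access model: rights flow only from assigned roles (deny by default), privileged roles are assigned only through the information security officer's approval, and some pairs of duties may never land on one person (security administration vs. security audit, test vs. production). The code below is an added example of that model, not part of SCDIS-200; the roles, permissions and conflicting pairs are constructed for illustration and an agency would substitute its own.

```python
"""Role-based access with deny-by-default and separation of duties
(controls 2.108, 2.114, 2.118), added example with constructed roles."""


class AccessPolicyError(Exception):
    """Raised when a role assignment would violate the policy."""


# role -> permissions it grants.  A permission absent from every assigned
# role is denied; there is no allow-by-default path (2.108).
ROLES = {
    "hr_clerk":      {"hr:read"},
    "hr_manager":    {"hr:read", "hr:approve"},
    "sec_admin":     {"iam:create_user", "iam:grant_role", "firewall:change"},
    "sec_auditor":   {"audit:read", "audit:export"},
    "app_developer": {"test:deploy", "test:db_write"},
    "prod_operator": {"prod:deploy", "prod:restart"},
}

# Privileged roles need the ISO-level approval required by 2.110 / 2.114.
PRIVILEGED_ROLES = {"sec_admin", "prod_operator"}

# Role pairs one person may never hold at the same time (2.118 examples).
CONFLICTING = {
    frozenset({"sec_admin", "sec_auditor"}),        # security admin vs security audit
    frozenset({"app_developer", "prod_operator"}),  # test vs production duties
}


class AccessModel:
    def __init__(self):
        self._assignments = {}   # user -> set of role names

    def assignment_problem(self, user, role, approved_by_iso=False):
        """Return None if the assignment is allowed, otherwise the reason."""
        if role not in ROLES:
            return f"unknown role {role!r}"
        if role in PRIVILEGED_ROLES and not approved_by_iso:
            return f"{role!r} is privileged and requires ISO approval"
        for held in self._assignments.get(user, ()):
            if frozenset({held, role}) in CONFLICTING:
                return f"{role!r} conflicts with {held!r} (separation of duties)"
        return None

    def assign_role(self, user, role, approved_by_iso=False):
        problem = self.assignment_problem(user, role, approved_by_iso)
        if problem:
            raise AccessPolicyError(f"{user}: {problem}")
        self._assignments.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self._assignments.get(user, set()).discard(role)

    def is_permitted(self, user, permission):
        """Deny by default: true only if some assigned role grants it."""
        return any(permission in ROLES[r] for r in self._assignments.get(user, ()))

    def permissions(self, user):
        granted = set()
        for r in self._assignments.get(user, ()):
            granted |= ROLES[r]
        return granted


if __name__ == "__main__":
    m = AccessModel()
    m.assign_role("alice", "hr_clerk")
    m.assign_role("bob", "sec_admin", approved_by_iso=True)
    print("alice hr:read   ->", m.is_permitted("alice", "hr:read"))     # True
    print("alice hr:approve->", m.is_permitted("alice", "hr:approve"))  # False
    print("bob + sec_auditor ->", m.assignment_problem("bob", "sec_auditor"))
```

The check runs at assignment time rather than at access time: a conflicting combination is refused before it exists, which is what "access authorizations defined to support separation of duties" (AC-5 c) asks for, and a revocation of the first role lifts the conflict.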
2.122 | Information Security Policy / Access Control | 1.1 Access Management | Unsuccessful Login Attempts
Requirement: Each agency must ensure that its information systems enforce a limit of unsuccessful logon attempts during an agency-defined period. The number of logon attempts must be commensurate with the classification of data hosted, processed or transferred by the information system.
NIST mapping: AC-7 Unsuccessful Logon Attempts
NIST control text: (1) The information system: a. Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
Applicability / priority: x x xc / P2

2.123 | Information Security Policy / Access Control | 1.1 Access Management | Unsuccessful Login Attempts
Requirement: Each agency must automatically lock user accounts after the maximum number of logon attempts is reached, and must establish an account lock time period commensurate with the classification of data hosted, processed or transferred by the information system.
NIST mapping: AC-7 Unsuccessful Logon Attempts (text as at 2.122)
Applicability / priority: x x xc / P2
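2.122 and 2.123 leave three parameters to the agency: the attempt limit, the window in which attempts are counted, and what happens afterwards (a timed lock, a lock held until an administrator releases it, or a growing delay). The limiter below is an added example, not part of SCDIS-200 or any product; the per-classification thresholds in LOCKOUT_POLICY are assumptions showing how "commensurate with the classification of data" can be made concrete, and the credential table is constructed test data.

```python
"""Unsuccessful-logon limiter for controls 2.122 / 2.123 (NIST AC-7), added example."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Assumed policy per data classification:
#   (max consecutive failures, counting window in seconds, lock seconds)
# lock seconds None = locked until released by an administrator (AC-7 b, second option).
LOCKOUT_POLICY = {
    "public":     (10, 900, 300),
    "internal":   (5, 900, 900),
    "restricted": (3, 900, None),
}


@dataclass
class AccountState:
    failures: deque                       # timestamps of consecutive failures in the window
    locked_until: Optional[float] = None  # None = not locked; inf = needs admin release


class LogonLimiter:
    def __init__(self, classification, credentials):
        self.max_fail, self.window, self.lock_secs = LOCKOUT_POLICY[classification]
        self._creds = credentials   # user -> password; constructed data, a real system stores hashes
        self._state = {}

    def _state_of(self, user):
        return self._state.setdefault(user, AccountState(deque()))

    def is_locked(self, user, now):
        st = self._state_of(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:            # timed lock has expired
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked'.

        A locked account is refused even for the right password, so the lock
        cannot be used as an oracle.  Unknown users are counted like wrong
        passwords so the response does not reveal whether the account exists.
        """
        st = self._state_of(user)
        if self.is_locked(user, now):
            return "locked"
        if self._creds.get(user) == password:
            st.failures.clear()               # a success ends the consecutive run
            return "ok"
        while st.failures and now - st.failures[0] > self.window:
            st.failures.popleft()             # only failures inside the window count
        st.failures.append(now)
        if len(st.failures) >= self.max_fail:
            st.locked_until = float("inf") if self.lock_secs is None else now + self.lock_secs
            return "locked"
        return "denied"

    def admin_release(self, user):
        st = self._state_of(user)
        st.locked_until = None
        st.failures.clear()


def demo():
    """Five wrong passwords on an 'internal' system lock the account for 15 minutes."""
    lim = LogonLimiter("internal", {"alice": "correct horse"})
    results = [lim.attempt("alice", f"guess{i}", now=float(i)) for i in range(5)]
    results.append(lim.attempt("alice", "correct horse", now=6.0))        # still locked
    results.append(lim.attempt("alice", "correct horse", now=6.0 + 900))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
```

For the "restricted" tier the lock never expires on its own; admin_release is the "released by an administrator" path, and the reset of the failure counter there matters, because otherwise the next single failure would relock the account.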
2.124 | Information Security Policy / Access Control | 1.1 Access Management | System Use Notification
Requirement: Each agency system interface intended for non-public usage must display a warning before granting system access, addressing issues such as intended use of the system, applicable privacy disclosures, and other warnings as required for applicable regulatory or contractual obligations.
NIST mapping: AC-8 System Use Notification
NIST control text: (1) The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting [...]
Applicability / priority: x x xc / P1

2.125 | Information Security Policy / Access Control | 1.1 Access Management | Session Lock
Requirement: Each agency's systems should disconnect sessions or require reauthentication after thirty (30) minutes of inactivity.
NIST mapping: AC-11 Session Lock
NIST control text: (1) The information system: a. Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Applicability / priority: x x / P3

2.200 | Network Access Management: Each agency must ensure the management of networks to appropriately secure legitimate user and system access.
Applicability / priority: x x x / P1

2.201 | Information Security Policy / Access Control | 1.2 Network Access Management | Remote Access
Requirement: Each agency must document allowed methods for remote access to the network and information systems.
NIST mapping: AC-17 Remote Access
NIST control text: (1) The organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections.
Applicability / priority: x x xc / P1

2.202 | Information Security Policy / Access Control | 1.2 Network Access Management | Remote Access
Requirement: Each agency must utilize automated mechanisms to enable management to monitor and control remote connections into networks and information systems.
NIST mapping: AC-17(1) Remote Access | Automated Monitoring / Control
NIST control text: (1) The information system monitors and controls remote access methods.
Applicability / priority: x xc / P1

2.203 | Information Security Policy / Access Control | 1.2 Network Access Management | Remote Access
Requirement: Each agency must require Virtual Private Network (VPN) or equivalent encryption technology to establish remote connections into the agency's private networks.
NIST mapping: AC-17(2) Remote Access | Protection Of Confidentiality / Integrity Using Encryption
NIST control text: (1) The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Applicability / priority: x xc / P1

2.204 | Information Security Policy / Access Control | 1.2 Network Access Management | Remote Access
Requirement: Each agency must restrict remote access to its private networks and systems to the mechanisms and protocols approved by the agency.
NIST mapping: AC-17(3) Remote Access | Managed Access Control Points
NIST control text: (1) The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
Applicability / priority: x xc / P1

2.205 | Information Security Policy / Access Control | 1.2 Network Access Management | Remote Access
Requirement: Each agency must require two-factor authentication for remote connections by Virtual Private Network (VPN) or other such tunneling technologies.
NIST mapping: IA-2 Identification And Authentication (Organizational Users)
NIST control text: (1) The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Applicability / priority: x x x / P1

2.206 | Information Security Policy / Access Control | 1.2 Network Access Management | Remote Access
Requirement: Each agency must develop formal procedures for authorized individuals to access its information systems from external systems, [...]
NIST mapping: AC-17 Remote Access
NIST control text: (1) The organization: a. Establishes and [...]
such as access allowed from an alternate work site (if required). documents usage restrictions,
configuration/connection
x x xc P1
requirements, and
implementation guidance for
2.207 Information Security Policy 1.2 Network Access Wireless Access Each agency must establishes usage restrictions, configuration and AC-18 Wireless Access (1)
each Thetypeorganization:
of remote access
Access Control Management connection requirements, and implementation guidance for a. Establishes usage
wireless access.
allowed;
restrictions,
and
b. Authorizes remote access
x x xc P1
configuration/connection
to the information system prior
requirements,
to allowing such and connections.
2.208 Information Security Policy 1.2 Network Access Wireless Access Each agency must only use wireless networking technology that AC-18(1) Wireless Access | (1) The information
implementation systemfor
guidance
Access Control Management enforces user authentication for access to non-public networks. Authentication And protects wireless access to the
Encryption
wireless access; and
system using authentication of x x xc P1
b. Authorizes wireless
[Selection (one or more):
access to the information
2.209 Information Security Policy 1.2 Network Access Wireless Access Each agency must authorize wireless access to information systems AC-18 Wireless Access users;
(1) Thedevices]
system to and
organization:
prior allowingencryption.
such
Access Control Management prior to allowing use of wireless networks for access to non-public a. Establishes usage
connections.
networks. restrictions, x x xc P1
configuration/connection
2.210 Information Security Policy 1.2 Network Access Wireless Access Each agency prohibits wireless access points to be installed AC-18(4) requirements,
Wireless Access | Restrict (1) The organization and identifies
Access Control Management independently by users. Configurations By Users implementation
and explicitly authorizes guidanceusers for x x xc P1
wireless access;
allowed to independently and
2.211 Information Security Policy 1.2 Network Access Use of External Each agency requires that before agency data is processed or AC-20 Use Of External (1) b.
TheAuthorizes
configure organization
wireless wireless
establishes
networking
Access Control Management Information Systems stored on a third-party system, the system must be approved for AC-20(1) Information Systems accessand
terms to the
capabilities. information
conditions,
such use by data owners, considering such issues as the Use Of External system
consistent with any trustsuch
prior to allowing
classifications of data which may be used with the system, the Information Systems | connections. established with
relationships
permitted methods of connection to the system, and compliance of Limits On Authorized Use other organizations owning, x x xc P1
the system with state and agency policy. operating, and/or maintaining
external information systems,
allowing authorized individuals
2.212 Information Security Policy 1.2 Network Access Boundary Protection Each agency segregates systems intended for internal use from SC-7 Boundary Protection to:
(1) The information system:
Access Control Management systems intended for public use by means of separate physical or a.
a. Access
Monitors theand information
controls
logical networks. system from external
communications at the x x xc P1
information
external systems;
boundary of and
the
b. Process,
system at store, or transmit
2.213 Information Security Policy 1.2 Network Access Boundary Protection Each agency's networks and information systems must not be SC-7 Boundary Protection (1) The and information
organization-controlled
key internal
system:
Access Control Management accessible from pubic networks (e.g., Internet) except under boundaries
a. Monitors within the
andexternal system;
controls
information
b. Implements using subnetworks
secured and managed interfaces employing boundary protection communications
information systems. at the x x xc P1
devices. for publicly accessible
external boundary of the system
components
system atthat
keyare
(2) The and
[Selection: organization internal
permits
boundariesphysically;
authorized within thelogically]
individuals system;
to use
2.214 Information Security Policy 1.2 Network Access Boundary Protection Each agency must limit network access points to a minimum to SC-7(3) Boundary Protection | separated
(1) The
b. from
organization
Implements internallimits
subnetworks the
an external
organizational information
networks; system
and
Access Control Management enable effective monitoring of inbound and outbound Access Points number
for publicly
to access of external
accessible
the information network
system
communications and network traffic. c. Connects
connections
components
system or or to
thatto external
theare
to information
process, information
store, or
x xc P1
networks
system.
[Selection: physically; logically]
transmit
systems organization-
only through managed
separated
controlled from internal
information
interfaces
organizational consisting
networks; of only
and
2.300 Identity Management: Each agency must ensure that legitimate users of systems are when
boundary the organization:
protection devices
identified as appropriate to support security requirements. c.
(a)Connects
arranged Verifies
networks in
to external
the
oraccordance
information with x x x P1
implementation
an organizational of required
security
systems
security only
controlsthrough managed
on system
the
2.301 Information Security Policy 1.3 Identity Identification and Each agency must establish processes to enforce the use of unique IA-2 Identification And architecture.
(1) The information
interfaces consisting of
Access Control Management Authentication identifiers assigned to each member of agency personnel (User Authentication external system
uniquely identifies as specified
and in
boundary
the protection
organizations devices
information
IDs), including system users, technical support personnel, system (Organizational Users) authenticates
arranged in organizational
accordance with
operators, network administrators, system programmers, and security
users (orpolicy
processes and security
acting on x x x P1
an organizational
plan; orof organizational security
database administrators. behalf
architecture. users).
(b) Retains approved
information system connection
2.302 Information Security Policy 1.3 Identity Identification and Each agency must prevent reuse of a user ID until all logs, IA-4 Identifier Management or (1)processing
The organization agreements manages with
Access Control Management Authentication documents, or other records referencing the user ID have reached the organizational
information systementity identifiers
the end of their retention periods. hosting
by: the external x x x P1
information
a. Receiving system.
authorization
2.303 Information Security Policy 1.3 Identity Identification and Each agency must allow the use of group IDs only where these are AC-2 Account Management from
(1) The[Assignment:
organization:
Access Control Management Authentication necessary for business or operational reasons; group IDs must be organization-defined
a. Identifies and selects personnel
the
formally approved and documented. or roles] totypes
following assign of aninformation x x x P1
individual, group,
system accounts to support role, or
2.304 Information Security Policy 1.3 Identity Identification and Each agency must ensure that where the agency requires use of IA-2(5) Identification And device
(1) Theidentifier;
organizational
organization requires
Access Control Management Authentication group IDs, it requires users to be authenticated with a user ID prior b. Selecting
missions/business
Authentication | Group individuals to be anauthenticated
identifier
functions:
to, or simultaneous with, using the group ID. Authentication that identifies
[Assignment:
with an individual an individual,
organization- x x x P1
group, role,
defined information
authenticator or device;
when asystem group
c. Assigning
account
authenticator types]; isthe identifier to
employed.
theb.intended
Assigns accountindividual, group,
role, or device;
managers for information
d. Preventing
system accounts;reuse of
identifiers for [Assignment:
c. Establishes conditions for
organization-defined
group and role membership; time
period]; and authorized users
d. Specifies
e. Disabling
of the information the identifier
system,
2.305 Information Security Policy 1.3 Identity Identification and Each agency must minimize the use of system, application, or AC-6(1) Least Privilege | (1) The organization explicitly
Access Control Management Authentication service accounts; and must document, formally approve, and AC-6(3) Authorize Access To authorizes access to
designate a individual owner of each such account. Security Functions [Assignment: organization- x x P1
Least Privilege | defined security functions
Network Access To (deployed in hardware,
2.306 Information Security Policy 1.3 Identity Identification and Each agency must perform identification and authentication of any IA-8 Identification And
Privileged Commands
(1) The information system
software, and firmware)
Access Control Management Authentication user accessing any system intended for internal-only use, and Authentication (Non- uniquely identifies and and
security-relevant information].
record logs sufficient to identify each user's network address. Organizational Users) authenticates non-
organizational users (or
x x xc P1
(2) The organization authorizes
processes acting on behalf of
network access to users).
non-organizational
[Assignment: organization-
2.400 Authentication: Each agency must ensure that legitimate users of systems are defined privileged commands]
authenticated as appropriate to support security requirements. only for [Assignment: x x x P1
organization-defined
2.401 Information Security Policy 1.4 Authentication Authenticator Each agency must use multifactor authentication for remote user IA-2(4) Identification And (1) The information
compelling operational system needs]
Access Control Management authentication to non-public systems, such that one factor is IA-2(11) Authentication | Network implements
and documents multifactor
the rationale
generated by a device other than the device from which the user
connects.
Access To Privileged
Accounts
authentication
for such access for
access
plan fortothe privileged
in the
information
networksecurity
accounts.system
x x x P1
Identification And (2) The information system
Authentication | Network implements multifactor
2.402 Information Security Policy 1.4 Authentication Unsuccessful Logon Each agency must implement mechanisms to record successful and AC-7 Unsuccessful Logon
Access To Non-Privileged (1) The information
authentication system:
for network
Access Control Attempts failed authentication attempts. Attempts
Accounts a. Enforces
access a limit of
to non-privileged
x x xc P2
Identification And [Assignment:
accounts. organization-
Authentication | Local defined number] consecutive
(3) The information system
2.500 Emergency Access: Each agency must ensure that privileged accounts that are shared invalid
(e.g. administrator, root, system) are appropriately protected, and usage is accounted Access To Privileged implements multifactorby a
logon attempts
to individual users. Accounts user during a [Assignment:
authentication for local access
organization-defined time
x x x P1
Identification And to privileged accounts.
Authentication | Remote period]; and
(4) The information system
2.501 Information Security Policy 1.5 Emergency Access Account Management Each agency must establish processes and procedures for users to AC-2 Account Management (1) b.
TheAutomatically
organization:
Access - Separate Device implements multifactor [Selection:
Access Control obtain access to required information systems on an emergency locks the account/node
a. Identifies and selects forthe
an
basis.
authentication
[Assignment:
following types
access to privileged
for remote
organization-
of information
and non-
x x x P1
defined
system
privileged time
accounts period];
accounts locks
to support
such the
that
2.502 Information Security Policy 1.5 Emergency Access Account Management Each agency's emergency procedure must ensure that only AC-2 Account Management account/node
organizational
(1)
oneThe organization:
of the factorsuntilisreleased
providedby
Access Control identified and authorized personnel are allowed emergency access; AC-2(2) an
Account Management | by a. administrator;
missions/business
Identifies
a device delays
functions:
and selects
separate next
from the the
all emergency actions are documented in detail; emergency logon
systemprompt
Removal Of Temporary / [Assignment:
following types
gaining according
organization-
of information
access and tothe
accounts are removed, disabled, or resecured promptly upon Emergency Accounts [Assignment:
defined
system accounts organization-
information
device meets [Assignment: to system
support
conclusion of the emergency conditions; and emergency actions defined
account delay
organizationaltypes];
organization-defined algorithm]] strength x x x P1
are reported to management. when the maximum
b. Assigns
missions/business
of mechanism account number of
functions:
requirements].
unsuccessful
managers for attempts
information
[Assignment: organization- is
exceeded.
system
definedaccounts;
information system
c. Establishes
account types]; conditions for
group and role
b. Assigns membership;
account
2.600 Password Security: Each agency must ensure that passwords are difficult to guess, and d. Specifies authorized users
retained only by those persons who have legitimate need to access the associated managers for information
account.
of
system accounts; system,
the information x x x P1
group and role membership,
c. Establishes conditions for
and access
group and role authorizations
membership; (i.e.,
2.601 Information Security Policy 1.6 Password Policy Account Management Each agency must enforce the following password selection criteria IA-5_x000D_ Authenticator (1) The
privileges)
d. organization
Specifies othermanages
andauthorized attributes
users
Access Control by policy and where possible by technical means: IA-5(1) Management_x000D_ (as
information
required) system
for
of the information system, each account;
Users must change personal user account passwords at least as Authenticator authenticators
e. Requires
group by:_x000D_
and roleapprovals
membership, by
frequently as every 180 days. Management | Password- and
[Assignment:
a.access
Verifying, organization-
as part of the
authorizations (i.e.,
Privileged user account passwords must be changed at least as Based Authentication initial
defined authenticator
privileges) personnel
and other or attributes
roles] for
frequently as every 60 days. requests
distribution,
(as required) to create
the
for identity
eachinformation of the
account;
System account passwords must be changed at least as frequently individual,
system group,
accounts;
e. Requires role, orby
approvals
as every 180 days. device
f. Creates,
receiving enables,
[Assignment: organization- the modifies,
Each password must be at least 8 characters in length, and be authenticator;_x000D_
disables,personnel
defined and removes or roles] for
composed of at least one uppercase letter, at least one lowercase information
b. Establishing
requests system
to create initial
accounts in
information
letter, and at least one digit or punctuation character. accordance
authenticator withcontent[Assignment:
for
Passwords must be encrypted when stored or transmitted.
system accounts;
organization-defined
authenticators defined
f. Creates, enables, modifies, by the x x x P1
For Federal Tax Information (FTI): Change/refresh passwords procedures
organization;_x000D_
or
disables, and removes conditions];
every 90 days at a minimum for a standard user account, every 60 g. Ensuring
c. Monitors
information that
systemthe use of
accounts in
days at a minimum for privileged users._x000D_ information with
authenticators
accordance systemhave accounts;
sufficient
[Assignment:
strength
h. Notifies
of mechanism
organization-defined account for
managers:
their intended
procedures use;_x000D_
or conditions];
d.
g. 1.
Establishing
When accounts
Monitors theand use of are no
longer required;
implementing
information administrative
system accounts;
procedures
h. 2. When
Notifies foraccount
users
initialare
terminated
authenticator
managers: or distribution,
transferred; and for
lost/compromised
3. When
1. When accountsindividualor damagedare no
2.602 Information Security Policy 1.6 Password Policy Account Management Each agency must prohibit its users from sharing their personal IA-5 Authenticator information
authenticators,
(1) Therequired;
longer system
organization and usagefor
manages or
Access Control account passwords with others. Management need-to-know
revoking
information
2. Whensystem changes;
users are x x x P1
authenticators;_x000D_
i. Authorizes
authenticators
terminated access to the
by:
or transferred; and
2.603 Information Security Policy 1.6 Password Policy Account Management Each agency must ensure that shared account passwords must be IA-5 Authenticator (1) The
information
e.
a. organization
Changing
Verifying,
3. When systemdefault
as part
individual manages
based content
of on:
the
Access Control changed immediately upon termination, resignation, or Management information
of authenticators
initial 1. A validsystem
authenticator access prior to
reassignment of any person with knowledge of the password.
information system usage or
authenticators
authorization;
information
distribution,
need-to-know system
the by: identity of the
changes;
x x x P1
a. Verifying,
installation;_x000D_
2.
individual, Intended
i. Authorizes group, as part
role, of
system
access the
orusage;
to the
initial
and f.
device authenticator
Establishing
informationreceivingsystem minimum
the based on: and
distribution,
maximum 3. Other
authenticator; the
lifetime identity
attributes
1. A valid access restrictions
asof the
individual,
required
and b.reuse group,
byconditions
Establishing
authorization; role,for
the organization
initial or or
device 2. receiving
associated
authenticators;_x000D_
authenticator the
missions/business
Intended contentsystem forusage;
authenticator;
functions;
g. Changing/refreshing
authenticators
and defined by the
b. Establishing
authenticators
j. Reviews accounts initialfor
[Assignment:
2.604 Information Security Policy 1.6 Password Policy Account Management Each agency must prohibit its users from using common words or IA-5 Authenticator (1) The organization manages
Access Control personal information as passwords (e.g., username, social security Management information system
number, childrens names, pets names, hobbies, anniversary dates,
etc.).
authenticators by:
a. Verifying, as part of the
x x x P1
initial authenticator
distribution, the identity of the
2.605 Information Security Policy 1.6 Password Policy Account Management Each agency must suspend user accounts after a specified number AC-2(3) Account Management | (1) The information
individual, group, role, systemor
Access Control of days of inactivity. Disable Inactive Accounts automatically
device receiving disables
the inactive x x P1
accounts
authenticator; after [Assignment:
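The criteria in 2.601 (composition and rotation intervals, including the tighter FTI intervals), 2.604 (no username or personal information) and 2.605 (inactivity suspension) as an added compliance check. This is example code written for this page, not part of SCDIS-200 or any state tool; the account records, the 45-day inactivity limit and the `Account` record layout are constructed placeholders, since 2.605 leaves the day count to the agency.

```python
"""Added example (not part of SCDIS-200 or any state tool): evaluate account records
against 2.601 (composition, rotation intervals, tighter FTI intervals), 2.604
(no username or personal information) and 2.605 (inactive-account suspension;
SCDIS gives no day count, so it is a parameter here)."""
from dataclasses import dataclass, field
from datetime import date
import string

MAX_AGE_DAYS = {"user": 180, "privileged": 60, "system": 180}  # 2.601 maximum age by account class
FTI_MAX_AGE_DAYS = {"user": 90, "privileged": 60}              # 2.601 intervals where FTI is handled
PUNCTUATION = set(string.punctuation)


@dataclass
class Account:
    username: str
    account_class: str                  # "user", "privileged" or "system"
    password_changed: date              # date the current password was set
    last_login: date
    handles_fti: bool = False           # account touches Federal Tax Information
    personal_terms: list = field(default_factory=list)  # names, dates etc. known about the user (2.604)


def composition_findings(password: str) -> list:
    """2.601: at least 8 characters, one uppercase, one lowercase, one digit or punctuation."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isdigit() or c in PUNCTUATION for c in password):
        findings.append("no digit or punctuation character")
    return findings


def personal_info_findings(password: str, username: str, personal_terms) -> list:
    """2.604: reject passwords built from the username or known personal details."""
    lowered = password.lower()
    findings = []
    if username and username.lower() in lowered:
        findings.append("contains the username")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:   # 1-2 letter terms would match anything
            findings.append(f"contains personal term {term!r}")
    return findings


def max_password_age(account_class: str, handles_fti: bool) -> int:
    """Most restrictive 2.601 interval that applies to the account."""
    limit = MAX_AGE_DAYS[account_class]
    if handles_fti and account_class in FTI_MAX_AGE_DAYS:
        limit = min(limit, FTI_MAX_AGE_DAYS[account_class])
    return limit


def evaluate(acct: Account, today: date, inactivity_days: int, new_password: str = None) -> list:
    """Findings for one account (empty list means compliant).

    Stored passwords are hashed (2.601 requires protection at rest), so the
    composition and personal-information checks can only run on a password at
    the moment it is being set; rotation and inactivity use the account dates."""
    findings = []
    age = (today - acct.password_changed).days
    limit = max_password_age(acct.account_class, acct.handles_fti)
    if age > limit:
        findings.append(f"password is {age} days old, limit {limit} (2.601)")
    idle = (today - acct.last_login).days
    if idle > inactivity_days:
        findings.append(f"inactive for {idle} days, suspend after {inactivity_days} (2.605)")
    if new_password is not None:
        findings += [f + " (2.601)" for f in composition_findings(new_password)]
        findings += [f + " (2.604)" for f in
                     personal_info_findings(new_password, acct.username, acct.personal_terms)]
    return findings


def sample_report(inactivity_days: int = 45) -> dict:
    """Run the checks over constructed sample records as of 2016-07-01.

    The 45-day inactivity limit is a placeholder for the agency-chosen value."""
    today = date(2016, 7, 1)
    accounts = [
        Account("jsmith", "user", date(2016, 1, 1), date(2016, 6, 28), personal_terms=["Rover"]),
        Account("fti-clerk", "user", date(2016, 4, 1), date(2016, 6, 30), handles_fti=True),
        Account("svc-backup", "system", date(2016, 2, 1), date(2016, 3, 1)),
    ]
    report = {a.username: evaluate(a, today, inactivity_days) for a in accounts}
    # jsmith is also choosing a new password that embeds the username and has no uppercase letter
    report["jsmith:new-password"] = evaluate(accounts[0], today, inactivity_days, "jsmith2015!")
    return report


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(name, "->", findings or "compliant")
```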
2.606 | Information Security Policy 1.6 Access Control | Password Policy | Account Management
Requirement: Each agency must implement a process to change passwords immediately if there is reason to believe a password has been compromised or disclosed to someone other than an authorized user.
Reference: IA-5 Authenticator Management. (1) The organization manages information system authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; b. Establishing initial authenticator content for authenticators defined by the organization; c. Ensuring that authenticators have sufficient strength of mechanism for their intended use; d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e. Changing default content of authenticators prior to information system installation; f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h. Protecting authenticator content from unauthorized disclosure and modification; i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and j. Changing authenticators for group/role accounts when membership to those accounts changes.
Marks: x x x   Priority: P1

2.700 Password Administration: Each agency must ensure that processes and agreements are in place to support password security.
Marks: x x x   Priority: P1

2.701 | Information Security Policy 1.7 Access Control | Password Administration | Access Agreements
Requirement: Each agency must require its users of non-public systems to sign an acknowledgement of their understanding of authentication policies prior to allowing access to non-public agency networks or systems, including the agency's policies on password selection and confidentiality.
Reference: PS-6 Access Agreements. (1) The organization: a. Develops and documents access agreements for organizational information systems; b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access to organizational information and information systems: 1. Sign appropriate access agreements prior to being granted access; and 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
Marks: x x x   Priority: P3

2.702 | Information Security Policy 1.7 Access Control | Password Administration | Identification and Authentication
Requirement: Each agency must establish a process to verify the identity of a user prior to providing a new, replacement, or temporary password.
Reference: IA-5 Authenticator Management (control text as given under 2.606).
Marks: x x x   Priority: P1

2.703 | Information Security Policy 1.7 Access Control | Password Administration | Identification and Authentication
Requirement: Each agency must establish a process to uniquely identify and authenticate non-agency users of internal-use agency systems.
Reference: IA-8 Identification And Authentication (Non-Organizational Users). (1) The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Marks: x x xc   Priority: P1

2.704 | Information Security Policy 1.7 Access Control | Password Administration | Identification and Authentication
Requirement: Each agency must establish procedures to manage new or removed privileged account passwords.
Reference: IA-5 Authenticator Management (control text as given under 2.606); IA-5(1) Authenticator Management | Password-Based Authentication. (2) The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only cryptographically-protected passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Marks: x x x   Priority: P1

2.705 | Information Security Policy 1.7 Access Control | Password Administration | Authenticator Management
Requirement: Each agency must require that passwords administratively set on behalf of a user (e.g. new password, password reset) be set to a unique value per user and changed by the user at first use.
Reference: IA-5(1) Authenticator Management | Password-Based Authentication (control text as given under 2.704).
Marks: x x x   Priority: P1

2.706 | Information Security Policy 1.7 Access Control | Password Administration | Authenticator Management
Requirement: Each agency must communicate temporary passwords to users in a secure manner.
Reference: IA-5 Authenticator Management (control text as given under 2.606); IA-5(1) Authenticator Management | Password-Based Authentication (control text as given under 2.704).
Marks: x x x   Priority: P1

2.707 | Information Security Policy 1.7 Access Control | Password Administration | Authenticator Feedback
Requirement: Each agency must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Reference: IA-6 Authenticator Feedback. (1) The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Marks: x x x   Priority: P2

3.100 Audit and Compliance: Each agency must ensure that its security and privacy policies, procedures, and controls are current and effective.
Marks: x x x   Priority: P1

3.101 | Information Security Policy 1.1 Audit and IT Compliance | Compliance Requirements | Compliance with legal and contractual requirements
Requirement: Each agency must identify and document its obligations to applicable State, federal and other third party laws and regulations in relation to information security.
Marks: x x xc   Priority: P0

3.102 | Information Security Policy 1.1 Audit and IT Compliance | Compliance Requirements | Compliance with security policies and standards
Requirement: Each agency must periodically review or audit its users' and systems' compliance with security policies, standards, and procedures, and initiate corrective actions where necessary.
Reference: AU-2 Audit Events. (1) The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security ...
Marks: x x x   Priority: P1

3.103 | Information Security Policy 1.1 Audit and IT Compliance | Compliance Requirements | Compliance with security policies and standards
Requirement: Each agency must document and report findings from compliance reviews or audits to agency leadership.
Reference: AU-6 Audit Review, Analysis, And Reporting. (1) The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
Marks: x x x   Priority: P1

3.104 | Information Security Policy 1.1 Audit and IT Compliance | Compliance Requirements | Audit and Accountability Policy and Procedures
Requirement: Each agency must establish formal, documented audit and accountability procedures.
Reference: AU-1 Audit And Accountability Policy And Procedures. (1) The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational ...
Marks: x x x   Priority: P1

3.105 | Information Security Policy 1.1 Audit and IT Compliance | Compliance Requirements | Audit and Accountability Policy and Procedures
Requirement: Each agency must implement a process to periodically review and update the audit and accountability procedures.
Reference: AU-1 Audit And Accountability Policy And Procedures (control text as given under 3.104).
Marks: x x x   Priority: P1
Protecting entities, and
authenticator
incidents;
for group/role
management and accounts
commitment, when
compliance;
content from and
unauthorized
d. Determines
membership
coordination to
among that accounts
those the
disclosure2. Procedures
and modification;to facilitate
3.200 Information System Audits: Each agency must ensure that its procedures and controls for information systems are current and appropriately designed.
Applicability: x x x   Priority: P1

3.201 Information systems audit controls
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must conduct audit procedures in a way that minimizes the risk of disruption of operational systems and business processes.
NIST SP 800-53 reference: AU-2 Audit Events
NIST control text: (1) The organization: a. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
Applicability: x x x   Priority: P1

3.202 Protection of information systems audit tools
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must implement security controls to help prevent unauthorized access to, and abuse of, audit tools.
NIST SP 800-53 reference: AU-9 Protection Of Audit Information
NIST control text: (1) The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Applicability: x x xc   Priority: P1

3.203 Audit Events
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must determine the types of events that are to be audited within information systems, such as authentication success, authentication failure, user connections, system connections, system updates, privileged user actions, record accesses, record updates, system errors, application starts, application stops, and system debugging operations.
NIST SP 800-53 reference: AU-2 Audit Events
NIST control text: as quoted under 3.201 (AU-2).
Applicability: x x x   Priority: P1

3.204 Audit Events
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must review and update the list of audited events annually.
NIST SP 800-53 reference: AU-2 Audit Events
NIST control text: as quoted under 3.201 (AU-2).
Applicability: x x x   Priority: P1

3.205 Audit Events
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must ensure that leadership coordinates the audit functions, information security functions, and business functions to facilitate the identification of auditable events.
NIST SP 800-53 reference: AU-2 Audit Events
NIST control text: as quoted under 3.201 (AU-2).
Applicability: x x x   Priority: P1

3.206 Content of Audit Records
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must ensure its information systems are enabled to generate audit records containing details to help establish what type of event occurred, when and where the event occurred, the source and outcome of the event, and the identity of any individuals or subjects associated with the event.
NIST SP 800-53 reference: AU-3 Content Of Audit Records
NIST control text: (1) The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Applicability: x x x   Priority: P1
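As an added illustration (not part of SCDIS-200 or of NIST SP 800-53), the following Python script checks a set of constructed JSON-lines audit records against the audited event types listed in 3.203 and the record elements required by 3.206 / AU-3. The JSON field names and the event-type labels are assumptions made for this example; an agency's own log format will differ, but the check is the same: every record must carry what, when, where, source, outcome and who, and must belong to the agency's approved list of audited event types.

```python
"""AU-3 / 3.206 audit-record content check (added example, not from SCDIS-200)."""
import json
from datetime import datetime

# Elements that 3.206 / AU-3 require in every audit record, mapped to the
# JSON field names of this assumed, illustrative log format.
REQUIRED = {
    "what":    "event_type",   # type of event
    "when":    "timestamp",    # when the event occurred (ISO 8601 assumed)
    "where":   "host",         # where the event occurred
    "source":  "src_ip",       # source of the event
    "outcome": "outcome",      # success / failure
    "who":     "subject",      # identity of the user or subject
}

# Event types the agency decided to audit per 3.203 (labels are assumptions).
AUDITED_EVENT_TYPES = {
    "auth_success", "auth_failure", "user_connect", "system_connect",
    "system_update", "privileged_action", "record_access", "record_update",
    "system_error", "app_start", "app_stop", "debug_op",
}


def missing_elements(record: dict) -> list:
    """Return the AU-3 elements that are absent or empty in one parsed record."""
    missing = [elem for elem, field in REQUIRED.items()
               if record.get(field) in (None, "")]
    # A timestamp that does not parse does not establish "when".
    ts = record.get("timestamp")
    if ts and "when" not in missing:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            missing.append("when")
    return missing


def check_log(lines) -> tuple:
    """Parse JSON-lines audit records and return (compliant_count, findings).

    findings is a list of (line_no, problem) covering records that cannot be
    parsed, are not an audited event type (3.203), or lack AU-3 elements (3.206).
    """
    findings, compliant = [], 0
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable record"))
            continue
        if rec.get("event_type") not in AUDITED_EVENT_TYPES:
            findings.append((n, "event type not in audited set: %r" % rec.get("event_type")))
            continue
        gaps = missing_elements(rec)
        if gaps:
            findings.append((n, "missing AU-3 elements: " + ", ".join(gaps)))
        else:
            compliant += 1
    return compliant, findings


# Constructed sample records for the example; not real agency data.
SAMPLE_LOG = """\
{"timestamp": "2016-07-01T08:00:00Z", "host": "app01", "event_type": "auth_success", "subject": "jdoe", "src_ip": "10.1.2.3", "outcome": "success"}
{"timestamp": "2016-07-01T08:00:05Z", "host": "app01", "event_type": "auth_failure", "subject": "jdoe", "src_ip": "10.1.2.3", "outcome": "failure"}
{"timestamp": "2016-07-01T08:01:00Z", "host": "db01", "event_type": "privileged_action", "src_ip": "10.1.2.9", "outcome": "success"}
{"timestamp": "not-a-time", "host": "db01", "event_type": "record_update", "subject": "svc_batch", "src_ip": "10.1.2.9", "outcome": "success"}
{"timestamp": "2016-07-01T08:02:00Z", "host": "app01", "event_type": "heartbeat", "subject": "system", "src_ip": "127.0.0.1", "outcome": "success"}
this is not json
"""

if __name__ == "__main__":
    ok, problems = check_log(SAMPLE_LOG.splitlines())
    print("%d compliant records" % ok)
    for line_no, problem in problems:
        print("line %d: %s" % (line_no, problem))
```

Run against the constructed sample, the privileged action on line 3 is flagged for a missing subject (no "who"), line 4 for an unusable timestamp, line 5 because "heartbeat" is not on the audited-events list, and line 6 because it is not a parseable record; the first two lines pass. The same check, pointed at real exports, is a cheap way to evidence 3.206 during the reviews required by 3.102.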
3.207 Audit Records Review and Reporting
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must analyze information system audit records periodically.
NIST SP 800-53 reference: AU-6 Audit Review, Analysis, And Reporting
NIST control text: (1) The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Reports findings to [Assignment: organization-defined personnel or roles].
Applicability: x x x   Priority: P1

3.208 Audit Records Review and Reporting
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must report findings of audit record reviews to information security personnel and agency leadership.
NIST SP 800-53 reference: AU-6 Audit Review, Analysis, And Reporting
NIST control text: as quoted under 3.207 (AU-6).
Applicability: x x x   Priority: P1

3.209 Audit Records Review and Reporting
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must perform correlation and analysis of information generated by security assessments and monitoring.
NIST SP 800-53 reference: AU-6 Audit Review, Analysis, And Reporting
NIST control text: as quoted under 3.207 (AU-6).
Applicability: x x x   Priority: P1

3.210 Audit Storage Capacity
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must allocate sufficient audit storage capacity to ensure compliance with audit log retention requirements.
NIST SP 800-53 reference: AU-4 Audit Storage Capacity
NIST control text: (1) The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
Applicability: x x x   Priority: P1

3.211 Audit Storage Capacity
Policy area: Information Security Policy / IT Compliance, section 1.2 Information System Audit Considerations
Requirement: Each agency must implement provisions for information systems to off-load audit records at regular intervals onto a different system or media than the system being audited.
NIST SP 800-53 reference: AU-4 Audit Storage Capacity
NIST control text: as quoted under 3.210 (AU-4).
Applicability: x x x   Priority: P1
3.300 Information Security Monitoring: Each agency must ensure that its security controls for information systems are effective.
Applicability: x x x   Priority: P2

3.301 Continuous Monitoring
Policy area: Information Security Policy / IT Compliance, section 1.3 Information Security Continuous Monitoring
Requirement: Each agency must ensure security controls are monitored on an ongoing basis.
NIST SP 800-53 reference: CA-2 Security Assessments
NIST control text: (1) The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
Applicability: x x x   Priority: P2

3.302 Continuous Monitoring
Policy area: Information Security Policy / IT Compliance, section 1.3 Information Security Continuous Monitoring
Requirement: Each agency's security control assessment function must be independent from operational or business functions, or performed by hired third parties.
NIST SP 800-53 reference: CA-2(1) Security Assessments | Independent Assessors
NIST control text: (1) The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.
Applicability: x x   Priority: P2

3.303 Plan of Action and Milestones
Policy area: Information Security Policy / IT Compliance, section 1.3 Information Security Continuous Monitoring
Requirement: Each agency must develop a plan of action and milestones to document planned remedial actions to correct deficiencies identified as a result of risk assessments, security reviews, or audits.
NIST SP 800-53 reference: CA-5 Plan Of Action And Milestones
NIST control text: (1) The organization: a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Applicability: x x xc   Priority: P3

3.304 Plan of Action and Milestones
Policy area: Information Security Policy / IT Compliance, section 1.3 Information Security Continuous Monitoring
Requirement: Each agency must update its plan of action and milestones at least yearly, and also based on the findings from continuous security monitoring activities.
NIST SP 800-53 reference: CA-5 Plan Of Action And Milestones
NIST control text: as quoted under 3.303 (CA-5).
Applicability: x x xc   Priority: P3
4.100 Risk Management: Each agency must establish its strategy for risk management.
Applicability: x x x   Priority: P1

4.101 Risk Management Strategy
Policy area: Information Security Policy / Risk Management, section 1.1 Risk Management
Requirement: Each agency must define a schedule for an ongoing risk assessment and risk mitigation process.
NIST SP 800-53 reference: PM-9 Risk Management Strategy
NIST control text: (1) The organization: a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; b. Implements the risk management strategy consistently across the organization; and c. Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.
Applicability: x x xc   Priority: P1

4.102 Risk Management Strategy
Policy area: Information Security Policy / Risk Management, section 1.1 Risk Management
Requirement: Each agency must review and evaluate risk based on the system categorization level and/or data classification of its systems.
NIST SP 800-53 reference: RA-2 Security Categorization
NIST control text: The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
Applicability: x x x   Priority: P1

4.200 Risk Assessment: Each agency must conduct its risk assessment processes in alignment with its risk management strategy.
Applicability: x x x   Priority: P1

4.201 Risk Assessment
Policy area: Information Security Policy / Risk Management, section 1.2 Risk Assessment
Requirement: Each agency must establish a risk assessment framework based on applicable State and federal laws, regulations, and industry standards (e.g. NIST 800-30). This assessment framework must clearly define accountability, roles, and responsibilities.
NIST SP 800-53 reference: RA-3 Risk Assessment
NIST control text: (1) The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
Applicability: x x x   Priority: P1

4.202 Security Assessment
Policy area: Information Security Policy / Risk Management, section 1.2 Risk Assessment
Requirement: Each agency must periodically conduct a formal assessment of its information security and privacy processes and controls to determine the appropriateness of the design and implementation of controls, and the extent to which the controls are operating as intended and producing the desired outcome (e.g. NIST 800-115, NIST 800-53A).
NIST SP 800-53 reference: CA-2 Security Assessments
NIST control text: (1) The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
Applicability: x x x   Priority: P2

4.203 Security Assessment
Policy area: Information Security Policy / Risk Management, section 1.2 Risk Assessment
Requirement: Each agency must ensure that risk assessments identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the agency.
NIST SP 800-53 references: RA-1 Risk Assessment Policy And Procedures; RA-3 Risk Assessment
NIST control text: (1) The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-defined frequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency]. (2) RA-3 as quoted under 4.201.
Applicability: x x x   Priority: P1

4.204 Plan of Action and Milestones
Policy area: Information Security Policy / Risk Management, section 1.2 Risk Assessment
Requirement: Each agency must develop and periodically update a Plan of Action & Milestones (POAM) document that must identify any deficiencies related to internal security controls. The POAM must identify planned, implemented, and evaluated remedial actions to correct deficiencies noted during assessments.
NIST SP 800-53 reference: CA-5 Plan Of Action And Milestones
NIST control text: (1) The organization: a. Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Applicability: x x xc   Priority: P3

4.205 Security Authorization
Policy area: Information Security Policy / Risk Management, section 1.2 Risk Assessment
Requirement: Each agency must establish a process and assign a senior-level executive or manager to determine whether or not risks can be accepted; for each of the risks identified following the risk assessment, the designated personnel within the agency must make a decision regarding risk treatment.
NIST SP 800-53 references: RA-3 Risk Assessment; CA-6 Security Authorization
NIST control text: (1) RA-3 as quoted under 4.201. (2) The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].
Applicability: x x x   Priority: P1

4.300 Risk Mitigation: Each agency must mitigate its risks in alignment with its risk management strategy.
Applicability: x x x   Priority: P2

4.301 Continuous Monitoring
Policy area: Information Security Policy / Risk Management, section 1.3 Risk Mitigation
Requirement: Each agency must establish and implement controls to ensure risks are reduced to an acceptable level based on security requirements, once threats have been identified and decisions for the management of risks have been made.
NIST SP 800-53 reference: CA-6 Security Authorization
NIST control text: (1) The organization: a. Assigns a senior-level executive or manager as the authorizing official for the information system; b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c. Updates the security authorization [Assignment: organization-defined frequency].
Applicability: x x x   Priority: P2

4.302 Continuous Monitoring
Policy area: Information Security Policy / Risk Management, section 1.3 Risk Mitigation
Requirement: Each agency must determine and document the acceptable level of risk for various threats based on the business requirements and the potential impact of the risk to the agency.
NIST SP 800-53 reference: CA-6 Security Authorization
NIST control text: as quoted under 4.301 (CA-6).
Applicability: x x x   Priority: P2
5.100 Physical Access: Each agency must ensure that information systems and media are appropriately protected against unauthorized physical access.
Applicability: x x x   Priority: P1

5.101 Physical and Environmental Protection Policy and Procedures
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must establish formal, documented procedures to facilitate the implementation of physical and environmental protection controls.
NIST SP 800-53 reference: PE-1 Physical And Environmental Protection Policy And Procedures
NIST control text (cut off in the source at this point): (1) The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the physical and environmental protection policy and [...]
Applicability: x x x   Priority: P1

5.102 Physical and Environmental Protection Policy and Procedures
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must establish procedures to review and keep current the physical and environmental protection procedures.
NIST SP 800-53 reference: PE-1 Physical And Environmental Protection Policy And Procedures
NIST control text: as quoted under 5.101 (PE-1).
Applicability: x x x   Priority: P1

5.103 Physical Access Authorizations
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must develop, approve, and maintain a list of personnel with authorized access to the facility where information systems are physically located.
NIST SP 800-53 reference: PE-2 Physical Access Authorizations
NIST control text: (1) The organization: a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; b. Issues authorization credentials for facility access; c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and d. Removes individuals from the facility access list when access is no longer required.
Applicability: x x x   Priority: P1

5.104 Physical Access Authorizations
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must establish a process to review, approve, and issue credentials for facility access.
NIST SP 800-53 reference: PE-2 Physical Access Authorizations
NIST control text: as quoted under 5.103 (PE-2).
Applicability: x x x   Priority: P1

5.105 Physical Access Authorizations
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must remove individuals from the facility access list when access is no longer required.
NIST SP 800-53 reference: PE-2 Physical Access Authorizations
NIST control text: as quoted under 5.103 (PE-2).
Applicability: x x x   Priority: P1

5.106 Physical Access Control
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must ensure that facilities housing systems containing sensitive data are protected against unauthorized physical access (e.g. keycards, keys, security guards).
NIST SP 800-53 reference: PE-3 Physical Access Control
NIST control text (cut off in the source after item f): (1) The organization: a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by; 1. Verifying individual access authorizations before granting access to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys, combinations, and other physical access devices; f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; [...]
Applicability: x x   Priority: P1

5.107 Physical Access Control
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must maintain physical access audit logs for facilities housing systems containing sensitive data.
NIST SP 800-53 reference: PE-3 Physical Access Control
NIST control text: as quoted under 5.106 (PE-3).
Applicability: x x   Priority: P1

5.108 Physical Access Control
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must maintain, 24 hours per day, 7 days per week, guards and/or alarms to monitor physical access points to facilities housing systems containing sensitive data.
NIST SP 800-53 reference: PE-3(3) Physical Access Control | Continuous Guards / Alarms / Monitoring
NIST control text: (1) The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
Applicability: x x   Priority: P1

5.109 Physical Access Control
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must perform security assessments on an annual basis at the physical boundary of facilities housing sensitive data, to determine the risk of unauthorized exfiltration of information or removal of information system components.
NIST SP 800-53 reference: PE-3(2) Physical Access Control | Facility / Information System Boundaries
NIST control text: (1) The organization performs security checks [Assignment: organization-defined frequency] at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
Applicability: x x   Priority: P1

5.110 Physical Access Control
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must establish a process to escort visitors and monitor their activity within facilities housing systems containing sensitive data.
NIST SP 800-53 reference: PE-3 Physical Access Control
NIST control text: as quoted under 5.106 (PE-3).
Applicability: x x   Priority: P1

5.111 Physical Access Control
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must change combinations and keys at defined intervals, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
NIST SP 800-53 reference: PE-3 Physical Access Control
NIST control text: as quoted under 5.106 (PE-3).
Applicability: x x x   Priority: P1

5.112 Access Control for Transmission Medium
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must control physical access to information system distribution and transmission lines within the data center(s) using physical access control devices (e.g. keycards or keys).
NIST SP 800-53 reference: PE-4 Access Control For Transmission Medium
NIST control text: (1) The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].
Applicability: x x   Priority: P1

5.113 Access Control for Output Devices
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must place output devices (e.g. printers, fax machines, copiers) in secured areas and in locations that can be monitored by authorized personnel, and allow access to authorized individuals only.
NIST SP 800-53 reference: PE-5(1) Access Control For Output Devices | Access To Output By Authorized Individuals
NIST control text: (1) The organization: (a) Controls physical access to output from [Assignment: organization-defined output devices]; and (b) Ensures that only authorized individuals receive output from the device.
Applicability: x x   Priority: P2

5.114 Monitoring Physical Access
Policy area: Information Security Policy / Physical & Environmental Security, section 1.1 Physical Access and Security
Requirement: Each agency must review physical access logs at a defined frequency and upon occurrence of security incidents.
NIST SP 800-53 reference: PE-6 Monitoring Physical Access
NIST control text (cut off in the source at this point): (1) The organization: a. Monitors physical access to the facility where the information system resides [...]
security
and
x x P1
Security to the
f. facility
safeguards]
Inventories
organization-defined to where
control the access
[Assignment:
entry/exit
5.115 Information Security Policy 1.1 Physical Access and Visitor Access Records Each agency must ensure that visitor access records to facilities PE-8 Visitor Access Records to
(1) g.
areas
TheChanges
information within
organization:
organization-defined combinations
system resides
the facility
physical to
points];
and keys [Assignment:
Physical & Environmental Security housing systems containing sensitive information, are retained for a detect
officially
a.
access
c. and
Maintains
devices]
Provides respond
designated everyto
visitor
[Assignment: physical
asaccess
publicly
Security minimum of 1 year. organization-defined
security
accessible;
records
[Assignment: incidents;
to theorganization-
organization-defined facility security
where x x P3
frequency]
b. Reviews
d.information
Escorts and/or
physical when keys
access
the
defined
safeguards]
areg.[Assignment:
lost, tovisitors
frequency];
combinations
system
control and
and resides
access
are
logs
to [Assignment:
monitors
forareasChanges visitor
withinor organization-
activity
organization-
combinations
theindividuals
facility
5.116 Information Security Policy 1.1 Physical Access and Delivery and Removal Each agency must establish processes to authorize, monitor, and PE-16 Delivery And Removal (1) The organization
compromised, frequency]
authorizes,
and upon
Physical & Environmental Security control sensitive information systems and media entering and [Assignment:
defined
and keystime
officially
monitors, organization-
andperiod];
[Assignment:
designatedcontrols asandpublicly
Security exiting facilities.
are b.transferred
occurrence
defined
accessible;
[Assignment: circumstances
Reviews
organization-defined or terminated.
of visitor
[Assignment:
access
organization- x xc P2
organization-defined
requiring
records
frequency] visitor
[Assignment:
d. Escorts
defined types and/or escorts
visitors events
andand
when
of information keysor
potential
monitoring];
are indications
organization-defined
lost,components]
monitors combinations
visitor activityofare
system entering
events];
ande.exiting
compromised,
[Assignment: andthe
Secures
frequency]. keys,
or individuals
organization-
facility and
5.200 Environmental Security: Each agency must ensure that information systems and media * Controls marked "x*" in this section are required, unless arec.transferred
Coordinates
combinations, orresults
and other
terminated. of
are appropriately protected against environmental hazards, in alignment with the agency performs a Business Impact Analysis (BIA) to defined
maintains circumstances
records of those
reviews and
physical access
requiring investigations
escorts andwith
visitordevices;
business continuity risk management strategy. estimate the impact of short term, long term, or permanent items.
the f.organizational
Inventories
monitoring]; incident
[Assignment:
loss of the relevant asset or function, and determines based response capability.
organization-defined keys, physical
on the BIA that the control is not needed.
e. Secures
access devices]and every x* x* xc* P1
combinations, other
[Assignment:
physical access organization-
devices;
defined frequency];
f. Inventories and
[Assignment:
g. Changes combinations
organization-defined physical
and
access keys [Assignment:
Thedevices] everyprotects
5.201 Information Security Policy 1.2 Environmental Power Equipment and Each agency must place power equipment and cabling in safe PE-9 Power Equipment And (1) organization
organization-defined
Physical & Environmental Security Cabling locations to prevent environmental and/or man-made damage and Cabling [Assignment: organization-
power equipment and power
Security destruction. frequency]
defined
cabling for and/or
frequency];
the when
and keys
information x* x* xc* P1
areg.lost,
system combinations
Changes
from combinations
damage are
and
compromised,
and keys [Assignment:
destruction. or individuals
are transferred or terminated.
organization-defined
frequency] and/or when keys
are lost, combinations are
compromised, or individuals
are transferred or terminated.
5.202 Information Security Policy 1.2 Environmental Emergency Shutoff Each agency must make available the capability of shutting off PE-10 Emergency Shutoff (1) The organization:
Physical & Environmental Security power to data system facilities during an incident. a. Provides the capability of x* x* xc* P1
Security shutting off power to the
5.203 Information Security Policy 1.2 Environmental Emergency Shutoff Each agency must place emergency shutoff switches or devices at PE-10 Emergency Shutoff (1) The organization:
information system or
Physical & Environmental Security locations which can be safely and easily accessed by personnel a. Provides
individual systemthe components
capability of
Security during an incident. shutting
in emergency off power to the
situations; x* x* xc* P1
information system
b. Places emergency or shutoff
5.204 Information Security Policy 1.2 Environmental Emergency Shutoff Each agency must implement physical and logical controls to PE-10 Emergency Shutoff individual
switches
(1) system
or devices in
The organization: components
Physical & Environmental Security protect emergency power shutoff capability from unauthorized in emergency
[Assignment: situations;
a. Providesorganization-
the capability of
Security activation. b. Places
defined
shutting emergency
location
off power byto theshutoff x* x* xc* P1
switches or devices
information system or in system
[Assignment:
component]
individual organization-
to facilitate
system safe a
components
5.205 Information Security Policy 1.2 Environmental Data Center Emergency Each agency must implement uninterruptible power supply to PE-11(1) Emergency Power | Long- (1) The organization
defined
and easy location
access by
for
provides
personnel;
Physical & Environmental Security Power facilitate transition to long-term alternate power in the event of a Term Alternate Power in emergency
long-term situations;
alternate power
Security primary power source loss. Supply - Minimal
information
and b. Places
supply for the
system
emergency or system
shutoff x* x* xc* P1
component]
c. Protects toinformation
facilitate
in ofsafe
Operational Capability switches
system
and easy that is emergency
or devices
access capable
for personnel;
power shutoff
[Assignment:
maintaining capability
organization-
minimally from
required
5.206 Information Security Policy 1.2 Environmental Data Center Fire Each agency must install and maintain fire detection and PE-13 Fire Protection (1)
and The organization
unauthorized
defined location by employs
activation.
Physical & Environmental Security Protection suppression devices that are supported by an independent power operational
and c. maintains
Protects capability
fire in the
suppression
emergency
Security source.
information
event
and of system orloss
an extended
detection
system
of x* x* xc* P1
power
component]
the
shutoff
primary todevices/systems
capability
powerfacilitate
source.
from
safe
for the information
unauthorized
and easy access for system
activation. that
personnel;
5.207 Information Security Policy 1.2 Environmental Data Center Fire Each agency must employ fire detection devices/ system that PE-13(2) Fire Protection | are
(1) supported
andThe by an employs
organization
Physical & Environmental Security Protection activate automatically and notify emergency personnel and defined Suppression Devices / independent
firec.suppression energy
Protects emergency source.
Security emergency responder(s) in the event of a fire. Systems devices/systems
power shutoff capability for the from x* x* xc* P1
information
unauthorizedsystem that
activation.
5.208 Information Security Policy 1.2 Environmental Data Center Fire Each agency must employ an automatic fire suppression system if PE-13(3) Fire Protection | provide
(1) automatic notification
The organization employs
Physical & Environmental Security Protection the data system facility is not staffed on a continuous basis. Automatic Fire of any
an activation
automatic fireto suppression
Security Suppression [Assignment:
capability organization-
for the information x* x* xc* P1
defined
system when personnel or roles]
the facility and
is not
[Assignment:
staffed
The on organization-
a continuous basis.
5.209 Information Security Policy 1.2 Environmental Data Center Temperature Each agency must employ automatic temperature and humidity PE-14(1) Temperature And (1)
defined
organization
emergency
employs
Physical & Environmental Security and Humidity Controls controls in the data system facilities to prevent fluctuations Humidity Controls | automatic temperature and
Security potentially harmful to processing equipment. Automatic Controls responders].
humidity controls in the facility x* x* xc* P1
to prevent fluctuations
5.210 Information Security Policy 1.2 Environmental Data Center Temperature Each agency must employ temperature and humidity monitoring PE-14(2) Temperature And potentially harmful to
(1) The organization the
employs
Physical & Environmental Security and Humidity Controls that provides an alarm or notification of changes potentially Humidity Controls | information
temperaturesystem. and humidity
Security harmful to personnel or equipment. Monitoring With Alarms / monitoring that provides an x* x* xc* P1
Notifications alarm or notification of
5.211 Information Security Policy 1.2 Environmental Data Center Water Each agency must protect processing equipment from damage PE-15 changes
Water Damage Protection (1) potentially harmful
The organization protectsto
Physical & Environmental Security Damage Protection resulting from water leakage. personnel
the informationor equipment.
system from x* x* xc* P1
Security damage resulting from water
leakage by providing master
5.300 Disposal of Equipment and Media: Each agency must ensure that information systems shutoff or isolation valves that
and media are appropriately disposed, to ensure the confidentiality of sensitive data. are accessible, working x x x P1
properly, and known to key
personnel.
5.301 Information Security Policy 1.3 Disposal of Media Sanitization Each agency must define and implement mechanisms for disposal MP-6 Media Sanitization (1) The organization: required for
Physical & Environmental Equipment of digital media and data storage devices. a. Sanitizes [Assignment: Internal x x P1
Security organization-defined
5.302 Information Security Policy 1.3 Disposal of Media Sanitization Each agency must employ sanitization mechanisms with the MP-6 Media Sanitization (1) The organization:
information system media]
Physical & Environmental Equipment strength and integrity commensurate with classification of data to a. Sanitizes [Assignment: required for
Security be sanitized.
prior to disposal,
organization-defined
organizational control, or
release out of
Internal x x P1
information
release for reuse system media]
using
5.303 Information Security Policy 1.3 Disposal of Media Sanitization Each agency must establish processes for cleansing and disposal of MP-6 Media Sanitization prior to organization:
[Assignment:
(1) The disposal, release out of
organization-
Physical & Environmental Equipment computers, hard drives, and fax/printer/scanner devices. organizational
defined control,
sanitization
a. Sanitizes or
techniques
[Assignment: required for
Security release for reuse in
and procedures]
organization-defined using
accordance Internal x x P1
[Assignment:
with applicable
information organization-
systemfederal and
media]
defined
prior sanitization
organizational standards
to organization
disposal, techniques
release and
out of
5.304 Information Security Policy 1.3 Disposal of Media Sanitization Each agency must implement controls to track and verify MP-6(1) Media Sanitization | (1) The
and procedures] reviews,
in accordance
Physical & Environmental Equipment sanitization of devices prior to disposal. Review / Approve / policies;
organizational
approves,
withb.verifies
release
and
Employs
tracks,
applicable
for reuse
control, or
documents,
federal
sanitization
using and x P1
Security Track / Document / Verify and
organizational media sanitization
standards and
mechanisms
[Assignment:
and disposal with the strength
organization-
6.100 Human Resource Compliance: Each agency must ensure that human resource policies;
and integrity
defined and actions.
commensurate
sanitization techniques
processes appropriately support security and privacy processes and controls related to with
and b.procedures]
Employs
the securitysanitization
category
in accordanceor
personnel.
mechanisms
classification
with applicable with thethe strength
of federal and x x x P1
and integrity commensurate
information. standards and
organizational
with the and
policies; security category or
6.101 Information Security Policy 1.1 Human Resource Personnel Security Policy Each agency must define security roles and responsibilities of PS-1 Personnel Security Policy (1) The
b. organization:
classification
Employs ofsanitization
the
Human Resource (HR) Compliance and Procedures employees, contractors, and third party personnel, and must And Procedures a. Develops,
information. with
mechanisms documents,
the strength
and Security Awareness document these in accordance with the organizations information
security procedures.
and disseminates
and integrity commensurate
[Assignment:
to
organization-
x x x P1
with the security category or
defined personnel
classification of theor roles]:
1. A personnel security
information.
policy that addresses purpose,
scope, roles, responsibilities,
management commitment,
coordination among
organizational entities, and
compliance; and
2. Procedures to facilitate
the implementation of the
personnel security policy and
associated personnel security
6.102 Information Security Policy 1.1 Human Resource Personnel Screening Each agency must ensure background verification checks on PS-3 Personnel Screening (1) The organization:
Human Resource (HR) Compliance candidates for employment, including contractors, and third party a. Screens individuals prior
and Security Awareness users. These checks must be aligned with the nature and sensitivity to authorizing access to the
of data and systems the personnel will have access to, and must be information system; and
carried out in accordance with applicable laws. b. Rescreens individuals x x x P1
according to [Assignment:
organization-defined
conditions requiring
6.103 Information Security Policy 1.1 Human Resource Personnel Termination Each agency must ensure that upon termination or transfer of PS-4 Personnel Termination rescreening and, where
(1) The organization, upon
Human Resource (HR) Compliance employment for employees, termination of engagement for non- PS-5 Personnel Transfer rescreening
termination is ofso indicated, the
individual
and Security Awareness employees, personnel must return to the agency all agency physical frequency
employment: of such
documents (and all copies thereof) and other agency property and rescreening].
a. Disables information
materials in their possession or control, and must certify the secure
erasure or destruction of any agency electronic information.
system access within
[Assignment: organization-
x x x P1
defined time period];
b. Terminates/revokes any
authenticators/credentials
associated with the individual;
6.104 Information Security Policy 1.1 Human Resource Access Agreements Each agency must ensure that employees, contractors, and third PS-6 Access Agreements (1) c.The organization:
Conducts exit interviews
Human Resource (HR) Compliance party users must agree and sign an acceptable use policy, which thata.include
Develops and documents
a discussion of
and Security Awareness must state responsibilities for information security. access
[Assignment:agreements for
organization- x x x P3
organizational
defined information information security
systems;
topics];
b.
d. Reviews
Retrievesand updates the
all security-
access
relatedagreements
organizational
6.200 Security Awareness Training: Each agency must ensure that all personnel receive [Assignment: organization-
training designed to improve their awareness of basic security and privacy issues. information system-related
defined
property;frequency]; and
x x x P1
c. Ensures
e. Retains access that individuals
to
6.201 Information Security Policy 1.2 Security Awareness Security Awareness Each agency must require employees, contractors, and third party PS-1 Personnel Security (1) The organization:
requiring
organizational access to
information and
Human Resource (HR) Training Training users to apply security in accordance with established policies and PS-7 Policy And Procedures a. Develops,information
organizational documents,and
information systems formerly
and Security Awareness procedures of the organization, where such personnel have Third-Party Personnel and disseminates
information
controlled bysystems: to
terminated
responsibilities for agency information, systems, media, or facilities Security [Assignment:
1. Signand
individual;
organization-
appropriate access x x x P1
housing such items. defined
agreements personnel
f. Notifies prior toorbeing
[Assignment: roles]:
granted 1. Aaccess;
personnel and security
organization-defined personnel
policy
or roles]2.that addresses
Re-sign
within access
[Assignment:purpose,
6.202 Information Security Policy 1.2 Security Awareness Role-Based Security Each agency must ensure employees, contractors, and third party AT-3 Role-Based Security scope,
agreements roles, responsibilities,
to maintain
(1) The organization provides access
organization-defined time
Human Resource (HR) Training Training users receive security and privacy awareness training, and regular Training management
to organizational
role-based
period]. commitment,
security information
training to
and Security Awareness updates about organizational policies and procedures, as relevant
for their job function.
coordination
systems when
personnel
organizational
agreements
security
withamong
roleshave
access
and
assigned
entities,
been and
x x x P1
(2) The organization:
compliance;
updated and
or [Assignment:
responsibilities:
a. Reviews and confirms
ongoing 2. Procedures
Beforeoperationaltoincludes
organization-defined
a. authorizing facilitate
need access
for
6.203 Information Security Policy 1.2 Security Awareness Role-Based Security Each agency must ensure that training is accompanied by an AT-3(3) Security Training | (1)the
the The organization
implementation
frequency].
to of theor
Human Resource (HR) Training Training assessment test, in order to determine comprehension of key cyber Practical Exercises currentinformation
practical logical
exercises andin system
physical
security
and Security Awareness security concepts.
personnel
performing security
assigned
access authorizations
training
associated that reinforceby
personnel
policy
duties;
to and
training
security
x x x P1
b. When
information required
systems/facilities
objectives.
controls;
information andsystem changes;
6.204 Information Security Policy 1.2 Security Awareness Role-Based Security Each agency must require that each user of agency information AT-3 Role-Based Security when
(1) The individuals
organization are provides
and b. Reviews and updates the
Human Resource (HR) Training Training receives some minimum level of awareness training prior to Training reassigned
role-based or transferred
security training to to
current:
c. [Assignment:
and Security Awareness granting access to agency information. other
personnel positions within
with assigned
1. Personnel
organization-defined security
the x x x P1
organization;
security roles
policy [Assignment: and
frequency]
b. Initiates thereafter.
[Assignment:
6.205 Information Security Policy 1.2 Security Awareness Testing, Training, and Each agency must appoint a cyber-security awareness training PS-2 Position Risk Designation responsibilities:
organization-defined
The organization:
organization-defined
a. Assigns
Before and
frequency]; authorizing transfer
access
Human Resource (HR) Training Monitoring coordinator to manage training content, schedules, and user a. a risk designation
and Security Awareness training completion status.
or
to
reassignment
to all
the 2.information actions]
Personnel security
organizational system
positions;or x x x P1
within
performing
procedures [Assignment:
assigned
[Assignment: duties;
b. Establishes
organization-defined screeningtime
b. When
organization-defined
criteria required
for individuals by filling
6.206 Information Security Policy 1.2 Security Awareness Testing, Training, and Each agency must ensure that its cyber security training PM-14 Testing, Training, And (1) The following
period
information
organization:
system thechanges;
formal
frequency].
those positions;
Human Resource (HR) Training Monitoring coordinator, along with the agency information security liaison, Monitoring action]; and
a. Implements
transfer
and
a process for
c. Reviews and updates
and Security Awareness reviews training content on an annual basis to ensure that it aligns
with all relevant compliance requirements.
ensuring
(2) c.The
position
plans
that organizational
c.[Assignment:
Modifies
fororganization:
risk
access
designations
conducting security
x x x P1
authorization
organization-defined as needed to
a. Establishes
[Assignment:
testing, training, personnel
organization-
correspond
frequency]
security with and
thereafter.
requirements any changes
defined
monitoring
in operationalfrequency].
activities
need due to
including
associated security
with roles and
organizational
7.100 Mobile Security: Each agency must ensure that all handheld computing devices and reassignment
responsibilities orfortransfer;
third-party and
information
d. Notifiessystems:[Assignment:
portable storage devices used by agency personnel for agency data are appropriately providers;
secured.
1. Are developed
organization-defined
b. Requires
maintained; and third-party
and
personnel x x x P1
or roles] within [Assignment:
providers to comply
2. Continue to be withexecuted
organization-defined
personnel security time
7.101 Information Security Policy 1.1 Mobile Security Device Identification Each agency only allows portable storage devices to be used for MP-7 Media Use | Prohibit Use in
(1)aThetimely
period]. manner;policies
organization prohibits and
Mobile Security agency data when these devices are assigned and identified to an Without Owner procedures
theb.use Reviews established
of portabletesting, by the
training,
storage
individual owner. organization;
and
devices monitoring plans for
in organizational x x xc P1
c. Documents
consistency
information with
systems personnel
the when
security
organizational
such requirements;
devices risk noprohibits
have
7.102 Information Security Policy 1.1 Mobile Security Device Identification Each agency only allows the use of portable storage devices that MP-7 Media Use | Prohibit Use (1) d.
The organization
Requires
management third-party
strategy and
Mobile Security allow secure erasure or destruction, for use with non-public agency Of Sanitization-Resistant identifiable
the use ofto owner.
sanitization-resistant
data. Media
providers
organization-wide
media
notifypriorities for
in organizational
[Assignment: organization-
x x xc P1
risk response
information actions.
systems.
defined personnel or roles] of
any personnel transfers or
terminations of third-party
personnel who possess
organizational credentials
and/or badges, or who have
information system privileges
within [Assignment:
7.103 Information Security Policy 1.1 Mobile Security Device Identification Each agency only allows the use of handheld computing devices MP-7 Media Use (1) The organization [Selection:
Mobile Security that have the ability to be remotely wiped / erased, for use with restricts; prohibits] the use of required for
non-public agency data. [Assignment: organization- Internal x xc P1
defined types of information
7.104 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must develop usage restrictions, configuration AC-19 Access Control For system
(1) The media]
organization:on [Assignment:
Mobile Security Devices requirements, connection requirements, and implementation Mobile Devices organization-defined
a. Establishes usage
information systems or system
guidance for organization-controlled handheld computing devices. restrictions,
components] using
requirements,
configuration
connection
x x xc P1
[Assignment:
requirements, and organization-
defined security guidance
implementation safeguards]. for
7.105 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must develop a list of approved handheld computing AC-19(4) Access Control For (1) The organization: mobile
organization-controlled
Mobile Security Devices device platforms, and ensure that only approved devices are Mobile Devices | (a) Prohibits
devices; and the use of
required for
allowed to access the agencys non-public networks and
information systems.
Restrictions For Classified
Information
unclassified
b. Authorizes
facilities
mobile
containing
thedevices in
Internal x xc P1
connection of mobile devices
information
to organizational systems information
processing,
systems. storing, or
7.106 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must develop and apply adequate asset management AC-19 Access Control For (1) The organization:
transmitting classified
Mobile Security Devices procedures to all agency-issued handheld computing devices. Mobile Devices a. Establishes usage
information
restrictions,
unless
permitted byconfiguration
specifically
the authorizing
x x xc P1
requirements,
official; and connection
7.107 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must ensure that handheld computing devices used to AC-19(5) Access Control For requirements,
(1) (b)
TheEnforces
organization and
the following
employs
Mobile Security Devices access non-public agency data are configured with encryption of Mobile Devices | Full implementation
restrictionsfull-device
[Selection: guidance for
on individuals required for
data at rest. Device / Container-Based organization-controlled
permitted bycontainer
encryption; the authorizing mobile Internal x xc P1
Encryption devices;
official toand
encryption] usetounclassified
protect the
b.
mobile Authorizes the
7.108 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must implement controls to ensure the installation of AC-19 Access Control For (1) The devices
confidentiality
connection organization:
of
in facilities
and integrity of
Mobile Security Devices standardized operating system, applications, and patches on Mobile Devices containing
information
a. Establishes onmobile
information devices
[Assignment:
usage systems
agency-issued handheld computing devices.
to organizational
processing, storing,
organization-defined
restrictions,
information
configurationormobile x x xc P1
systems.
transmitting
devices]. classified
requirements, connection
information:
requirements, and
7.109 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must ensure that non-public agency information is MP-6 Media Sanitization (1) The
(1)organization:
Connection of
Mobile Security Devices securely erased from any handheld computing device used to implementation
a. Sanitizes guidance
[Assignment: for
unclassified mobile
organization-controlled devices to
mobile required for
access such data, before the device is disposed or transferred to
another person.
organization-defined
classified
information
information
devices; andsystem media] systems Internal x x P1
is prohibited;
b. Authorizes the
prior to disposal,
(2) Connection release out of
ofdevices
connection
organizational of mobile
control, or to
7.110 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must deploy administrative and technical controls to unclassified
to organizational mobile devices
information
release for reuse
unclassified using
information
Mobile Security Devices mitigate risks associated with lost or stolen handheld computing systems.
devices.
[Assignment:
systems requires
defined
organization-
sanitization
approval from
techniques
x x xc P1
the authorizing official;
and procedures]
(3) Use of internal in accordance
or
7.111 Information Security Policy 1.1 Mobile Security Access Control for Mobile Each agency must ensure for agency-issued handheld computing AC-19 Access Control For with
(1) applicable
The
external organization:
modems federal and
or wireless
Mobile Security Devices devices, where feasible, the testing of vendor recommended Mobile Devices organizational
a. Establishes
interfaces within standards
usage
the and
patches, hot-fixes, or service packs before such changes are policies;
restrictions,
unclassified andmobile
configuration
devices is
approved for installation; and a process to keep system hardware, b. Employs
requirements, sanitization
connection
operating system, and applications up-to-date with the approved
prohibited; and
mechanisms
requirements, with
(4) Unclassified andthemobilestrength x x xc P1
system updates. and integrity
implementation
devices and the commensurate
guidance for
information
with theonsecurity
organization-controlled
stored those devicescategory areor
mobile
classification
devices;
subject toand randomof thereviews and
information.
b. Authorizes
inspections the
by [Assignment:
7.112 | Policy: Information Security Policy (Mobile Security) | Section: 1.1 Mobile Security | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure that each agency-issued handheld computing device is configured so that only approved services and software are enabled and/or installed.
NIST 800-53 mapping: AC-20(2) Use Of External Information Systems | Portable Storage Devices
NIST 800-53 text: The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
Matrix flags / priority: x xc P1

7.113 | Policy: Information Security Policy (Mobile Security) | Section: 1.1 Mobile Security | Control: Access Control for Mobile Devices
Requirement: Each agency must protect all handheld computing devices with password or Personal Identification Number (PIN).
NIST 800-53 mapping: (none listed)
Matrix flags / priority: x x xc P1

7.114 | Policy: Information Security Policy (Mobile Security) | Section: 1.1 Mobile Security | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure all handheld computing devices have timeout/locking features.
NIST 800-53 mapping: (none listed)
Matrix flags / priority: x x xc P1

7.115 | Policy: Information Security Policy (Mobile Security) | Section: 1.1 Mobile Security | Control: Access Control for Mobile Devices
Requirement: Each agency must develop controls for the protection of data storage on handheld computing devices, including their removable media.
NIST 800-53 mapping: AC-20 Use Of External Information Systems; AC-20(1) Use Of External Information Systems | Limits On Authorized Use
NIST 800-53 text: (1) The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: a. Access the information system from external information systems; and b. Process, store, or transmit organization-controlled information using external information systems. (2) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-...
Matrix flags / priority: x x xc P1

7.116 | Policy: Information Security Policy (Mobile Security) | Section: 1.1 Mobile Security | Control: Access Control for Mobile Devices
Requirement: Each agency must protect the storage and transmission of information on agency-issued portable storage and handheld computing devices by scanning the devices for malicious code. If a portable storage or handheld computing device is used for transitional storage of sensitive data (e.g., copying data between systems), the data must be securely deleted from the device immediately upon completion.
NIST 800-53 mapping: AC-19 Access Control For Mobile Devices; MP-6 Media Sanitization; MP-6(3) Media Sanitization | Nondestructive Techniques
NIST 800-53 text: (1) The organization: a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devices to organizational information systems. (2) The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or ...
Matrix flags / priority: x x P1

7.117 | Policy: Information Security Policy (Mobile Security) | Section: 1.1 Mobile Security | Control: Access Control for Mobile Devices
Requirement: Each agency must develop a process for users to notify designated personnel when a device is lost or stolen. The process must include remote wiping / erasing of handheld computing devices.
NIST 800-53 mapping: (none listed)
Matrix flags / priority: x x xc P1

7.118 | Policy: Information Security Policy (Mobile Security) | Section: 1.1 Mobile Security | Control: Access Agreements
Requirement: Each agency must ensure that the physical security of each portable storage or handheld computing device is the responsibility of the person to whom the device has been assigned. Each device must be kept in the assigned person's physical presence whenever possible. Whenever a device is being stored, it must be stored in a secure place, preferably out of sight.
NIST 800-53 mapping: MP-4 Media Storage
NIST 800-53 text: (1) The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Matrix flags / priority: x x x P1

7.200 Removable Media Security: Each agency must ensure that all removable media used by agency personnel for agency data are appropriately secured.
Matrix flags / priority: x x x P1

7.201 | Policy: Information Security Policy (Mobile Security) | Section: 1.2 Removable Media Security | Control: Media Protection Policy and Procedures
Requirement: Each agency must protect information system media until the media is destroyed or sanitized using approved processes.
NIST 800-53 mapping: MP-4 Media Storage
NIST 800-53 text: (1) The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Matrix flags / priority: x x x P1

7.202 | Policy: Information Security Policy (Mobile Security) | Section: 1.2 Removable Media Security | Control: Media Storage
Requirement: Each agency must physically control and securely store digital (e.g., CD, flash drives) and non-digital (e.g., paper) media within secured locations, when such media contains non-public information.
NIST 800-53 mapping: MP-4 Media Storage
NIST 800-53 text: (1) The organization: a. Physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
Matrix flags / priority: x x x P1

7.203 | Policy: Information Security Policy (Mobile Security) | Section: 1.2 Removable Media Security | Control: Media Transport
Requirement: Each agency must employ encryption mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas.
NIST 800-53 mapping: MP-5(4) Media Transport | Cryptographic Protection
NIST 800-53 text: (1) The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Matrix flags / priority: x x P1

7.204 | Policy: Information Security Policy (Mobile Security) | Section: 1.2 Removable Media Security | Control: Media Transport
Requirement: Each agency must ensure accountability for removable media during transport outside of controlled areas.
NIST 800-53 mapping: MP-5(3) Media Transport | Custodians
NIST 800-53 text: (1) The organization employs an identified custodian during transport of information system media outside of controlled areas.
Matrix flags / priority: x x P1

7.205 | Policy: Information Security Policy (Mobile Security) | Section: 1.2 Removable Media Security | Control: Media Sanitization
Requirement: Each agency must ensure that removable media are securely erased or destroyed, and that paper media are securely destroyed, prior to disposal, for any such media containing non-public information.
NIST 800-53 mapping: MP-6 Media Sanitization
NIST 800-53 text: (1) The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Matrix flags / priority: x x x P1

7.300 Portable Computing Device Security: Each agency must ensure that all portable computing devices such as laptops used by agency personnel for agency data are appropriately secured.
Matrix flags / priority: x x x P1

7.301 | Policy: Information Security Policy (Mobile Security) | Section: 1.3 Portable Computing Devices | Control: Access Control for Mobile Devices
Requirement: Each agency must employ encryption at rest to protect the confidentiality of information stored on portable computing devices such as laptops.
NIST 800-53 mapping: SC-28 Protection Of Information At Rest; SC-28(1) Protection Of Information At Rest | Cryptographic Protection
NIST 800-53 text: (1) The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest]. (2) The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
Matrix flags / priority: x xc P1

7.302 | Policy: Information Security Policy (Mobile Security) | Section: 1.3 Portable Computing Devices | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure that each portable computing device is configured so that only approved services and software are enabled and/or installed.
NIST 800-53 mapping: CM-7(5) Least Functionality | Authorized Software / Whitelisting
NIST 800-53 text: (1) The organization: (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
Matrix flags / priority: x xc P1

7.303 | Policy: Information Security Policy (Mobile Security) | Section: 1.3 Portable Computing Devices | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure that each portable computing device is covered by a configuration management process that includes flaw remediation, such as installing most current stable security patches, critical security updates, and hot fixes.
NIST 800-53 mapping: CM-2 Baseline Configuration
NIST 800-53 text: (1) The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Matrix flags / priority: x x xc P1

7.304 | Policy: Information Security Policy (Mobile Security) | Section: 1.3 Portable Computing Devices | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure automatic update of virus definition files on portable computing devices.
NIST 800-53 mapping: SI-2(5) Flaw Remediation | Automatic Software / Firmware Updates
NIST 800-53 text: (1) The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
Matrix flags / priority: x x xc P1

7.305 | Policy: Information Security Policy (Mobile Security) | Section: 1.3 Portable Computing Devices | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure a firewall is configured on each portable computing device, and prohibit users from making firewall configuration changes.
NIST 800-53 mapping: SC-7 Boundary Protection; AC-3(5) Access Enforcement | Security-Relevant Information
NIST 800-53 text: (1) The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed ...
Matrix flags / priority: x x x P1

7.306 | Policy: Information Security Policy (Mobile Security) | Section: 1.3 Portable Computing Devices | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure asset tags are placed on portable computing devices.
NIST 800-53 mapping: CM-8 Information System Component Inventory
NIST 800-53 text: (1) The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of ...
Matrix flags / priority: x x x P1

7.307 | Policy: Information Security Policy (Mobile Security) | Section: 1.3 Portable Computing Devices | Control: Access Control for Mobile Devices
Requirement: Each agency must ensure peer-to-peer (ad-hoc) wireless connections on all portable computing devices are disabled.
NIST 800-53 mapping: CM-7(1) Least Functionality | Periodic Review
NIST 800-53 text: (1) The organization: (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecurity functions, ports, protocols, and services; and ...
Matrix flags / priority: x x P1

8.100 Asset Identification: Each agency must ensure that all of its information assets, including agency-specific applications, datastores, computing platforms, and network platforms are inventoried and classified according to data sensitivity and other compliance requirements.
Matrix flags / priority: x x x P1

8.101 | Policy: Information Security Policy - Asset Management | Section: 1.1 Asset Identification | Control: Information System Component Inventory
Requirement: Each agency must document and maintain inventories of the important assets associated with each information system. Asset inventories must include a unique system name, a system/business owner, a data classification, and a description of the location of the asset. Examples of assets associated with information systems are:
Information assets: databases and data files, system documentation, user manuals, training material, operational procedures, disaster recovery plans, archived information.
Software assets: application software, system software, development tools and utilities.
Computing assets: servers, desktops, laptops, smartphones.
Networking assets: routers, switches, access points.
Storage assets: disk arrays, SANs, tapes, portable storage.
Services: computing, application, and storage services.
NIST 800-53 mapping: CM-8 Information System Component Inventory
NIST 800-53 text: (1) The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Matrix flags / priority: x x x P1

8.102 | Policy: Information Security Policy - Asset Management | Section: 1.1 Asset Identification | Control: Information System Component Inventory
Requirement: Each agency must require user acknowledgement of all rules and regulations pertinent to an asset, prior to issuing or permitting access to the asset.
NIST 800-53 mapping: PL-4 Rules Of Behavior
NIST 800-53 text: (1) The organization: a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
Matrix flags / priority: x x x P2

8.103 | Policy: Information Security Policy - Asset Management | Section: 1.1 Asset Identification | Control: Information System Component Inventory
Requirement: Each agency must periodically review asset records to ensure that each is classified appropriately and that the safeguards remain valid and operative.
NIST 800-53 mapping: CM-8 Information System Component Inventory
NIST 800-53 text: (1) The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Matrix flags / priority: x x x P1

8.104 | Policy: Information Security Policy - Asset Management | Section: 1.1 Asset Identification | Control: Security Impact Analysis
Requirement: Each agency must classify assets into the data sensitivity classification types in the State of South Carolina Data Classification Schema: Public, Internal, Confidential, Restricted.
NIST 800-53 mapping: RA-2 Security Categorization
NIST 800-53 text: (1) The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
Matrix flags / priority: x x x P1

8.105 | Policy: Information Security Policy - Asset Management | Section: 1.1 Asset Identification | Control: Security Impact Analysis
Requirement: Each agency must ensure that each asset is classified based on data classification type and impact level, and the appropriate level of information security safeguards are available and in place.
NIST 800-53 mapping: RA-2 Security Categorization
NIST 800-53 text: (1) The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
Matrix flags / priority: x x x P1

9.100 Security Performance Metrics: Each agency must participate in the DIS-defined collection and reporting of security performance metrics, in order to inform the management decisions of agency and state executive stakeholders.
Matrix flags / priority: x x x P1

9.101 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.1 Security Performance and Metrics | Control: Information Security Measures of Performance
Requirement: Each agency must monitor and report performance metrics as specified by the Division of Information Security (DIS), to demonstrate progress in adoption of security controls, and associated policies and procedures, and effectiveness of the information security program.
NIST 800-53 mapping: PM-6 Information Security Measures Of Performance
NIST 800-53 text: The organization develops, monitors, and reports on the results of information security measures of performance.
Matrix flags / priority: x x xc P1

9.102 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.1 Security Performance and Metrics | Control: Information Security Measures of Performance
Requirement: DIS must define performance measures to be able to support the determination of information system security posture, demonstrate compliance with requirements, and identify areas of improvement.
NIST 800-53 mapping: PM-6 Information Security Measures Of Performance
NIST 800-53 text: The organization develops, monitors, and reports on the results of information security measures of performance.
Matrix flags / priority: x x xc P1

9.103 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.1 Security Performance and Metrics | Control: Manageability of Metrics
Requirement: DIS must ensure that the defined metrics are meaningful, yield impact and outcome findings, and are scheduled for collection with the time necessary for stakeholders to use the results to address performance gaps.
NIST 800-53 mapping: (none listed)
Matrix flags / priority: x x xc P1

9.104 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.1 Security Performance and Metrics | Control: Data Management Concerns
Requirement: DIS must standardize the data collection methods and data repositories used for metrics data collection and reporting to ascertain the validity and quality of data.
NIST 800-53 mapping: (none listed)
Matrix flags / priority: x x xc P1

9.200 Third Party Risk Management: Each agency must ensure that agency business functions conducted by third parties are performed in compliance with all statutes, regulations, and other obligations incumbent on the agency.
Matrix flags / priority: x x x P1

9.201 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: External Information System Services
Requirement: Each agency must establish processes to ensure that third parties comply with information security requirements and employ defined security controls in accordance with compliance requirements incumbent on the agency.
NIST 800-53 mapping: SA-9 External Information System Services
NIST 800-53 text: (1) The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
Matrix flags / priority: x x x P1

9.202 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: External Information System Services
Requirement: Each agency must implement processes, methods, and techniques to review compliance by third parties on an ongoing basis.
NIST 800-53 mapping: SA-9 External Information System Services
NIST 800-53 text: (1) The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
Matrix flags / priority: x x P1

9.203 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Risk Assessment
Requirement: Each agency must establish a process to conduct risk assessments on third party service providers, and document the risk assessment results.
NIST 800-53 mapping: AC-20(1) Use Of External Information Systems | Limits On Authorized Use; RA-3 Risk Assessment; SA-9(1) External Information System Services | Risk Assessments / Organizational Approvals
NIST 800-53 text: (1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system. (2) The organization: a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results [Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. (3) The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated ...
Matrix flags / priority: x x P1

9.204 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Risk Assessment
Requirement: Each agency must implement controls to help ensure that risk assessments are updated in case of major changes in scope of services or contractual changes with third parties.
NIST 800-53 mapping: CA-3 System Interconnections; SA-9 External Information System Services
NIST 800-53 text: (1) The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency]. (2) The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
Matrix flags / priority: x x P1

9.205 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: System Interconnections
Requirement: Each agency must authorize connections between agency information systems and third party information systems by entering into Interconnection Security Agreements.
NIST 800-53 mapping: CA-3 System Interconnections
NIST 800-53 text: (1) The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Matrix flags / priority: x x x P1

9.206 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: System Interconnections
Requirement: Each agency must ensure that for each third party system interface with an agency system, the interface characteristics, security requirements, and the nature of the information communicated are documented.
NIST 800-53 mapping: CA-3 System Interconnections
NIST 800-53 text: (1) The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Matrix flags / priority: x x x P1

9.207 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Use of External Information Systems
Requirement: Each agency must establish terms and conditions for trust relationships established with other entities owning, operating, or maintaining external information systems on behalf of agency. Terms and conditions should control:
Access to agency information systems from third party information systems.
Controls for processing, storing, or transmitting of agency data by third party information systems.
NIST 800-53 mapping: AC-20 Use Of External Information Systems
NIST 800-53 text: (1) The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: a. Access the information system from external information systems; and b. Process, store, or transmit organization-controlled information using external information systems.
Matrix flags / priority: x x xc P1

9.208 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Use of External Information Systems
Requirement: Each agency must review and update third party security agreements on an annual basis, or as defined in the contract.
NIST 800-53 mapping: CA-3 System Interconnections
NIST 800-53 text: (1) The organization: a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements; b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Matrix flags / priority: x x x P1

9.209 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Information Sharing with Third Parties
Requirement: Each agency must share personally identifiable information (PII) with third parties only for purposes in compliance with applicable statutes and regulations.
NIST 800-53 mapping: UL-2 Information Sharing With Third Parties
NIST 800-53 text: (1) The organization: a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
Matrix flags / priority: x xc P0

9.210 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Information Sharing with Third Parties
Requirement: Each agency using a third party to process or store unencrypted sensitive data must enter into a binding agreement with the third party, describing the types of sensitive data covered, and specifically enumerating the purposes for which the data may be used.
NIST 800-53 mapping: UL-2 Information Sharing With Third Parties
NIST 800-53 text: (1) The organization: a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
Matrix flags / priority: x xc P0

9.211 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Information Sharing with Third Parties
Requirement: Each agency must monitor, audit, and train its staff on the authorized sharing of sensitive data with third parties and on the consequences of unauthorized use or sharing of such data.
NIST 800-53 mapping: UL-2 Information Sharing With Third Parties
NIST 800-53 text: (1) The organization: a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
Matrix flags / priority: x xc P0

9.212 | Policy: Information Security Policy (IT Risk Strategy) | Section: 1.2 Third Party Risk Management | Control: Information Sharing with Third Parties
Requirement: Each agency must evaluate any proposed new instances of sharing sensitive data with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
NIST 800-53 mapping: UL-2 Information Sharing With Third Parties
NIST 800-53 text: (1) The organization: a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.
Matrix flags / priority: x xc P0

10.100 Contingency Planning: Each agency must ensure that the business functions supporting any critical agency missions can be restored to functionality in the event of disruption, breach, or failure.
Note: * Controls marked "x*" in this section are required, unless the agency performs a Business Impact Analysis (BIA) to estimate the impact of short term, long term, or permanent loss of the relevant asset or function, and determines based on the BIA that the control is not needed.
Matrix flags / priority: x x x P1

10.101 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Planning Policy and Procedures
Standard: Each agency must establish a formal, documented contingency planning process that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
Control reference: CP-1 Contingency Planning Policy And Procedures. (1) The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment: organization-defined frequency].
x x x P1

10.102 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Planning Policy and Procedures
Standard: Each agency must establish a formal process for annual contingency planning policy and procedure review and update.
Control reference: CP-1 Contingency Planning Policy And Procedures (control text as at 10.101).
x x x P1

10.103 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must conduct a Business Impact Analysis (BIA) to identify functions, processes, and applications that are critical to the agency and determine a point in time (i.e. recovery time objective (RTO)) when the impact of an interruption or disruption becomes unacceptable to the agency.
Control reference: CP-2(3) Contingency Plan | Resume Essential Missions / Business Functions. (1) The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
x x x P1

10.104 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must utilize the BIA results to determine potential impacts resulting from the interruption or disruption of critical business functions, processes, and applications.
Control reference: CP-2(3) Contingency Plan | Resume Essential Missions / Business Functions (control text as at 10.103); CP-2(4) Contingency Plan | Resume All Missions / Business Functions. (2) The organization plans for the resumption of all missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
x x x P1

10.105 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must assign contingency roles and responsibilities to key individuals from all business functions.
Control reference: CP-2 Contingency Plan. (1) The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
x* x* x P1

10.106 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must establish procedures to maintain continuity of critical business functions in the cases of critical information system disruption, breach, or failure.
Control reference: CP-2(5) Contingency Plan | Continue Essential Missions / Business Functions. (1) The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.
x* x* x P1

10.107 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must document a Business Continuity Plan (BCP) that addresses documented recovery strategies designed to enable the agency to respond to potential disruptions and recover its critical business functions within a predetermined RTO following a disruption.
Control reference: CP-2 Contingency Plan (control text as at 10.105).
x* x* x P1

10.108 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must establish a process to ensure that the BCP is reviewed and approved by senior management.
Control reference: CP-2 Contingency Plan (control text as at 10.105).
x* x* x P1

10.109 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must distribute copies of the BCP to key personnel responsible for the recovery of the critical business functions and other relevant personnel and partners with contingency roles, as determined by the agency.
Control reference: CP-2 Contingency Plan (control text as at 10.105).
x* x* x P1

10.110 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must establish and implement procedures to review the BCP at planned intervals and at least on an annual basis.
Control reference: CP-2 Contingency Plan (control text as at 10.105).
x* x* x P1

10.111 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan
Standard: Each agency must establish a process to update the contingency plan, including the BIA, when changes to the organization, information system, or environment of operation have occurred.
Control reference: CP-2 Contingency Plan (control text as at 10.105).
x x x P1

10.112 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Training
Standard: Each agency must provide training to personnel with assigned BCP roles and responsibilities.
Control reference: CP-3 Contingency Training. (1) The organization provides contingency training to information system users consistent with assigned roles and responsibilities: a. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
x* x* x P2

10.113 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Training
Standard: Each agency must establish a process for evaluating the effectiveness of its BCP training.
Control reference: CP-3 Contingency Training (control text as at 10.112).
x* x* x P2

10.114 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Training
Standard: Each agency must incorporate simulated events and lessons learned into contingency training to facilitate effective response by personnel with contingency roles when responding to disruption.
Control reference: CP-3(1) Contingency Training | Simulated Events. (1) The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.
x* x* x P2

10.115 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan Testing
Standard: Each agency must test the BCP at least annually to determine the effectiveness of the plan and the agency's readiness to execute the plan.
Control reference: CP-4 Contingency Plan Testing. (1) The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed.
x* x* x P2

10.116 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan Testing
Standard: Each agency must review the BCP test results, record lessons learned and perform corrective actions as needed.
Control reference: CP-4 Contingency Plan Testing (control text as at 10.115).
x* x* x P2
10.117 | Information Security Policy 1.1 Business Continuity Management | Contingency Planning | Contingency Plan Testing
Standard: Each agency must employ standard testing methods, ranging from walk-through and tabletop exercises to more elaborate parallel/full interrupt simulations, to determine the effectiveness of the plan and to identify potential weaknesses in the plans.
Control reference: CP-4 Contingency Plan Testing. (1) The organization: a. Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions, if needed.
x* x* x P2

10.200 Disaster Recovery: Each agency must ensure that the business functions supporting any critical agency missions can be restored to functionality in the event of catastrophic disruption.
* Controls marked "x*" in this section are required, unless the agency performs a Business Impact Analysis (BIA) to estimate the impact of short term, long term, or permanent loss of the relevant asset or function, and determines based on the BIA that the control is not needed.
x* x* x P1
10.201 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must develop a Disaster Recovery Plan (DRP) that addresses scope, roles, responsibilities, and coordination among organizational entities for reallocating information systems operations to an alternate location.
Control reference: CP-2 Contingency Plan; CP-2(1) Contingency Plan | Coordinate With Related Plans. (1) The organization: a. Develops a contingency plan for the information system that: 1. Identifies essential missions and business functions and associated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics; 3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; c. Coordinates contingency planning activities with incident handling activities; d. Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure and modification.
x* x* x P1

10.202 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must establish recovery time objectives for the BIA-identified critical information systems.
Control reference: CP-2(3) Contingency Plan | Resume Essential Missions / Business Functions. (1) The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.
x* x* x P1

10.203 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must establish and document procedures to fully restore critical information systems, after an incident, minimizing deterioration of the security safeguards originally planned and implemented.
Control reference: CP-2 Contingency Plan (control text as at 10.201).
x* x* x P1

10.204 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must assign disaster recovery roles and responsibilities to key individuals.
Control reference: CP-2 Contingency Plan; CP-2(1) Contingency Plan | Coordinate With Related Plans (control text as at 10.201).
x* x* x P1

10.205 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must establish a process to ensure that the DRP is reviewed and approved by senior management.
Control reference: CP-2 Contingency Plan; CP-2(1) Contingency Plan | Coordinate With Related Plans (control text as at 10.201).
x* x* x P1

10.206 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must distribute copies of the DRP to key personnel responsible for the recovery of the critical information systems and other relevant personnel and partners with contingency roles, as determined by the agency.
Control reference: CP-2 Contingency Plan; CP-2(1) Contingency Plan | Coordinate With Related Plans (control text as at 10.201).
x* x* x P1

10.207 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must establish and implement procedures to review the DRP at planned intervals and at least on an annual basis.
Control reference: CP-2 Contingency Plan; CP-2(1) Contingency Plan | Coordinate With Related Plans (control text as at 10.201).
x* x* x P1

10.208 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Disaster Recovery Plan
Standard: Each agency must establish a process to update the DRP when changes to the organization or environment of operation have occurred.
Control reference: CP-2 Contingency Plan; CP-2(1) Contingency Plan | Coordinate With Related Plans (control text as at 10.201).
x* x* x P1

10.209 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Alternate Site
Standard: Each agency must identify and establish processes to relocate to an alternate site to facilitate the resumption of information system operations for business-critical functions within the defined recovery objectives (RTO and Recovery Point Objective (RPO)) when the primary site is unavailable due to disruption.
Control reference: CP-7 Alternate Processing Site. (1) The organization: a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable; b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and c. Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site.
x* x* x P1

10.210 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Alternate Site
Standard: Each agency must ensure that equipment and supplies required to resume operations at the alternate processing site are available.
Control reference: CP-7 Alternate Processing Site (control text as at 10.209).
x* x* x P1

10.211 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Alternate Site
Standard: Each agency must ensure contracts are in place with third parties and suppliers to support delivery to the site within the defined time period for transfer/resumption of critical business operations.
Control reference: CP-7 Alternate Processing Site (control text as at 10.209).
x* x* x P1

10.212 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Alternate Site
Standard: Each agency must ensure that the alternate processing site provides information security safeguards similar to those of the primary site.
Control reference: CP-7 Alternate Processing Site (control text as at 10.209).
x* x* x P1

10.213 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Alternate Site
Standard: Each agency must identify potential accessibility problems to the alternate site in the event of an area-wide disruption or disaster.
Control reference: CP-7(2) Alternate Processing Site | Accessibility. (1) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
x* x* x P1

10.214 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Telecommunications Services
Standard: Each agency must establish primary and alternate telecommunication service agreements with priority-of-service provisions in accordance with organizational availability requirements (including RTOs), quality of service and access.
Control reference: CP-8(1) Telecommunications Services | Priority Of Service Provisions. (1) The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
x* x* x P1

10.215 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Telecommunications Services
Standard: Each agency must establish alternate telecommunications services to facilitate the resumption of information system operations for critical business functions within the defined recovery objectives when the primary telecommunications capabilities are unavailable.
Control reference: CP-8 Telecommunications Services. (1) The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
x* x* x P1

10.216 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Telecommunications Services
Standard: Each agency must require primary and alternate telecommunication service providers to have contingency plans.
Control reference: CP-8(4) Telecommunications Services | Provider Contingency Plan. (1) The organization: (a) Requires primary and alternate telecommunications service providers to have contingency plans; (b) Reviews provider contingency plans to ensure that the plans meet ...
x* x* x P1

10.217 | Information Security Policy 1.2 Business Continuity Management | Disaster Recovery and Contingency Strategies | Information System Recovery and Reconstitution
Standard: Each agency must establish documented procedures to restore and recover critical business activities from the temporary measures adopted to support normal business requirements after an incident.
Control reference: CP-10 Information System Recovery And Reconstitution. (1) The organization provides for the recovery and reconstitution of the information system to ...
x* x* x P1
system a known
organizational
state contingency
after a disruption,
requirements;
compromise, orand failure.
10.218 Information Security Policy 1.2 Disaster Recovery Information System Each agency must implement procedures for the recovery and CP-10 Information System (1) (c)
TheObtains evidence
organization of
provides
Business Continuity and Contingency Recovery and reconstitution of the information system to a known state after a Recovery And contingency
for the recovery testing/training
and by
Management Strategies Reconstitution disruption, compromise, or failure. Reconstitution providers [Assignment:
reconstitution of the x* x* x P1
organization-defined
information system to a known
frequency].
state after a disruption,
10.219 Information Security Policy 1.2 Disaster Recovery Information System Each agency must provide the capability to restore information CP-10(4) Information System (1) The
compromise,
organization provides
Business Continuity and Contingency Recovery and system components within defined restoration time periods from Recovery And the capabilityor to failure.
restore
Management Strategies Reconstitution configuration-controlled and integrity-protected information Reconstitution | Restore information system
representing a known, operational state for the components (for Within Time Period components within x* x* x P1
e.g. reimaging methods). [Assignment: organization-
defined restoration time-
periods] from configuration-
10.220 Information Security Policy 1.2 Disaster Recovery Information System Each agency must establish measures to protect backup and CP-10(6) Information System controlled
(1) and integrity-
The organization protects
Business Continuity and Contingency Recovery and restoration hardware, firmware, and software. Recovery And protected
backup andinformation
restoration x* x* x P1
Management Strategies Reconstitution Reconstitution | representing
hardware, a known,
firmware, and
operational state for the
Component Protection software.
10.300 Data Backups: Each agency must ensure that the business data supporting any critical * Controls marked "x*" in this section are required, unless components.
agency missions can be restored to functionality in the event of loss or corruption. the agency performs a Business Impact Analysis (BIA) to
estimate the impact of short term, long term, or permanent
loss of the relevant asset or function, and determines based
on the BIA that the control is not needed. x* x* x P1

10.301 Information Security Policy 1.3 Data Backups Data Backup and Storage Each agency must develop, maintain and document a data backup CP-9 Information System (1) The organization:
Business Continuity Policy and storage process that ensures the ability to recover electronic CP-1 Backup a. Conducts backups of user-
Management information in the event of failure. Contingency Planning level information contained in x* x* x P1
Policy and Procedures the information system
10.302 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must identify and apply security requirements for CP-9 Information System [Assignment:
(1) organization-
The organization:
Business Continuity protecting data backups based on the different types of data Backup defined frequency
a. Conducts consistent
backups of user-
Management handled by the agency. with recovery
level information time and
contained in x* x* x P1
recovery point
the information systemobjectives];
b. Conducts
[Assignment: backups
organization- of
10.303 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must identify an alternate storage site that is CP-6(1) Alternate Storage Site | (1) The organization
system-level information identifies
Business Continuity separated from the primary site so as not to be susceptible to same Separation From Primary defined
an frequency
alternate in storage
consistent
site that is
Management occurrences of hazards. Site
contained
with recovery
separated
the
time information
and
from the primary x* x* x P1
system
recovery[Assignment:
point objectives];
storage site to
organization-defined reduce frequency
b. Conductstobackups
susceptibility the same of
10.304 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must establish necessary agreements with the CP-6 Alternate Storage Site (1) The organization:
consistent
system-level with recovery
information time
Business Continuity alternate storage site owner to ensure that data storage and threats.
a. Establishes an alternate
Management retrieval process are not hindered during or after an incident.
and recovery
contained
storage site
c. Conducts
point
in the
including
objectives];
information
backups of
x* x* x P1
system [Assignment:
necessary
information agreements
system frequency
organization-defined to
10.305 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must ensure that the alternate storage site provides CP-6 Alternate Storage Site permit
(1) The the storage
organization:
documentation
consistent with recovery and time
including
Business Continuity information security safeguards similar to that of the primary retrieval of information
a.recovery
Establishes
security-related system
an objectives];
alternate
Management storage site.
and
backup
storage
point
information;
site including
documentation
c. Conducts andof
[Assignment:
backups
x* x* x P1
b. Ensures
necessary that
agreements
organization-defined
information the alternate
system frequency to
storage
permit
consistent sitewith
the
documentation provides
storage and time
recovery
including
information
retrieval
and of
recovery
security-related security
information system
point objectives];
safeguards
backup
and equivalent
information;
documentation to that
and
[Assignment:
of the
b. primary
d. Ensures
Protects that
organization-defined site.
the thefrequency
alternate
storage
consistent sitewith
confidentiality, provides
integrity,
recovery and time
information
availability ofsecurity
backup
and recovery point objectives];
safeguards
information
and equivalent
at storage to that
of the primarythe
locations.
d. Protects site.
10.306 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must identify potential accessibility problems to the CP-6(3) Alternate Storage Site | (1) The organization identifies
Business Continuity alternate storage site in the event of a disruption or disaster. Accessibility potential accessibility
Management problems to the alternate x* x* x P1
storage site in the event of an
10.307 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must identify secure transfer methods when MP-5 Media Transport area-wide disruption or
(1) The organization:
Business Continuity transporting backup media off-site. disaster and outlines
a. Protects and controls explicit x* x* x P1
Management mitigation actions.
[Assignment: organization-
10.308 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must establish and maintain an authorization list to defined types of information
Business Continuity retrieve backups from the off-site location. system media] during transport x* x* P2
Management outside of controlled areas
10.309 Information Security Policy 1.3 Data Backups Alternate Storage Site Each agency must review on an annual basis the security of the off- CP-9 Information System (1) The[Assignment:
using organization:
Business Continuity site location to ensure data is protected against unauthorized Backup a. Conducts backups
organization-defined of user-
security
Management disclosure or modification while in storage. level information contained in
safeguards]; x* x* x P1
theb.information system
Maintains accountability
10.310 Information Security Policy 1.3 Data Backups Information System Each agency must establish a process to perform data backups of CP-9 Information System [Assignment:
for information
(1) The organization-
organization: system media
Business Continuity Backup user-level and system-level information at a defined frequency Backup defined
during frequency
transport
a. Conducts backups consistent
outside ofofuser-
Management consistent with the established RTOs and RPOs. with recovery
controlled
level informationareas;time and
contained in x* x* x P1
recovery
the point objectives];
c.information
Documents activities
system
b. Conducts
associated
[Assignment: with backups
the transport
organization- of
10.311 Information Security Policy 1.3 Data Backups Information System Each agency must establish safeguards and controls to protect the CP-9 Information System (1)
of
The organization:
system-level
information information
system media;
Business Continuity Backup confidentiality, integrity, and availability of backup information at Backup defined frequency
a. Conducts backups consistent
of user-
Management storage locations.
contained
and
with
level
system
recovery in the
information
[Assignment:
time information
and
contained in x* x* x P1
d.
recovery
the Restricts
point
information systemthe activities
objectives];
organization-defined
associated
b. Conducts with the
backups frequency
transport
of
10.312 Information Security Policy 1.3 Data Backups Information System Backup Each agency must enforce dual authorization (two-person CP-9(7) Information System [Assignment:
(1) The organization
consistent with organization-
recovery enforces
timeto
of information
system-level
defined frequency system
information media
consistent
Business Continuity control) for the deletion or destruction of agency missions-critical Backup | Dual dual
and authorization
recovery
authorized point
inpersonnel. for the
objectives];
Management data. Authorization
contained
with
deletionrecovery
c. Conducts
system
the
time
or destruction
[Assignment:
information
and
backups of x* x* x P1
recovery
[Assignment:
information point objectives];
organization-
system
organization-defined
b. Conducts backups frequency
of
defined
documentation backup
consistent with information].
including
recovery time
11.100 Vulnerability Management: Each agency must ensure that its information systems are system-level
security-related information
and recovery
contained in point
the objectives];
information
periodically checked for vulnerabilities, and that findings are appropriately documentation
c. Conducts [Assignment:
backups of
remediated.
system
information
[Assignment:
organization-defined system frequency
x x xc P1
organization-defined
consistent with recovery frequency
documentation
consistent with includingtime
recovery time
and recovery
security-related point objectives];
11.101 Information Security Policy 1.1 Vulnerability Vulnerability Scanning Each agency ensure that processes are in place to scan for RA-5 Risk Assessment Policy (1)
and
and
The organization:
recovery point objectives];
Threat and Vulnerability Assessment vulnerabilities in information systems and hosted applications at And Procedures documentation
a. Conducts
c. [Assignment:
Scans for vulnerabilities
backups of in
Management least annually and results are reported to management. thed.information
Protects thesystem
organization-defined
information system frequency
and x x xc P1
confidentiality,
consistent
hosted with
applications integrity,
recovery and
time
documentation
availability of pointincluding
backup
and recovery
[Assignment:
security-related objectives];
organization-
information
and at storage
defined
documentation frequency and/or
[Assignment:
11.102 Information Security Policy 1.1 Vulnerability Vulnerability Scanning Each agency must ensure that privileged access to vulnerability RA-5(5) locations.
Vulnerability Scanning | (1) The information
d. Protects
randomly the system
in accordance with
organization-defined frequency
Threat and Vulnerability Assessment scanning tools and vulnerability reports are appropriately Privileged Access implements
confidentiality, privileged
integrity, access
and
Management controlled.
organization-defined
consistent with
authorization
availability
and when
recovery of
new to
recovery
backup
process]
[Assignment:
vulnerabilities
point
time
objectives];
x x xc P1
organization-identified
informationaffecting
potentially
and at storage the
11.103 Information Security Policy 1.1 Vulnerability Vulnerability Scanning Each agency must ensure remediation of identified vulnerabilities is RA-5 Risk Assessment Policy information
locations.
system/applications
(1) The
d. system
the are
organization:
Protects
Threat and Vulnerability Assessment performed in accordance with the agency risk management criteria And Procedures components]
identified
a. Scansand
confidentiality, forfor selectedand in
reported;
vulnerabilities
integrity,
Management and processes. [Assignment:
the b.information
Employs
availability organization-
vulnerability
of backup system and x x xc P1
defined
scanning
hosted
information vulnerability
tools at and
applications storage scanning
techniques
activities].
that facilitate organization-
[Assignment:
locations. interoperability
11.104 Information Security Policy 1.1 Vulnerability Penetration Testing Each agency must ensure that penetration testing exercises are CA-8 Penetration Testing (1) The
among tools
defined
organization
frequencyand automate conducts
and/or
Threat and Vulnerability Assessment performed on an annual basis, either by use of internal resources penetration testing
Management or employing an third party penetration team.
parts of the
randomly
[Assignment: in vulnerability
accordance
organization-
management processprocess]
with
by using
x xc P2
organization-defined
defined
standards frequency]
for: on
and when
[Assignment: new vulnerabilities
organization-
1. Enumerating
potentially affecting the platforms,
11.200 Incident Management: Each agency must ensure that information security incidents defined
softwareinformation
flaws, and improper systems or
system/applications are
occurring within the agency are appropriately handled. system components].
configurations;
identified and reported; x x xc P1
b. 2. Formatting
Employs checklists
vulnerability
11.201 Information Security Policy 1.2 Incident Incident Response Policy Each agency must develop, document, and internally publish an IR-1 Incident Response Policy (1)
andThe testorganization:
scanning procedures;
tools and techniques and
Threat and Vulnerability Management and Procedures incident response process that addresses scope, roles, and And Procedures thata.facilitate
Develops,
3. Measuring documents,
vulnerability
interoperability
Management responsibilities, internal coordination efforts, and compliance. and
impact;
among disseminates
[Assignment:
tools and automate to
organization-
x x x P1
c. Analyzes
parts vulnerability
of the vulnerability
defined
management personnel
scan reports and process or roles]:
results byfrom
using
security1. An incident
control response
assessments;
11.202 Information Security Policy 1.2 Incident Incident Response Plan Each agency incident response plan must include the following: IR-8 Incident Response Plan standards
(1) The
policy
for:
organization:
that addresses purpose,
Threat and Vulnerability Management Compatible interaction with the state level incident reponse d. Remediates
1. Enumerating
a. Develops legitimate
an incident platforms,
scope,
software roles,
vulnerabilities flaws, responsibilities,
[Assignment:
and improper
Management process published by DIS. response
management plancommitment,
that:
Types of information security incidents to be reported. organization-defined
configurations;
1. Provides the response
coordination
times] 2. inFormatting among
accordance with an
Establish metrics to ensure incident response capabilities remain organization
organizational with achecklists
entities, roadmap
andof
effective. and
for test procedures;
implementing assessment
its and
incident
compliance;
risk; and
3. Measuring and vulnerability
Define resources, such as technology and personnel, required to response capability;
effectively support incident response capabilities. e. 2.
impact; Procedures
Shares
2. Describesinformation to facilitate
theofstructure x x xc P1
the c.implementation
obtainedAnalyzesfromvulnerability the
the vulnerability
Roadmap for implementing incident response capabilities. and organization
incident response ofpolicy
the and
scanning
scan
incidentreports process
responseand and
results security
from
capability;
associated
control assessments
security incident
control response
with
assessments;
3.
controls; Provides a
and organization- high-level
[Assignment:
d. Remediates
approach for how legitimate
the incident
b. Reviews
defined personnel
vulnerabilities and updates
or roles]the
[Assignment: to
response
current: capability
help eliminate similar fits into the
organization-defined
overall organization; response
times] 1.inIncident
vulnerabilities accordanceinresponse
otherwith an
policy 4.[Assignment:
information Meets the unique
systems (i.e., of
organizational
requirements assessment
of the
organization-defined
systemic
risk; and weaknesses or
organization,
frequency];
deficiencies). andwhich relate to
e. Shares
mission, size,information
structure, and
obtained2. Incident
from the response
vulnerability
functions;
procedures [Assignment:
scanning process and security
11.203 Information Security Policy 1.2 Incident Incident Response Plan Each agency must review and update the incident response plan on IR-8 Incident Response Plan (1) The organization:
Threat and Vulnerability Management an annual basis. a. Develops an incident x x xc P1
Management response plan that:
11.204 Information Security Policy 1.2 Incident Incident Handling Each agency ensure that information security incident handling IR-4 Incident Handling (1) The organization:
1. Provides the
Threat and Vulnerability Management processes include preparation, detection and analysis, a. Implements
organization with an incident
a roadmap
Management containment, eradication, and recovery. handling
for implementing itsfor
capability security
incident
x x x P1
incidents that
response capability; includes
preparation,
2. Describes detection theemploys and
structure
11.205 Information Security Policy 1.2 Incident Incident Handling Each agency must ensure the implementation of incident response IR-4(9) Incident Handling | (1) The
analysis,
organization
containment,
Threat and Vulnerability Management tools such as intrusion detection, firewalls, and incident Dynamic Response and organization
[Assignment: of the
organization-
eradication,
incident dynamicresponseand recovery;capability;
Management investigation tools, to effectively respond to security incidents. Capability defined
b. 3.Coordinates
capabilities]Provides
response
a incident
high-level
to effectively
x x x P1
handling
approachtofor
respond activities
how the
security with incident
incidents.
contingency
response capability planning fitsactivities;
into the
11.206 Information Security Policy 1.2 Incident Incident Monitoring and Each agency must ensure that personnel are required to report IR-6 Incident Reporting and
(1) The organization;
overall organization:
Threat and Vulnerability Management Reporting suspected information security incidents to the incident response c. Incorporates
a. Requires
4. Meets the personnellessons
uniqueto
Management team or agency leadership. learned
report
requirements from ongoing
suspected of the security incident x x x P1
handling
organization, whichinto
incidents activities
to the organizational
relateincident
to
response
incident
mission, procedures,
response
size, structure, training,
capability and
11.207 Information Security Policy 1.2 Incident Information System Each agency ensure that monitor information systems are SI-4 Information System (1) The organization:
and
within testing/exercises,
[Assignment: and
Threat and Vulnerability Management Monitoring sufficiently monitored to detect attacks and/or signs of potential Monitoring functions;
a. Monitors the information
implements
organization-defined
5. to
Defines thereportable
resulting time
Management attacks, including unauthorized network local or remote
connections.
system
changes
period];
incidents;
detect:
accordingly.
and
1. Attacks and indicators
x x x P1
b. Reports
6. Provides
of potential security
attacks metricsin incident
for
information
measuring
accordancethe to [Assignment:
with incident
[Assignment:
11.208 Information Security Policy 1.2 Incident Information System Each agency must ensure that monitoring devices are deployed SI-4 Information System organization-defined
(1) The organization:
response capability within the
organization-defined
Threat and Vulnerability Management Monitoring strategically within information technology environment to collect Monitoring authorities].
a. Monitors
organization;
monitoring the information
objectives]; and
Management information security events and associated information. system 7. to
2.
1.
Definesdetect:
Unauthorized
Attacks
the resources
and
local,
indicators
x x x P1
and management
network, and remote support
of potential
needed
connections; attacks inmaintain
to effectively
accordance
andb.mature
Identifies with [Assignment:
an unauthorized
incident
11.209 Information Security Policy 1.2 Incident Information System Each agency must ensure the protection of information obtained SI-4 Information System (1) The
response
use
organization:
organization-defined
thecapability; and
Threat and Vulnerability Management Monitoring from intrusion-monitoring tools from unauthorized access, Monitoring a.of8.
Monitors information
reviewedinformation
the system
Management modification, and deletion.
monitoring
through
system 2. to
objectives];
Is[Assignment:
detect:
Unauthorized
and and
local,
x x x P1
approved
organization-definedby [Assignment:
network, 1. Attacks
and
organization-defined and indicators
remote personnel
techniques
of and methods];
11.210 Information Security Policy 1.2 Incident Information System Each agency must ensure the monitoring of inbound and outbound SI-4(4) Information System or potential
connections;
(1) c.The
roles]; attacks
information
Deploys monitoring
in
system
Threat and Vulnerability Management Monitoring communications traffic from sensitive information systems for Monitoring | Inbound accordance
b.
monitors Identifies with [Assignment:
unauthorized
devices: (i)inbound
Distributes
organization-defined strategically and of
copies the
within x x P1
Management unusual or unauthorized activities or conditions. And Outbound use of the
outbound
incident
the information information
communications
response plan system
system to
to
monitoring
through
Communications Traffic traffic objectives];
[Assignment:
[Assignment:
[Assignment: organization- and
collect 2. organization-
Unauthorized local,
organization-defined
defined
determined incident essential response
11.211 Information Security Policy 1.2 Incident Information System Each agency must ensure that information system monitoring SI-4 Information System (1) The organization:
network,
techniques
frequency] and and
for remote
methods];
unusual orname
Threat and Vulnerability Management Monitoring activity is appropriately adjusted for new and increased sources of Monitoring personnel
information;
a. Monitors (identified
and the (ii) atbyad
information hoc
Management risk.
connections;
c. Deploys
unauthorized
and/or
locations
system
b.
by
Identifies
role)
towithin monitoring
detect:activities
and
the system
unauthorized
or to x x x P1
devices:
conditions.
organizational
track (i)
specific
1. Attacks strategically
elements];
types
and of within
indicators
usec.information
the ofReviews
the information system system
to the
11.212 Information Security Policy 1.2 Incident Incident Response Training Each agency must provide incident response training within one (1) IR-2 Incident Response transactions
of
(1)potential
The organization-
through ofthe
attacks
organization
[Assignment:
incident
interest to
inprovides
collect
response
organization;
accordance plan [Assignment:
with [Assignment:
Threat and Vulnerability Management month of personnel assuming incident response roles or Training incident response
organization-defined training to
Management responsibilities.
determined
organization-defined
d. Protects
organization-defined
information
techniques
information;
essential
information
system
andand (ii)users
methods]; at ad hoc
x x x P2
frequency];
obtained
monitoring from intrusion-
objectives]; and
consistent
c. Deploys
locations
d. Updates with
within the assigned
monitoring
the system
incident roles
to
monitoring
and
devices: 2. tools
Unauthorized
responsibilities:
(i)plan from
strategically local,
within
11.213 Information Security Policy 1.2 Incident Incident Response Training Each agency must provide training to incident response personnel IR-2 Incident Response track
(1) The
response specific
unauthorized
network, organizationtypes
to address
access,
and[Assignment:
remote ofprovides
Threat and Vulnerability Management upon significant changes to information systems and/or changes to Training the a.
incident Within
information
transactions response
system/organizational ofand system
interest
training to
to the
changesto
Management the incident response plan.
modification,
connections;
organization-defined
collect
information
or problems organization-
organization;
e. Heightens
b. Identifies system
encountered
deletion;
the level
time
users
unauthorized of
x x x P2
period]
determined
d.
consistent
during of
Protects assuming
essential
with
planinformationinformation
assigned
implementation, an roles
information
use of the
incident
information; responsesystem rolemonitoring
at orsystem
11.214 Information Security Policy 1.2 Incident Incident Response Testing Each agency must establish a formal process to test incident IR-3 obtained
Incident Response Testing and
activity
(1) The
through orand
from
responsibilities:
execution, whenever
organizationtesting;
[Assignment:
(ii)
intrusion-
there
ad hoc
testsisthe anto
responsibility;
locations
monitoring
a.
e. Within within
Communicates tools the
from
[Assignment: system
incident
Threat and Vulnerability Management response capabilities on a yearly basis to determine the incident indication
incident of
response
organization-defined increased capabilityrisk tofor
Management response effectiveness and adequacy.
b.
track When
specific
unauthorized
organization-defined
response
organizational
the information
techniques
information
transactions
plan required
and
types
access,
changes
operations
system system
of
methods];
oforganization-
interest
by
time
to and
changes;
x x P2
modification,
period]
[Assignment:
assets,
[Assignment: of assuming
individuals,
c. Deploys and
organization-
monitoring an to the
deletion;
other
and
organization;
e. Heightens
incident
defined response
incident the level
role
response of
orwithin
organizations,
defined
devices:
(1) c. frequency]
(i)
[Assignment: or the
strategically Nation
using
11.215 Information Security Policy 1.2 Incident Incident Response Testing Each agency must document the incident response test results and IR-3 Incident Response Testing responsibility;
The
d.
information
personnel
based
organization
Protects
onresponse
law
information
system
(identified
enforcement
tests
monitoring
byto the
name
Threat and Vulnerability Management update incident response processes as applicable. [Assignment:
the information
organization-defined
incident
obtained
activity
b. When
and/or
information,
defined
collect
from
whenever
by role)
tests]
organization-
organization-
system
capability
intrusion-
required
toand
intelligencethere
determineby is anthe for x x P2
Management frequency]
the information
monitoring
indication
information
organizational thereafter.
tools
ofessential system
increased
system from
elements]; riskand
changes; to
information,
incident
determined
[Assignment:
unauthorized response or other credible
effectiveness
organization-
access,
11.216  Information Security Policy 1.2 Threat and Vulnerability Management; Incident Management; Malicious Code Protection
Requirement: Each agency must ensure malicious code protection mechanisms are employed for information systems, to detect and eradicate malicious code.
Reference: SI-3 Malicious Code Protection. (1) The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
x x x P1

11.217  Information Security Policy 1.2 Threat and Vulnerability Management; Incident Management; Malicious Code Protection
Requirement: Each agency must ensure malicious code protection mechanisms are updated whenever new releases are available.
Reference: SI-3 Malicious Code Protection (text as in 11.216).
x x x P1

11.218  Information Security Policy 1.2 Threat and Vulnerability Management; Incident Management; Malicious Code Protection
Requirement: Each agency must ensure malicious code protection mechanisms are configured to perform periodic scans at defined time intervals.
Reference: SI-3 Malicious Code Protection (text as in 11.216).
x x x P1
11.219  Information Security Policy 1.2 Threat and Vulnerability Management; Incident Management; Malicious Code Protection
Requirement: Each agency must ensure malicious code protection mechanisms are configured to send an alert to appropriate personnel, to initiate appropriate actions in response to malicious code detection.
Reference: SI-3 Malicious Code Protection. (1) The organization: a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
x x x P1
11.300 Patch Management: Each agency must ensure that flaws in its information systems are remediated appropriately.
* Controls marked "x*" in this section are required, unless the agency performs a Business Impact Analysis (BIA) to estimate the impact of short term, long term, or permanent loss of the relevant asset or function, and determines based on the BIA that the control is not needed.
x x x P1
11.301  Information Security Policy 1.3 Threat and Vulnerability Management; Patch Management; Flaw Remediation
Requirement: Each agency must develop and implement a process to identify, report, and correct information system flaws.
Reference: SI-2 Flaw Remediation. (1) The organization: a. Identifies, reports, and corrects information system flaws; b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and d. Incorporates flaw remediation into the organizational configuration management process.
x x xc P1

11.302  Information Security Policy 1.3 Threat and Vulnerability Management; Patch Management; Flaw Remediation
Requirement: Each agency must establish a formal process to test software and firmware updates related to flaw remediation for effectiveness and identification of potential impact prior to implementation.
Reference: SI-2 Flaw Remediation (text as in 11.301).
x x xc P1

11.303  Information Security Policy 1.3 Threat and Vulnerability Management; Patch Management; Flaw Remediation
Requirement: Each agency must install latest stable versions of applicable security software and firmware updates.
Reference: SI-2 Flaw Remediation (text as in 11.301).
x x xc P1

11.304  Information Security Policy 1.3 Threat and Vulnerability Management; Patch Management; Flaw Remediation
Requirement: Each agency must establish a patch cycle that guides the normal application of patches and updates to systems.
Reference: SI-2 Flaw Remediation (text as in 11.301); SI-2(5) Flaw Remediation | Automatic Software / Firmware Updates. (2) The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].
x x xc P1

11.305  Information Security Policy 1.3 Threat and Vulnerability Management; Patch Management; Flaw Remediation
Requirement: Each agency must establish a process of patch testing to verify the source and integrity of the patch and ensure testing in a production mirrored environment for a smooth and predictable patch roll out.
Reference: SI-7(15) Software, Firmware, And Information Integrity | Code Authentication. (1) The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.
x* x* x P1
12.100 Data Classification: Each agency must ensure the information processed, stored, or transmitted by its information systems and information repositories is appropriately classified, so that compliance obligations may be identified.
x x x P1
12.101  Information Security Policy 1.1 Data Protection and Privacy; Data Classification; Security Categorization
Requirement: Each agency must categorize data in accordance with applicable statutory, regulatory, and contractual requirements. Each data asset must be classified into one of the following categories:
1. Public: Information intended or required for sharing publicly, where unauthorized disclosure would result in minimal or no risk to the agency.
2. Internal Use: Information that is used in daily operations of the agency, where unauthorized disclosure would result in little risk to the agency.
3. Confidential: Confidential information refers to sensitive information, where unauthorized disclosure may result in considerable risk to the agency.
4. Restricted: Restricted information is highly sensitive information, where unauthorized disclosure may result in considerable risk to the agency, including statutory penalties.
Reference: RA-2 Security Categorization. (1) The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
x x x P1

12.102  Information Security Policy 1.1 Data Protection and Privacy; Data Classification; Security Categorization
Requirement: Each agency must ensure that users who encounter information that is improperly classified consult with the owner of the information, agency information privacy personnel, or agency information security personnel to determine the appropriate data classification.
Reference: RA-2 Security Categorization (text as in 12.101).
x x x P1
12.103  Information Security Policy 1.1 Data Protection and Privacy; Data Classification; Security Categorization
Requirement: If multiple data fields with different classifications have been combined, the highest classification of information included must determine the classification of the entire set.
Reference: RA-2 Security Categorization (text as in 12.101).
x x x P1
12.200 Data Disposal: Each agency must ensure the information stored on its information systems, information repositories, and media is securely erased or destroyed prior to the disposal of the device or media.
x x x P1
12.201  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must develop a list of approved processes for sanitizing electronic and non-electronic media prior to disposal or re-purposing, based on applicable regulatory requirements.
Reference: MP-6 Media Sanitization. (1) The organization: a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
x x x P1

12.202  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Reference: MP-6 Media Sanitization (text as in 12.201).
x x x P1

12.203  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must implement controls to track the media sanitization and disposal process, wherever compliance requirements dictate such actions must be tracked, documented, and verified. Documentation must provide a record of the media sanitized, when, how media was sanitized, the person who performed the sanitization, and the final disposition of the media. The record of action taken must be maintained in a written or electronic format.
Reference: MP-6(1) Media Sanitization | Review / Approve / Track / Document / Verify. (1) The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
x P1

12.204  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must test media sanitization equipment and procedures at least annually to ensure correct performance.
Reference: MP-6(2) Media Sanitization | Equipment Testing. (1) The organization tests sanitization equipment and procedures [Assignment: organization-defined frequency] to verify that the intended sanitization is being achieved.
x P1

12.205  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must ensure that electronic media are securely erased prior to being reassigned, or released for destruction.
Reference: MP-6 Media Sanitization (text as in 12.201).
x x P1

12.206  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must define and implement mechanisms for disposal of digital media and data storage devices contained in equipment to be released outside of the agency.
Reference: MP-6 Media Sanitization (text as in 12.201).
x x P1

12.207  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must destroy hardcopy media containing sensitive information prior to disposal.
Reference: MP-6 Media Sanitization (text as in 12.201).
x x P1

12.208  Information Security Policy 1.2 Data Protection and Privacy; Data Disposal; Media Sanitization
Requirement: Each agency must monitor the destruction of hard copy media, where required for statutory or regulatory compliance.
Reference: MP-6(1) Media Sanitization | Review / Approve / Track / Document / Verify (text as in 12.203).
x P1
12.300 Data Protection: Each agency must ensure the information processed, stored, or transmitted during its business processes is appropriately protected.
* Controls marked "x*" in this section are required, unless the agency performs a Business Impact Analysis (BIA) to estimate the impact of short term, long term, or permanent loss of the relevant asset or function, and determines based on the BIA that the control is not needed.
x x x P1
12.301  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; System and Communications Protection Policy and Procedures
Requirement: Each agency must ensure that its personnel follow the agency's acceptable use policies when transmitting data.
Reference: SC-1 System And Communications Protection Policy And Procedures. (1) The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
x x xc P1

12.302  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Cryptographic Key Establishment and Management
Requirement: Each agency must implement mechanisms to ensure availability of information in the event of the loss of cryptographic keys by users.
Reference: SC-12(1) Cryptographic Key Establishment And Management | Availability. (1) The organization maintains availability of information in the event of the loss of cryptographic keys by users.
x* x* x P1

12.303  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Cryptographic Key Establishment and Management
Requirement: Each agency must implement mechanisms to ensure the confidentiality of private keys.
Reference: SC-12 Cryptographic Key Establishment And Management. (1) The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
x x x P1

12.304  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Cryptographic Key Establishment and Management
Requirement: Each agency must develop a mechanism to randomly select a key from the entire key space, using effective randomization.
Reference: SC-12(2) Cryptographic Key Establishment And Management | Symmetric Keys. (1) The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes. SC-12(3) Cryptographic Key Establishment And Management | Asymmetric Keys. (2) The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].
x x P1

12.305  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Cryptographic Key Establishment and Management
Requirement: Each agency must implement appropriate controls to physically and logically safeguard encryption keys through all phases of the key lifecycle, from construction through receipt, installation, operation, and removal from service.
Reference: SC-12 Cryptographic Key Establishment And Management (text as in 12.303).
x x x P1

12.306  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Cryptographic Protection
Requirement: Each agency must use Federal Information Processing Standards FIPS-140 validated technology for encrypting sensitive data.
Reference: SC-13 Cryptographic Protection. (1) The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
x x P1

12.307  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Transmission Confidentiality and Integrity
Requirement: Each agency must ensure that sensitive data transmitted by email is securely encrypted.
Reference: SC-8(1) Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection. (1) The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
x x P1

12.308  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Transmission Confidentiality and Integrity
Requirement: Each agency must ensure that sensitive information transmitted through a public network is encrypted prior to transmittal, or is transmitted through an encrypted connection.
Reference: SC-8(1) Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection (text as in 12.307).
x x P1

12.309  Information Security Policy 1.3 Data Protection and Privacy; Data Protection; Transmission Confidentiality and Integrity
Requirement: Each agency must ensure that sensitive information transmitted wirelessly is encrypted prior to transmittal, or is transmitted through an encrypted connection.
Reference: AC-18(1) Wireless Access | Authentication And Encryption. (1) The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. SC-8(1) Transmission Confidentiality And Integrity | Cryptographic Or Alternate Physical Protection. (2) The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
x x P1
12.400 Data Privacy: Each agency must ensure that the interests of data subjects are appropriately protected.
x xc P1

12.401
Requirement: Each agency must designate an individual who has primary responsibility for information privacy decisions.
Reference: AR-1.
x xc P1
12.402  Information Security Policy 1.4 Data Protection and Privacy; Privacy; Privacy Impact Assessment
Requirement: Each agency must conduct a Privacy Impact Assessment (PIA) for each information system that will handle Personally Identifiable Information (PII). Each PIA should examine the following privacy issues:
What PII is to be collected.
What is the intended use of the PII.
What PII will be shared, and with whom.
How long the PII will be retained.
What privacy risks are posed by the intended use and sharing of the collected PII.
What privacy risks are posed by unintended disclosure of the collected PII.
What steps are taken to inform users about the PII collected and what mechanisms they can use to control it.
What opportunities individuals have to decline to provide PII.
What steps are taken to minimize the types of PII collected.
What mechanisms are available for data subjects to update or correct their PII.
What opportunities individuals have to remove PII once collected.
How the PII is to be secured.
What processes are established to resolve privacy issues.
Reference: AR-2 Privacy Impact And Risk Assessment; SE-1; UL-2; DM-2; IP-1; DM-1; IP-4; IP-3. (1) The organization: a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.
x xc P0

12.403  Information Security Policy 1.4 Data Protection and Privacy; Privacy; Privacy Impact Assessment
Requirement: Each agency must update PIAs when a system change creates changes in privacy risks.
Reference: AR-2 Privacy Impact And Risk Assessment. (1) The organization: a. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifiable information (PII); and b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.
x xc P0

12.404  Information Security Policy 1.4 Data Protection and Privacy; Privacy; Privacy Impact Assessment
Requirement: Each agency must ensure that PIA documents are reviewed by an agency executive or designee with authority for issues of information privacy.
x xc P0

12.405  Information Security Policy 1.4 Data Protection and Privacy; Privacy; Privacy Impact Assessment
Requirement: Each agency must require each member of agency personnel and third party with access to PII to sign a confidentiality agreement defining responsibilities.
Reference: AR-5 Privacy Awareness And Training. (1) The organization: a. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures; b. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].
x xc P0
12.406  Information Security Policy 1.4 Data Protection and Privacy; Privacy; Privacy Impact Assessment
Requirement: Each agency must publish a privacy web statement on each agency website used by the public. Each website privacy statement should include, as specifically applicable to the site:
What PII is to be collected.
What is the intended use of the PII.
What PII will be shared, and with whom.
How long the PII will be retained.
What opportunities individuals have to decline to provide PII.
What mechanisms are available for data subjects to update or correct their PII.
What opportunities individuals have to remove PII once collected.
How the PII is to be secured, in a non-technical summary.
What processes are established to resolve privacy issues.
Reference: TR-3 Dissemination Of Privacy Program Information. (1) The organization: a. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and b. Ensures that its privacy practices are publicly available through organizational websites or otherwise.
x xc P0

13.100 Change Management: Each agency must ensure that changes to information systems are conducted in such a way that disruption to production is minimized, and stakeholders are given appropriate awareness and opportunity for feedback.
x xc P1

13.101  Information Security Policy 1.1 Information Systems Acquisitions, Development, and Maintenance; Change Management; Configuration Change Control
Requirement: Each agency must establish a change management process, including the following elements:
Change requests are handled in a structured way that determines the impact on the operational system and the business processes it supports.
Changes to production environments, including emergency maintenance and patches, must be formally managed.
Changes are categorized, prioritized, and authorized.
After implementation, changes are reviewed to ensure correct functionality.
Changes to production environments are adequately tested.
An emergency change process is defined for testing, documenting, assessing, and authorizing changes that do not follow the established change process.
Reference: CM-3 Configuration Change Control; CM-3(2) Configuration Change Control | Test / Validate / Document Changes; CM-4 Security Impact Analysis. (1) The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
x x xc P1
13.200 Configuration Management: Each agency must ensure that information system baseline configurations are managed to minimize risk of incompatibility and of unauthorized change.
x xc P1
13.201  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.2 Configuration Management | Objective: Baseline Configuration
  Requirement: Each agency must ensure that system baseline configurations are developed, reviewed, and formally approved for critical information systems and infrastructure components.
  NIST 800-53: CM-2 Baseline Configuration; CM-2(1) Baseline Configuration | Reviews And Updates
  NIST control text: (1) The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (2) The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
  Applicability / Priority: x x xc P1

13.202  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.2 Configuration Management | Objective: Baseline Configuration
  Requirement: Each agency must ensure that changes to baseline configurations include a process to identify, review, perform security impact analysis on, test, and approve such changes prior to implementation.
  NIST 800-53: CM-3 Configuration Change Control; CM-3(2) Configuration Change Control | Test / Validate / Document Changes; CM-4 Security Impact Analysis
  NIST control text: (1) The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. (2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system. (3) The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
  Applicability / Priority: x x xc P1

13.203  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.2 Configuration Management | Objective: Baseline Configuration
  Requirement: Each agency must ensure that baseline configurations are recorded in a central repository, with access restrictions to prevent unauthorized changes.
  NIST 800-53: CM-2 Baseline Configuration; CM-5 Access Restrictions For Change
  NIST control text: (1) The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. (2) The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
  Applicability / Priority: x x xc P1

13.204  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.2 Configuration Management | Objective: Baseline Configuration
  Requirement: Each agency must ensure that prior versions of baseline configurations are retained to be able to support rollback.
  NIST 800-53: CM-2(3) Baseline Configuration | Retention Of Previous Configurations
  NIST control text: (1) The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
  Applicability / Priority: x xc P1

13.205  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.2 Configuration Management | Objective: Baseline Configuration
  Requirement: Each agency must ensure the review and update of baseline configurations periodically, and as an integral part of information system component installations or upgrades.
  NIST 800-53: CM-2(1) Baseline Configuration | Reviews And Updates
  NIST control text: (1) The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; (b) When required due to [Assignment organization-defined circumstances]; and (c) As an integral part of information system component installations and upgrades.
  Applicability / Priority: x xc P1

13.206  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.2 Configuration Management | Objective: Configuration Management Plan
  Requirement: Each agency must ensure responsibilities are assigned for developing and managing the configuration management process to personnel that are not directly involved in system development activities.
  NIST 800-53: CM-9(1) Configuration Management Plan | Assignment Of Responsibility
  NIST control text: (1) The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
  Applicability / Priority: x xc P1
13.300 System Development and Maintenance: Each agency must ensure that system development efforts are performed with appropriate consideration for information confidentiality, integrity, and availability.
  Applicability / Priority: x x P1

13.301  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: System Security Plan
  Requirement: Each agency must ensure that system security plans are documented for critical enterprise information systems in production and under development. System security plans must provide an overview of the security requirements of the system, and describe the controls in place for meeting the requirements through all stages of the systems development life cycle.
  NIST 800-53: PL-2 System Security Plan
  NIST control text: (1) The organization: a. Develops a security plan for the information system that: 1. Is consistent with the organization's enterprise architecture; 2. Explicitly defines the authorization boundary for the system; 3. Describes the operational context of the information system in terms of missions and business processes; 4. Provides the security categorization of the information system including supporting rationale; 5. Describes the operational environment for the information system and relationships with or connections to other information systems; 6. Provides an overview of the security requirements for the system; 7. Identifies any relevant overlays, if applicable; 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for the information system [Assignment: organization-defined frequency]; d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and e. Protects the security plan from unauthorized disclosure and modification.
  Applicability / Priority: x x x P1

13.302  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: System Security Plan
  Requirement: Each agency must ensure that when a system is modified in a manner that affects security, system documentation is updated accordingly.
  NIST 800-53: PL-2 System Security Plan (control text as listed under 13.301)
  Applicability / Priority: x x x P1

13.303  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: Vulnerability Scanning
  Requirement: Each agency must ensure that a vulnerability assessment is performed on all enterprise information systems undergoing significant changes, before the systems are moved into production.
  NIST 800-53: RA-5 Vulnerability Scanning
  NIST control text: (1) The organization: a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyzes vulnerability scan reports and results from security control assessments; d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
  Applicability / Priority: x x xc P1

13.304  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: System and Services Acquisition Policy and Procedures
  Requirement: Each agency must develop and follow a set of procedures consistent with state procurement standards.
  NIST 800-53: SA-1 System And Services Acquisition Policy And Procedures
  NIST control text: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and b. Reviews and updates the current: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and 2. System and services acquisition procedures [Assignment: organization-defined frequency].
  Applicability / Priority: x x xc P1

13.305  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: System and Services Acquisition Policy and Procedures
  Requirement: Each agency must ensure that information systems and services it procures are implemented or conducted in compliance with all provisions of the state's Information Security Program that are applicable to the systems or services being procured.
  NIST 800-53: (none listed)
  Applicability / Priority: x x xc P0

13.306  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: System Development Life Cycle
  Requirement: Each agency must ensure that appropriate security controls are implemented at all stages of the information system life cycle.
  NIST 800-53: SA-3 System Development Life Cycle
  NIST control text: (1) The organization: a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations; b. Defines and documents information security roles and responsibilities throughout the system development life cycle; c. Identifies individuals having information security roles and responsibilities; and d. Integrates the organizational information security risk management process into system development life cycle activities.
  Applicability / Priority: x x xc P1

13.307  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: External Information System Services
  Requirement: Each agency must ensure that outsourced software development is performed in compliance with all applicable provisions of the state's Information Security Program.
  NIST 800-53: SA-9 External Information System Services
  NIST control text: (1) The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
  Applicability / Priority: x x x P1

13.308  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: Developer Security Testing and Evaluation
  Requirement: Each agency must ensure that for any system development effort, separate development, testing, and production environments are established.
  NIST 800-53: CM-2(6) Baseline Configuration | Development And Test Environments; CM-4(1) Security Impact Analysis | Separate Test Environments
  NIST control text: (1) The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration. (2) The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
  Applicability / Priority: x xc P1

13.309  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: Developer Security Testing and Evaluation
  Requirement: Each agency must not use sensitive production data for testing purposes unless the data has been obfuscated, sanitized, or declassified. If production data must be temporarily used in these environments, appropriate security controls, including management approval, procedures to remove/delete data after completion of tests, and documentation of activities, must be implemented.
  NIST 800-53: SA-15(9) Development Process, Standards, And Tools | Use Of Live Data
  NIST control text: (1) The organization approves, documents, and controls the use of live data in development and test environments for the information system, system component, or information system service.
  Applicability / Priority: x xc P2

13.310  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: Flaw Remediation
  Requirement: Each agency must ensure for system development efforts that appropriate testing is performed to ensure correct processing.
  NIST 800-53: SI-10 Information Input Validation; SI-15 Information Output Filtering
  NIST control text: (1) The information system checks the validity of [Assignment: organization-defined information inputs]. (2) The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.
  Applicability / Priority: x xc P1

13.311  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.3 System Development and Maintenance | Objective: Session Authenticity
  Requirement: Each agency must ensure for system development efforts that, where appropriate, controls are implemented to ensure user session isolation, information integrity, and protection of information transmission.
  NIST 800-53: SC-23 Session Authenticity
  NIST control text: (1) The information system protects the authenticity of communications sessions.
  Applicability / Priority: x xc P1
13.400 Release Management: Each agency must ensure that information system version releases into production are conducted in a way that minimizes risk to the confidentiality, integrity, and availability of those systems.
  Applicability / Priority: x x xc P1

13.401  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.4 Release Management | Objective: Allocation of Resources
  Requirement: Each agency must ensure that production-ready release packages of mission-critical systems are deployed using the release management lifecycle (i.e., plan, prepare, build and test, pilot, and deploy).
  NIST 800-53: SA-2 Allocation of Resources
  NIST control text: (1) The organization: a. Determines information security requirements for the information system or information system service in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process;
  Applicability / Priority: x x xc P1

13.402  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.4 Release Management | Objective: Allocation of Resources
  Requirement: Each agency must determine as part of the release planning process:
    Resources required to deploy the release.
    Build and test plans prior to implementation.
    Pass/fail criteria.
    Pilot and deployment plans.
    Develop requirements for the release.
  NIST 800-53: SA-2 Allocation of Resources (control text as listed under 13.401)
  Applicability / Priority: x x xc P1

13.403  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.4 Release Management | Objective: Information System Documentation
  Requirement: Each agency must document, as part of a system release, the set of tools and processes used to manage the IT release lifecycle, and the prioritization of the release.
  NIST 800-53: SA-5 Information System Documentation
  NIST control text: The organization: a. Obtains administrator documentation for the information system, system component, or information system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security functions/mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; b. Obtains user documentation for the information system, system component, or information system service that describes: 1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and 3. User responsibilities in maintaining the security of the system, component, or service; c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response; d. Protects documentation as required, in accordance with the risk management strategy; and e. Distributes documentation to [Assignment: organization-defined personnel or roles].
  Applicability / Priority: x x xc P2

13.404  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.4 Release Management | Objective: Information System Documentation
  Requirement: Each agency must validate the release design against the requirements, and identify the risks and potential issues.
  NIST 800-53: SA-5 Information System Documentation (control text as listed under 13.403)
  Applicability / Priority: x x xc P2

13.405  Section: Information Security Policy - Information Systems Acquisitions, Development, and Maintenance | Policy: 1.4 Release Management | Objective: Security Engineering Principles
  Requirement: Each agency must implement standardization and enforce operational controls through the use of change requests for deploying releases into production.
  NIST 800-53: SA-8 Security Engineering Principles
  NIST control text: (1) The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
  Applicability / Priority: x x xc P1
HIPAA-Specific Controls -- to be applied to information systems and processes within scope of HIPAA
Columns: DIS Control ID | Section | Objective | NIST Control ID | NIST Control Name | NIST Control Description (NIST 800-53) | Public or Internal | Confidential or Restricted | HIPAA | Priority Code

AC-12 SESSION TERMINATION
  Control: The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
  Supplemental Guidance: This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day
  Applicability / Priority: x P2

AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
  Control: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
  Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
  Applicability / Priority: x P1

AT-2 SECURITY AWARENESS TRAINING
  Control: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
  Supplemental Guidance: Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security
  Applicability / Priority: x P1

AT-4 SECURITY TRAINING RECORDS
  Control: The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b. Retains individual training records for [Assignment: organization-defined time period].
  Supplemental Guidance: Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14. References: None.
  Applicability / Priority: x P3

AU-7 AUDIT REDUCTION AND REPORT GENERATION
  Control: The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and b. Does not alter the original content or time ordering of audit records.
  Supplemental Guidance: Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can
  Applicability / Priority: x P2

CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES
  Control: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment: organization-defined frequency]; and 2. Security assessment and authorization procedures [Assignment: organization-defined frequency].
  Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
  Applicability / Priority: x P1

CA-7 CONTINUOUS MONITORING
  Control: The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  Applicability / Priority: x P2

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION
  Control: The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
  Supplemental Guidance: Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by
  Applicability / Priority: x P1

IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION
  Control: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
  Applicability / Priority: x P1

MA-2 CONTROLLED MAINTENANCE
  Control: The organization: a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
  Applicability / Priority: x P2

MA-5 MAINTENANCE PERSONNEL
  Control: The organization: a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel; b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
  Supplemental Guidance: This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to
  Applicability / Priority: x P2

MA-6 TIMELY MAINTENANCE
  Control: The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
  Supplemental Guidance: Related controls: CM-8, CP-2, CP-7, SA-14, SA-15. References: None.
  Applicability / Priority: x P2

MP-1 MEDIA PROTECTION POLICY AND PROCEDURES
  Control: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-defined frequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
  Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
  Applicability / Priority: x P1

MP-2 MEDIA ACCESS
  Control: The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
  Supplemental Guidance: Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example,
  Applicability / Priority: x P1

MP-3 MEDIA MARKING
  Control: The organization: a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b. Exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
  Supplemental Guidance: The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems
  Applicability / Priority: x P2

PE-17 ALTERNATE WORK SITE
  Control: The organization: a. Employs [Assignment: organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
  Supplemental Guidance: Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites
  Applicability / Priority: x P2

PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
  Control: The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.
  Supplemental Guidance: Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic
  Applicability / Priority: x P3

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
  Control: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
  Supplemental Guidance: Controlling physical access to output devices includes, for example, placing
  Applicability / Priority: x P2

PS-4 PERSONNEL TERMINATION
  Control: The organization, upon termination of individual employment: a. Disables information system access within [Assignment: organization-defined time period]; b. Terminates/revokes any authenticators/credentials associated with the individual;
  Applicability / Priority: x P1

PS-8 PERSONNEL SANCTIONS
  Control: The organization: a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;
  Applicability / Priority: x P3

RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
  Control: The organization: a.
individual;
may
family.
Develops,
the
output
limiting
maintenance
c. Conducts
provide
reflect
disseminates
maintenance
Policy
information
devices
(see procedures;
and
pulse, AC-16).
electrical
access
readily
applicable
and
documents,
exiton
to
in
Information
to
procedures
system
locked
and
design
and
interviews
available
program federal
[Assignment:
b.
interference,
near and
rooms
Notifies
thethat
laws,
x P1
or other
system
[Assignment:
and other
specifications secured
media forms includesareas
organization-
stored of incoming
on and
both
systems.
include
alternate
Executive Individuals
aaccess
organization-defined
applies
allowing to discussion
locations
Orders,
all types ofnot
as of part
directives,
toradiation. personnel
authorized of
SA-4 digital
ACQUISITION PROCESS defined
compact
Control:The
previously and
electromagnetic non-digital
personnel
disks in the
organization
identified or media.
roles]
media
as In
[Assignment:
contingency
regulations,
or roles]:
maintenance
individuals
Digital media 1.only, organization-
operations.
policies,
A to riskanyand
includes, standards,
assessment
system
placing
for
within
addition, [Assignment:
organizations
library
includes
authorized
defined
Organizations
and
policy
output
example,
and
toinformation
guidance.
component that the
the
devices
organization-defined
consider
theroles,
requirements,
personnel,
project
following
maintenance
may
addresses Security
(including
diskettes,
the
individuals
such
in locations
location
descriptions,
as
leader
security
define purpose,
magnetic
on time
of the
information
that x P1
topics];
different
program
scope,
applications)
can
tapes, be d. Retrieves
sets
policies
monitored of security
and
responsibilities,
external/removableconducted by all by any
period]
physical
development
and criteria,
technology
security-related
controls when
entry
for apoints
team. formal
explicitly
manufacturers,
specific where
Related
organizational or(e.g.,
alternate by
SC-8 TRANSMISSION CONFIDENT procedures
management
local
hard or
organizational
disk
Control:The
employee nonlocal at
drives, the
commitment,
information
sanctions organization
entity
personnel.
flash drives,
process is
unauthorized
controls:
reference,
vendors,
information
work
level sites
may AC-3,
or
make individuals,
inwarranty,
systems the IA-2,
system-related
types the MP-4,
acquisition
integrators,
ofneed sites while
forPE-
coordination
in-contract,
Monitors, among
printers, in-house,
copiers,
compact
system
initiated,
notPE-3,
2,
and being
contract
property;
depending
system-specific
organizational
software
scanners,
video
(one ordisks.
disks,
protects
identifying
PL-2.
for
consultants, granted
e. on the
Retains
maintenance
more):facsimile
and
the
Non-digital
the digital
[Selection
the
access,
References:FIPS
information
may require
access
work-related
policies
entities, machines,
confidentiality; and
and
media to x P1
individual
might
Publication
system,
privileged nonetheless
organizational
activities systemsanctioned
199;
access
conducted NIST
component,
toare
information be and
in
atSpecial
those the
closeandor
procedures
compliance;
agreement).
and audio
includes,
integrity]
reason forforof unnecessary.
and
System
devices
the example,
transmitted 2.
sanction. Procedures
paper The
SI-1 SYSTEM AND INFORMATION proximity
Publication
information
organizational
sites. This
Control:The
policy canof to
control
be information
800-111.
system
systemsinformation
organization:
included service
formerly
supports as part in
a.the
to facilitate
maintenance
examples
and microfilm.
information.
Supplemental
systems and the also
information
Security
Supplemental
therefore includes increase
accordance
systems,
controlled for by with
example, applicable
terminated when
contingency
Develops,
of
those
system
marking
Guidance:This output
Guidance:Organizational
the potential
federal
required
individual;
of laws,
organizations
disseminates
security policy
planning
istodocuments,
the components
general
implementation generally
for
conduct
and
information
of
devices.
control
Executive
the
notnot
unauthorized
f.information
toPE-3,
for Notifies
and
[Assignment:
activities
and
risk
directly
Related
applies
theOrders,
x P1
assessment
associated
controls:
required
to bothtointernal
sanctions
access PE-2,
for policy
withmedia
processes
organizational and and PE-4,
containing
external
reflect PE-
directives,
maintenance
[Assignment:
federal telework
organization-defined
organizations
associated
processing
18. References:None. policies,
risk
and/or activities
organization-
or regulations,
initiative.
conversely,
assessment with
personnel
SI-7 information
SOFTWARE, FIRMWARE, ANnetworks
applicable
communications
Control:The
standards,
little and
orrepresented
no determined
federal all types
organization
guidelines,
notice. laws,
(e.g.,
Based ofby
through
and on
defined
Related
or
can roles]:
be
controls;
data/information
organizations personnel
controls:
1.
and A system
b.
to Reviewsor
AC-17, by
retentionroles]
and
beverification CP-7.
multiple
in the or and
information
Executive system
Orders, directives,
the
within
such
public
use[Assignment:
employs
organizational
References:NIST
information
policies
updates as
components
regulations,
microphones).
tools
of
the
wireless
integrity
reflecting
scanners,
todomain
assessments
integrity
current:
from or
policies,
Related
sniffers
Special
the
copiers,
to be
which policy
1. complex
Risk and
publicly
standards,
of x P1
risk,
nature
assessment
printers.
releasable.
information
and ofdetect
mission/business
organizations
organization-defined
Publication
that addresses
guidance.
800-46.
certain
policy
Information
However,
can
unauthorized
be
needs:
purpose, may time
organizations.
Sanctions necessary
some
transmitted
a.
issue
scope,
controls:
changes
Security
temporary
period].
roles,
The toCP-2,credentials
Supplemental
responsibilities,
procedures PE-19,
[Assignment:
functional canrequire be RA-3.
to these
[Assignment:
for creating
organizations
(e.g.,
processesservers,
References:None. are organization-
effective
may
mobile
described devices,in
organization-defined
requirements;
individuals.
Guidance:Information
management
established
defined for
frequency]; b.
Temporary Security
commitment,
the software,
security
and system-
2. Risk
maintenance
markings
notebook
access
firmware, for
agreements
and records
public
computers, information].and includes,
printers,
can be
strength
credentials
related
coordination
program
assessment
for example: requirements;
property
in may among
general
procedures
(i) be
date for
includes,
and
and c.
one-
for for
time
information
copiers,
included
Supplemental
Security
time use scanners,
as
assurance
or indicating
part
for offacsimile
very general
limitedthat the
example,
organizational
particular
[Assignment:
of maintenance;
information hardware
information
is entities,
organization-
(ii)
publicly name and
systems,of
machines).
personnel
Guidance:Unauthorized
requirements;
time periods.
authentication Communication
policies d.
Related andcontrols:
Security-
tokens, system
compliance;
if needed.
defined
individuals
releasable.
paths
procedures outside The
frequency].
or and
Marking
for group
the 2. Procedures
organizationaloffirmware,
physical
organizations.
changes
related
AC-2,
to
risk IA-8,
administration
facilitate
management
Supplemental to MP-2,
software,
documentation
the PE-2,
technical
strategy
Guidance:This PE-3, isthea
performing
information
protection
Organizations
and information of system
a maintenance;
controlled
consultcan media with
occur due
requirements;
PE-4,
manuals,
key
(iii) RA-3.
implementation
factor
control
name keys,
addresses
of e.
inReferences:
establishing
escort, Requirements
identification
of thethe None.
system
if Counsel policy
reflects
boundary
Office
to
for errors of
protectingapplicable
the
orare exposed
General
malicious federal
security-related to
activity laws,
the
cards,
and andOrders,
information
procedures.
establishment
necessary;
Executive building of
(iv)interception passes.
integrity
Related
policy
a description
directives, and Exit
of
possibility
regarding
(e.g., tampering).
documentation;
interviews of
matters
ensure of employee
Software
f.performed;
Description
that and
policy
control:
procedures
the and PM-9.
maintenance
policies,
modification.
sanctions. associated
regulations,
Related References:NIST
forProtecting
the system
effective
standards,
controls: thePL-
includes,
of
and the
terminated
Specialinformation
implementation for
information example,
individuals
Publications system
integrity 800-12,
of selected
and
4, (v) information
guidance.
confidentiality
PS-6.
operating References:None.
systems Related
and/or system
(with controls:
integrity
key
development
understand
controls;
800-100.
security and
controls
components/equipment the environment
b. security
Reviews
and control and and
AC-16,
of
environment PL-2,
organizational
internal components RA-3.
in in information
which suchthe as
constraints
updates
enhancements
removed
References:FIPS the
or imposed
current:
replaced the
Publicationby
1.RA being
System
(including
can
system
former be
kernels, accomplished
isdrivers),
intended
employees middleware,
to by
operate;
and that
and
family.information
Policy
identification
199.
physical means and
numbers,integrity
procedures
(e.g., by if
and
proper
policy
reflectapplications.
g. Acceptance
accountability
[Assignment:
applicable Firmware
criteria.
federal is detail
laws,
applicable).
employing
includes, for The
physical
example, level of
distribution
the
Supplemental
achieved
organization-defined
Executivein
included for
Orders, information
maintenance directives,
systems)
Basic Input or
Guidance:Information
system-related by logical
Output property. Systemmeans
system
frequency];
regulations,
records
(e.g., can
employing and
policies,
be 2.
informed System
standards,by andthe
(BIOS).
components
Security
information
and Information
guidance.
security topics
categories are ofencryption
integrity
Security includes
discrete,
interest
of at
techniques).
metadata
identifiable
exit interviews such Organizations
as
information
can security
include, for
procedures
program
organizational
relying onpolicies [Assignment:
commercial and
information
attributes
technology
example,
organization-defined
procedures associated
assets
reminding (e.g.,
at the transmission with
organization
systems.
providers
information. Organizations
offeringState-of-the-
hardware,
terminated
frequency].
level mayas
consider software,
make
supply individuals
Supplemental
the
chain orissues
need of for
services
practice
firmware)
nondisclosure commodity
integrity-checking
that represent
agreements services
the and
Guidance:This
system-specific
associated
rather than with
as control
policies
replacement
fully dedicated and
mechanisms
building blocks
potential limitations
addresses
procedures the (e.g., of anparity
establishment
unnecessary. on future Theof
components
services
checks, cyclical for
(i.e.,system.services information
redundancy which
information
employment. Exit interviews
Gap Analysis and Remediation Tracking
Use this spreadsheet to evaluate agency practices against each control.
Indicate compliance status, describe gaps, and describe remediation plans.
Progress may be tracked by approximating the size of the remediation effort (S/M/L) and tracking percent complete.

DIS Section ID  Priority Code  SC State Policy Control Objective
1.100  P1  Information Security Plan: Each agency must formally authorize, document, prioritize, and provide resources for incorporating security and privacy controls into its business processes.

1.101  P1  Each agency must develop and communicate an information security plan that outlines security requirements, the security management controls, and common controls in place for meeting those requirements.

1.102  P1  Each agency's security plan must identify and assign security program roles, responsibilities and management commitment, and ensure coordination among the agency's business units, as well as compliance with the security plan.

1.103  P1  Each agency must ensure coordination among the agency's business units responsible for the different aspects of information security (i.e., technical, physical, personnel, etc.).

1.104  P1  Each agency must ensure that the security plan is approved by senior management.

1.105  P1  Each agency must periodically review the information security plan, staging each full review cycle across no more than a 3-year period.

1.106  P1  Each agency must update the security plan to address changes and problems identified during plan implementation or security control assessments.

1.107  P1  Each agency must protect the information security plan from unauthorized disclosure and modification.

1.108  P1  Each agency must consider resources needed to implement and maintain the information security plan in capital planning and investment requests.

1.109  P1  Each agency must follow a process for ensuring that an implementation plan is developed and executed to address identified security and privacy deficiencies.

1.110  P1  Each agency must review implementation plans for consistency with the agency's risk management strategy and priorities for risk response actions.

1.111  P1  Each agency must develop, monitor, and report on the results of information security and privacy measures of performance, as directed by the SC Division of Information Security or the SC Enterprise Privacy Office.

1.200  P1  Information Security Roles and Responsibilities: Each agency must formally document authority for security and privacy responsibilities within its organization.

1.201  P1  Each agency's chief executive must ensure that the agency's senior officials are given the necessary authority to secure the operations and assets under their control.

1.202  P1  Each agency must appoint an information security liaison with the mission and resources to coordinate, develop, implement, and maintain an information security plan.

1.203  P1  Each agency must establish an information security workforce and professional development program appropriately sized to the agency's information security needs.

1.204  P1  Each agency must provide role-based security training to personnel with assigned security roles and responsibilities.

1.300  P1  Information Security Policy Management: Each agency must formally evaluate its business processes, and ensure that these processes are designed in compliance with the state Information Security Program.

1.301  P1  Each agency must adopt a risk-based approach to identify State and agency-specific information security and privacy objectives, and must develop information security procedures in alignment with the identified security objectives.

1.302  P1  Each agency must allocate the appropriate subject matter experts to the development of State and agency-specific information security procedures.

1.303  P1  Each agency must approach independent external (third party) specialists to assist in the development of information security policies, procedures, or controls in cases where it is established that the required skills do not exist within the agency and are not available within any other state government agency.

1.304  P0  Each agency must work in collaboration with other states, the Federal government, and external special interest groups in cases where procedures directly or indirectly affect interfacing activities with them.

1.305  P1  Each agency should ensure that information security and privacy policies, standards, guidelines, and procedures developed at the agency contain the following information, as appropriate: version, issued date, effective date, owner of document (identified by office or role), purpose, definitions, scope, directives, guidance, and revision history.

1.306  P0  Each agency must review each draft procedure with stakeholders who will be impacted by the procedure, to ensure that the procedure is enforceable and effective.

1.307  P1  Each agency must identify gaps within the procedures that are not enforceable and effective, must document the gaps, and must assign the appropriate resources to remediate the gaps.

1.308  P1  Each agency must develop and implement a communication plan to disseminate new procedures or changes to existing procedures.

1.309  P1  Each agency may establish a procedure governance committee for the purpose of review and approval of procedures.

1.310  P1  Each agency must implement mechanisms to help ensure that information security procedures will be available to the agency's personnel on a continuous basis and whenever required.

1.311  P2  Each agency must require employees to review and acknowledge understanding of information security procedures prior to allowing access to sensitive data or information systems.

1.400  P1  Information Security Controls: Each agency must ensure that security and privacy controls are implemented in compliance with the state Information Security Program.

1.401  P2  Each agency must adopt a risk-based approach to prioritize deployment of controls.

1.402  P1  Each agency must allocate the appropriate subject matter experts to the deployment of State and agency-specific information security controls.

1.403  P1  Each agency must approach independent external (third party) specialists to assist in the deployment of information security controls in cases where it is established that the required skills do not exist within the agency and are not available within any other state government agency.

1.404  P1  Each agency must ensure that controls which cannot be implemented due to the agency's resource or other constraints are reported as directed by the SC Division of Information Security or SC Enterprise Privacy Office.

1.405  P0  Each agency must review each control with stakeholders who will be impacted, to ensure that the control is enforceable and effective.

1.406  P1  Each agency must develop and implement a communication plan to disseminate new controls or changes to existing controls.

1.407  P1  Each agency must periodically review information security controls, staging each full review cycle across no more than a 3-year period.

2.100  P1  Access Management: Each agency must ensure the management of information systems and user accounts, to appropriately secure legitimate user and system access.

2.101  P1  Each agency must establish or update formal, documented procedures for secure and compliant management of information systems, user accounts, and networks.

2.102  P1  Each agency must identify account types (e.g., individual, group, system, application, guest/anonymous, and temporary) and establish conditions for group membership.

2.103  P1  Each agency must identify authorized users of information systems and specify access rights.

2.104  P1  Each agency must establish a process to enforce that access requests are approved by a business or data owner (or delegate) prior to provisioning user accounts.

2.105  P1  Each agency must authorize and monitor the use of guest/anonymous and temporary accounts, and notify relevant personnel (e.g., account managers) when temporary accounts are no longer required.

2.106  P1  Each agency must establish a process to notify relevant personnel (e.g., account managers, system administrators) to remove or deactivate access rights when users are terminated, transferred, or access rights requirements change.

2.107  P1  Each agency should remove, disable, or rename default user accounts. Where this is not possible, the agency should increase the required length or complexity of the password, or use additional factors for authentication.

2.108  P1  Each agency must ensure that rights granted to accounts are based on the principles of need-to-know, least-privilege, and separation of duties. Access not explicitly permitted should be denied by default.

2.109  P1  Each agency must ensure that access requests from users are recorded.

2.110  P1  Each agency must ensure that privileged accounts (e.g., system / network administrators having root level access, database administrators) are only provisioned after approval by an agency information security officer and/or similarly designated role. The approval must be granted to a limited number of individuals with the requisite skill, experience, business need, and documented reason based on role requirements.

2.111  P1  Each agency must ensure that privileged accounts are controlled, monitored, and can be reported on a periodic basis.

2.112  P1  Each agency must implement processes to enforce periodic user access reviews to be performed by information / data owners or their assigned delegates to ensure the following: current access rights are consistent with current agency access provisioning criteria, and there are no unnecessary duplicate user identifiers. Privileged accounts must be reviewed at least as often as semiannually. Standard accounts must be reviewed at least as often as annually.

2.113  P1  Each agency must regulate information system access and define security requirements for contractors, vendors, and other service providers.

2.114  P1  Each agency must establish procedures to administer privileged user accounts in accordance with a role-based access model.

2.115  P1  Each agency must enforce approved authorizations for logical (e.g., cyber or electronic) access to information systems.

2.116  P1  Each agency must implement encryption of data in motion to protect remote connections.

2.117  P1  Each agency must enforce information flow controls for its systems, to allow large Restricted data flows to transfer only to approved destinations.

2.118  P1  Each agency should implement controls in information systems to enforce separation of duties through assigned access authorizations, such as separation of security administration duties from security audit duties, administration duties for critical business systems separated among personnel, and separation of information system testing and production duties.

2.119  P1  Each agency should document and implement separation of duties through assigned information system access authorizations.

2.120  P1  Each agency must ensure that only authorized individuals have access to agency data, and that such access is controlled and audited in accordance with the concepts of need-to-know, least-privilege, and separation of duties.

2.121  P1  Each agency must implement processes or mechanisms to disable file system access not required for duties, restrict database management to authorized database administrators, and restrict access to removable device/media boot functions to system administrators.

2.122  P2  Each agency must ensure that its information systems enforce a limit of unsuccessful logon attempts during an agency-defined period. The number of logon attempts must be commensurate with the classification of data hosted, processed or transferred by the information system.

2.123  P2  Each agency must automatically lock user accounts after the maximum number of logon attempts is reached, and must establish an account lock time period commensurate with the classification of data hosted, processed or transferred by the information system.

2.124  P1  Each agency system interface intended for non-public usage must display a warning before granting system access, addressing issues such as intended use of the system, applicable privacy disclosures, and other warnings as required for applicable regulatory or contractual obligations.

2.125  P3  Each agency's systems should disconnect sessions or require reauthentication after 30 minutes of inactivity.

2.200  P1  Network Access Management: Each agency must ensure the management of networks to appropriately secure legitimate user and system access.

2.201  P1  Each agency must document allowed methods for remote access to the network and information systems.

2.202  P1  Each agency must utilize automated mechanisms to enable management to monitor and control remote connections into networks and information systems.

2.203  P1  Each agency must require Virtual Private Network (VPN) or equivalent encryption technology to establish remote connections into the agency's private networks.

2.204  P1  Each agency must restrict remote access to its private networks and systems to the mechanisms and protocols approved by the agency.

2.205  P1  Each agency must require two-factor authentication for remote connections by Virtual Private Network (VPN) or other such tunneling technologies.

2.206  P1  Each agency must develop formal procedures for authorized individuals to access its information systems from external systems, such as access allowed from an alternate work site (if required).

2.207  P1  Each agency must establish usage restrictions, configuration and connection requirements, and implementation guidance for wireless access.

2.208  P1  Each agency must only use wireless networking technology that enforces user authentication for access to non-public networks.

2.209  P1  Each agency must authorize wireless access to information systems prior to allowing use of wireless networks for access to non-public networks.

2.210  P1  Each agency prohibits wireless access points from being installed independently by users.

2.211  P1  Each agency requires that before agency data is processed or stored on a third-party system, the system must be approved for such use by data owners, considering such issues as the classifications of data which may be used with the system, the permitted methods of connection to the system, and compliance of the system with state and agency policy.

2.212  P1  Each agency segregates systems intended for internal use from systems intended for public use by means of separate physical or logical networks.

2.213  P1  Each agency's networks and information systems must not be accessible from public networks (e.g., Internet) except under secured and managed interfaces employing boundary protection devices.

2.214  P1  Each agency must limit network access points to a minimum to enable effective monitoring of inbound and outbound communications and network traffic.

2.300  P1  Identity Management: Each agency must ensure that legitimate use

2.301  P1  Each agency must establish processes to enforce the use of unique identifiers assigned to each member of agency personnel (User IDs), including system users, technical support personnel, system operators, network administrators, system programmers, and database administrators.

2.302  P1  Each agency must prevent reuse of a user ID until all logs, documents, or other records referencing the user ID have reached the end of their retention periods.

2.303  P1  Each agency must allow the use of group IDs only where these are necessary for business or operational reasons; group IDs must be formally approved and documented.

2.304  P1  Each agency must ensure that where the agency requires use of group IDs, it requires users to be authenticated with a user ID prior to, or simultaneous with, using the group ID.

2.305  P1  Each agency must minimize the use of system, application, or service accounts; and must document, formally approve, and designate an individual owner of each such account.

2.306  P1  Each agency must perform identification and authentication of any user accessing any system intended for internal-only use, and record logs sufficient to identify each user's network address.

2.400  P1  Authentication: Each agency must ensure that legitimate users of systems are authenticated as appropriate to support security requirements.

2.401  P1  Each agency must use multifactor authentication for remote user authentication to non-public systems, such that one factor is generated by a device other than the device from which the user connects.

2.402  P2  Each agency must implement mechanisms to record successful and failed authentication attempts.

2.500  P1  Emergency Access: Each agency must ensure that privileged accounts that are shared (e.g., administrator, root, system) are appropriately protected, and usage is accounted to individual users.

2.501  P1  Each agency must establish processes and procedures for users to obtain access to required information systems on an emergency basis.

2.502  P1  Each agency's emergency procedure must ensure that only identified and authorized personnel are allowed emergency access; all emergency actions are documented in detail; emergency accounts are removed, disabled, or resecured promptly upon conclusion of the emergency conditions; and emergency actions are reported to management.

2.600  P1  Password Security: Each agency must ensure that passwords are difficult to guess, and retained only by those persons who have a legitimate need to access the associated account.

2.601  P1  Each agency must enforce the following password selection criteria by policy and, where possible, by technical means:
           Users must change personal user account passwords at least as frequently as every 180 days.
           Privileged user account passwords must be changed at least as frequently as every 60 days.
           System account passwords must be changed at least as frequently as every 180 days.
           Each password must be at least 8 characters in length, and be composed of at least one uppercase letter, at least one lowercase letter, and at least one digit or punctuation character.
           Passwords must be encrypted when stored or transmitted.
           For Federal Tax Information (FTI): change/refresh passwords every 90 days at a minimum for a standard user account, every 60 days at a minimum for privileged users.

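A compliance check for the 2.601 criteria, written here as an added example (it is not code from the standard or the Division of Information Security); the account-type names, the sample inventory, and the treatment of FTI system accounts like standard users are assumptions.

```python
"""Checks for the SCDIS-200 2.601 password criteria (added example; not the standard's own code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List
import string

# Composition rule from 2.601: at least 8 characters, with at least one uppercase letter,
# one lowercase letter, and one digit or punctuation character.
MIN_LENGTH = 8

# Maximum password age in days by account type (2.601). The FTI entries apply where the
# account handles Federal Tax Information; treating FTI "system" accounts like standard
# users (90 days) is an assumption, since 2.601 only names standard and privileged users.
MAX_AGE_DAYS = {
    "personal": 180,
    "privileged": 60,
    "system": 180,
    "fti_standard": 90,
    "fti_privileged": 60,
}


@dataclass
class AccountRecord:
    """One row of a constructed password-age inventory (hypothetical, not real accounts)."""
    user: str
    account_type: str          # "personal", "privileged" or "system"
    last_changed: date
    handles_fti: bool = False


def composition_violations(password: str) -> List[str]:
    """Return the 2.601 composition rules the password fails; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or punctuation character")
    return problems


def max_age_days(account_type: str, handles_fti: bool = False) -> int:
    """Resolve the rotation interval: FTI shortens standard accounts to 90 days and keeps
    privileged accounts at 60; otherwise the base interval for the account type applies."""
    if handles_fti:
        key = "fti_privileged" if account_type == "privileged" else "fti_standard"
        return MAX_AGE_DAYS[key]
    return MAX_AGE_DAYS[account_type]


def rotation_due(last_changed: date, account_type: str, today: date,
                 handles_fti: bool = False) -> bool:
    """True when the password is older than its maximum age and must be changed."""
    return today - last_changed > timedelta(days=max_age_days(account_type, handles_fti))


def audit_rotation(records: List[AccountRecord], today: date) -> List[str]:
    """Return the users whose password age exceeds the 2.601 limit for their account type."""
    return [r.user for r in records
            if rotation_due(r.last_changed, r.account_type, today, r.handles_fti)]


# Constructed sample inventory, audited on the standard's effective date (2016-07-01).
AUDIT_DAY = date(2016, 7, 1)
SAMPLE_RECORDS = [
    AccountRecord("jdoe", "personal", date(2016, 1, 15)),        # 168 days: within 180
    AccountRecord("jdoe-adm", "privileged", date(2016, 4, 15)),  # 77 days: over the 60-day limit
    AccountRecord("svc-backup", "system", date(2015, 12, 1)),    # 213 days: over the 180-day limit
    # 108 days: fine for an ordinary personal account, overdue under the 90-day FTI rule.
    AccountRecord("tax-clerk", "personal", date(2016, 3, 15), handles_fti=True),
]

if __name__ == "__main__":
    for pw in ("Tr0ub4dor!", "password"):
        print(pw, composition_violations(pw) or "compliant")
    print("rotation overdue:", audit_rotation(SAMPLE_RECORDS, AUDIT_DAY))
```

The same account record would pass the 180-day rule and fail the 90-day FTI rule, which is why the audit carries the FTI flag per account rather than applying one interval agency-wide.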
2.602 Each agency must prohibit its users from sharing P1


their personal account passwords with others.

2.603 Each agency must ensure that shared account P1


passwords must be changed immediately upon
termination, resignation, or reassignment of any
person with knowledge of the password.
2.604 Each agency must prohibit its users from using P1
common words or personal information as
passwords (e.g., username, social security number,
childrens names, pets names, hobbies, anniversary
dates, etc.).

2.605 Each agency must suspend user accounts after a P1


specified number of days of inactivity.
2.606 Each agency must implement a process to change P1
passwords immediately if there reason to believe a
password has been compromised or disclosed to
someone other than an authorized user.

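The selection, rotation and compromise rules in 2.601, 2.604 and 2.606 are the kind of policy an agency can enforce "by technical means" at password-change time. The checker below is an added example for this edition and is not part of the SCDIS-200 standard or any state tooling: the account record shape, the account-type names, the common-word blocklist and every sample value are assumptions constructed for illustration. It reports which rule a candidate password fails rather than echoing the user's personal terms, so its output can be logged safely.

```python
"""Policy-as-code check for SCDIS-200 password controls 2.601, 2.604 and 2.606.

Added example; not part of the standard. The record layout, account-type
names and sample values below are assumptions made for this illustration.
"""
import re
from datetime import date

# Maximum password age in days by account type (control 2.601). The FTI
# entries follow the Federal Tax Information clause of the same control.
MAX_AGE_DAYS = {
    "user": 180,
    "privileged": 60,
    "system": 180,
    "fti_user": 90,
    "fti_privileged": 60,
}

# Constructed sample of a common-word blocklist (control 2.604). A real
# deployment would load a much larger list; these values are illustrative.
COMMON_WORDS = frozenset({"password", "welcome", "letmein", "qwerty", "summer"})


def composition_errors(password: str) -> list:
    """Return the 2.601 composition rules the password fails (empty list = passes)."""
    errors = []
    if len(password) < 8:
        errors.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", password):
        errors.append("no digit or punctuation character")
    return errors


def personal_info_errors(password: str, personal_terms) -> list:
    """Control 2.604: reject passwords built from common words or the user's
    personal information (username, SSN, family and pet names, dates)."""
    lowered = password.lower()
    errors = [f"contains common word '{w}'" for w in sorted(COMMON_WORDS) if w in lowered]
    # Terms shorter than three characters would match almost any password.
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        # Report the category only, so the offending term is never written to a log.
        errors.append("contains personal information")
    return errors


def age_errors(last_changed_iso: str, account_type: str, today_iso: str) -> list:
    """Control 2.601 rotation limits, applied per account type (dates as YYYY-MM-DD)."""
    limit = MAX_AGE_DAYS[account_type]
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    if age > limit:
        return [f"password older than {limit} days for {account_type} account"]
    return []


def evaluate(password: str, account: dict, today_iso: str) -> list:
    """Run every check; an empty list means the candidate password is acceptable.
    `account` uses the constructed record shape shown in SAMPLE_ACCOUNT."""
    errors = composition_errors(password)
    errors += personal_info_errors(password, account["personal_terms"])
    errors += age_errors(account["last_changed"], account["account_type"], today_iso)
    if account.get("compromised", False):
        # Control 2.606: a suspected compromise forces a change regardless of age.
        errors.append("suspected compromise; immediate change required")
    return errors


# Constructed sample record; every value here is invented for the example.
SAMPLE_ACCOUNT = {
    "username": "jdoe",
    "account_type": "privileged",
    "personal_terms": ["jdoe", "123456789", "Fluffy", "Emily", "0614"],
    "last_changed": "2016-01-05",
    "compromised": False,
}

if __name__ == "__main__":
    for candidate in ("Fluffy2016!", "Tr4velSouth!", "summer"):
        print(candidate, "->", evaluate(candidate, SAMPLE_ACCOUNT, "2016-03-01") or "OK")
```

The age check is the piece most often missed in a one-shot validator: the same password that passes every composition rule on day 56 is a finding on day 65 for a privileged account, so the check has to run on a schedule as well as at change time.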
2.700 (P1) Password Administration: Each agency must ensure that processes and agreements are in place to support password security.

2.701 (P3) Each agency must require its users of non-public systems to sign an acknowledgement of their understanding of authentication policies prior to allowing access to non-public agency networks or systems, including the agency's policies on password selection and confidentiality.

2.702 (P1) Each agency must establish a process to verify the identity of a user prior to providing a new, replacement, or temporary password.

2.703 (P1) Each agency must establish a process to uniquely identify and authenticate non-agency users of internal-use agency systems.

2.704 (P1) Each agency must establish procedures to manage new or removed privileged account passwords.

2.705 (P1) Each agency must require that passwords administratively set on behalf of a user (e.g. new password, password reset) are set to a unique value per user and changed by the user at first use.

2.706 (P1) Each agency must communicate temporary passwords to users in a secure manner.

2.707 (P2) Each agency must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

3.100 (P1) Audit and Compliance: Each agency must ensure that its security and privacy policies, procedures, and controls are current and effective.

3.101 (P0) Each agency must identify and document its obligations to applicable State, federal and other third party laws and regulations in relation to information security.

3.102 (P1) Each agency must periodically review or audit its users' and systems' compliance with security policies, standards, and procedures, and initiate corrective actions where necessary.

3.103 (P1) Each agency must document and report findings from compliance reviews or audits to agency leadership.

3.104 (P1) Each agency must establish formal, documented audit and accountability procedures.

3.105 (P1) Each agency must implement a process to periodically review and update the audit and accountability procedures.

3.200 (P1) Information System Audits: Each agency must ensure that its procedures and controls for information systems are current and appropriately designed.

3.201 (P1) Each agency must conduct audit procedures in a way that minimizes the risk of disruption of operational systems and business processes.

3.202 (P1) Each agency must implement security controls to help prevent unauthorized access and/or access abuse of audit tools.

3.203 (P1) Each agency must determine the types of events that are to be audited within information systems, such as authentication success, authentication failure, user connections, system connections, system updates, privileged user actions, record accesses, record updates, system errors, application starts, application stops, and system debugging operations.

3.204 (P1) Each agency must review and update the list of audited events annually.

3.205 (P1) Each agency must ensure that leadership coordinates the audit functions, information security functions, and business functions to facilitate the identification of auditable events.

3.206 (P1) Each agency must ensure its information systems are enabled to generate audit records containing details to help establish what type of event occurred, when and where the event occurred, the source and outcome of the event, and the identity of any individuals or subjects associated with the event.

3.207 (P1) Each agency must analyze information system audit records periodically.

3.208 (P1) Each agency must report findings of audit record reviews to information security personnel and agency leadership.

3.209 (P1) Each agency must perform correlation and analysis of information generated by security assessments and monitoring.

3.210 (P1) Each agency must allocate sufficient audit storage capacity to ensure compliance with audit log retention requirements.

3.211 (P1) Each agency must implement provisions for information systems to off-load audit records at regular intervals onto a different system or media than the system being audited.

3.300 (P2) Information Security Monitoring: Each agency must ensure that its security controls for information systems are effective.

3.301 (P2) Each agency must ensure security controls are monitored on an ongoing basis.

3.302 (P2) Each agency's security control assessment function must be independent from operational or business functions, or hired third parties.

3.303 (P3) Each agency must develop a plan of action and milestones to document planned remedial actions to correct deficiencies identified as a result of risk assessments, security reviews, or audits.

3.304 (P3) Each agency must update its plan of action and milestones at least on a yearly basis, and also based on the findings from continuous security monitoring activities.

4.100 (P1) Risk Management: Each agency must establish its strategy for risk management.

4.101 (P1) Each agency must define a schedule for an ongoing risk assessment and risk mitigation process.

4.102 (P1) Each agency must review and evaluate risk based on the system categorization level and/or data classification of its systems.

4.200 (P1) Risk Assessment: Each agency must conduct its risk assessment processes in alignment with its risk management strategy.

4.201 (P1) Each agency must establish a risk assessment framework based on applicable State and federal laws, regulations, and industry standards (e.g. NIST 800-30). This assessment framework must clearly define accountability, roles and responsibilities.

4.202 (P2) Each agency must periodically conduct a formal assessment of its information security and privacy processes and controls to determine the appropriateness of the design and implementation of controls, and the extent to which the controls are operating as intended and producing the desired outcome (e.g. NIST 800-115, NIST 800-53A).

4.203 (P1) Each agency must ensure that risk assessments identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the agency.

4.204 (P3) Each agency must develop and periodically update a Plan of Action & Milestones (POAM) document that must identify any deficiencies related to internal security controls. The POAM must identify planned, implemented, and evaluated remedial actions to correct deficiencies noted during assessments.

4.205 (P1) Each agency must establish a process and assign a senior-level executive or manager to determine whether or not risks can be accepted; for each of the risks identified following the risk assessment, the designated personnel within the agency must make a decision regarding risk treatment.

4.300 (P2) Risk Mitigation: Each agency must mitigate its risks in alignment with its risk management strategy.

4.301 (P2) Each agency must establish and implement controls to ensure risks are reduced to an acceptable level based on security requirements, once threats have been identified and decisions for the management of risks have been made.

4.302 (P2) Each agency must determine and document the acceptable level of risk for various threats based on the business requirements and the potential impact of the risk to the agency.

5.100 (P1) Physical Access: Each agency must ensure that information systems and media are appropriately protected against unauthorized physical access.

5.101 (P1) Each agency must establish formal, documented procedures to facilitate the implementation of physical and environmental protection controls.

5.102 (P1) Each agency must establish procedures to review the physical and environmental protection procedures and keep them current.

5.103 (P1) Each agency must develop, approve, and maintain a list of personnel with authorized access to the facility where information systems are physically located.

5.104 (P1) Each agency must establish a process to review, approve, and issue credentials for facility access.

5.105 (P1) Each agency must remove individuals from the facility access list when access is no longer required.

5.106 (P1) Each agency must ensure that facilities housing systems containing sensitive data are protected against unauthorized physical access (e.g. keycards, keys, security guards).

5.107 (P1) Each agency must maintain physical access audit logs for facilities housing systems containing sensitive data.

5.108 (P1) Each agency must maintain, 24 hours per day, 7 days per week, guards and/or alarms to monitor physical access points to facilities housing systems containing sensitive data.

5.109 (P1) Each agency must perform security assessments on an annual basis at the physical boundary of facilities housing sensitive data, to determine the risk of unauthorized exfiltration of information or removal of information system components.

5.110 (P1) Each agency must establish a process to escort visitors and monitor their activity within facilities housing systems containing sensitive data.

5.111 (P1) Each agency must change combinations and keys at defined intervals, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

5.112 (P1) Each agency must control physical access to information system distribution and transmission lines within the data center(s) using physical access control devices (e.g., keycards or keys).

5.113 (P2) Each agency must place output devices (e.g. printers, fax machines, copiers) in secured areas and in locations that can be monitored by authorized personnel, and allow access to authorized individuals only.

5.114 (P1) Each agency must review physical access logs at a defined frequency and upon occurrence of security incidents.

5.115 (P3) Each agency must ensure that visitor access records for facilities housing systems containing sensitive information are retained for a minimum of 1 year.

5.116 (P2) Each agency must establish processes to authorize, monitor, and control sensitive information systems and media entering and exiting facilities.

5.200 (P1) Environmental Security: Each agency must ensure that information systems and media are appropriately protected against environmental hazards, in alignment with its business continuity risk management strategy.

5.201 (P1) Each agency must place power equipment and cabling in safe locations to prevent environmental and/or man-made damage and destruction.

5.202 (P1) Each agency must make available the capability of shutting off power to data system facilities during an incident.

5.203 (P1) Each agency must place emergency shutoff switches or devices at locations which can be safely and easily accessed by personnel during an incident.

5.204 (P1) Each agency must implement physical and logical controls to protect emergency power shutoff capability from unauthorized activation.

5.205 (P1) Each agency must implement an uninterruptible power supply to facilitate transition to long-term alternate power in the event of a primary power source loss.

5.206 (P1) Each agency must install and maintain fire detection and suppression devices that are supported by an independent power source.

5.207 (P1) Each agency must employ fire detection devices/systems that activate automatically and notify emergency personnel and defined emergency responder(s) in the event of a fire.

5.208 (P1) Each agency must employ an automatic fire suppression system if the data system facility is not staffed on a continuous basis.

5.209 (P1) Each agency must employ automatic temperature and humidity controls in the data system facilities to prevent fluctuations potentially harmful to processing equipment.

5.210 (P1) Each agency must employ temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

5.211 (P1) Each agency must protect processing equipment from damage resulting from water leakage.

5.300 (P1) Disposal of Equipment and Media: Each agency must ensure that information systems and media are appropriately disposed of, to ensure the confidentiality of sensitive data.

5.301 (P1) Each agency must define and implement mechanisms for disposal of digital media and data storage devices.

5.302 (P1) Each agency must employ sanitization mechanisms with strength and integrity commensurate with the classification of data to be sanitized.

5.303 (P1) Each agency must establish processes for cleansing and disposal of computers, hard drives, and fax/printer/scanner devices.

5.304 (P1) Each agency must implement controls to track and verify sanitization of devices prior to disposal.

6.100 (P1) Human Resource Compliance: Each agency must ensure that human resource processes appropriately support security and privacy processes and controls related to personnel.

6.101 (P1) Each agency must define security roles and responsibilities of employees, contractors, and third party personnel, and must document these in accordance with the organization's information security procedures.

6.102 (P1) Each agency must ensure background verification checks on candidates for employment, including contractors and third party users. These checks must be aligned with the nature and sensitivity of the data and systems the personnel will have access to, and must be carried out in accordance with applicable laws.

6.103 (P1) Each agency must ensure that, upon termination or transfer of employment for employees, or termination of engagement for non-employees, personnel return to the agency all agency physical documents (and all copies thereof) and other agency property and materials in their possession or control, and certify the secure erasure or destruction of any agency electronic information.

6.104 (P3) Each agency must ensure that employees, contractors, and third party users agree to and sign an acceptable use policy, which must state responsibilities for information security.

6.200 (P1) Security Awareness Training: Each agency must ensure that all personnel receive training designed to improve their awareness of basic security and privacy issues.

6.201 (P1) Each agency must require employees, contractors, and third party users to apply security in accordance with established policies and procedures of the organization, where such personnel have responsibilities for agency information, systems, media, or facilities housing such items.

6.202 (P1) Each agency must ensure employees, contractors, and third party users receive security and privacy awareness training, and regular updates about organizational policies and procedures, as relevant for their job function.

6.203 (P1) Each agency must ensure that training is accompanied by an assessment test, in order to determine comprehension of key cyber security concepts.

6.204 (P1) Each agency must require that each user of agency information receives some minimum level of awareness training prior to being granted access to agency information.

6.205 (P1) Each agency must appoint a cyber security awareness training coordinator to manage training content, schedules, and user training completion status.

6.206 (P1) Each agency must ensure that its cyber security training coordinator, along with the agency information security liaison, reviews training content on an annual basis to ensure that it aligns with all relevant compliance requirements.

7.100 (P1) Mobile Security: Each agency must ensure that all handheld computing devices and portable storage devices used by agency personnel for agency data are appropriately secured.

7.101 (P1) Each agency must allow portable storage devices to be used for agency data only when these devices are assigned and identified to an individual owner.

7.102 (P1) Each agency must allow only portable storage devices that support secure erasure or destruction to be used with non-public agency data.

7.103 (P1) Each agency must allow only handheld computing devices that can be remotely wiped/erased to be used with non-public agency data.

7.104 (P1) Each agency must develop usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled handheld computing devices.

7.105 (P1) Each agency must develop a list of approved handheld computing device platforms, and ensure that only approved devices are allowed to access the agency's non-public networks and information systems.

7.106 (P1) Each agency must develop and apply adequate asset management procedures to all agency-issued handheld computing devices.

7.107 (P1) Each agency must ensure that handheld computing devices used to access non-public agency data are configured with encryption of data at rest.

7.108 (P1) Each agency must implement controls to ensure the installation of standardized operating systems, applications, and patches on agency-issued handheld computing devices.

7.109 (P1) Each agency must ensure that non-public agency information is securely erased from any handheld computing device used to access such data, before the device is disposed of or transferred to another person.

7.110 (P1) Each agency must deploy administrative and technical controls to mitigate risks associated with lost or stolen handheld computing devices.

7.111 (P1) Each agency must ensure, for agency-issued handheld computing devices and where feasible, the testing of vendor-recommended patches, hot-fixes, or service packs before such changes are approved for installation, and a process to keep system hardware, operating system, and applications up to date with the approved system updates.

7.112 (P1) Each agency must ensure that each agency-issued handheld computing device is configured so that only approved services and software are enabled and/or installed.

7.113 (P1) Each agency must protect all handheld computing devices with a password or Personal Identification Number (PIN).

7.114 (P1) Each agency must ensure all handheld computing devices have timeout/locking features.

7.115 (P1) Each agency must develop controls for the protection of data storage on handheld computing devices, including their removable media.

7.116 (P1) Each agency must protect the storage and transmission of information on agency-issued portable storage and handheld computing devices by scanning the devices for malicious code. If a portable storage or handheld computing device is used for transitional storage of sensitive data (e.g., copying data between systems), the data must be securely deleted from the device immediately upon completion.

7.117 (P1) Each agency must develop a process for users to notify designated personnel when a device is lost or stolen. The process must include remote wiping/erasing of handheld computing devices.

7.118 (P1) Each agency must ensure that the physical security of each portable storage or handheld computing device is the responsibility of the person to whom the device has been assigned. Each device must be kept in the assigned person's physical presence whenever possible. Whenever a device is being stored, it must be stored in a secure place, preferably out of sight.

7.200 (P1) Removable Media Security: Each agency must ensure that all removable media used by agency personnel for agency data are appropriately secured.

7.201 (P1) Each agency must protect information system media until the media is destroyed or sanitized using approved processes.

7.202 (P1) Each agency must physically control and securely store digital (e.g., CD, flash drives) and non-digital (e.g., paper) media within secured locations, when such media contain non-public information.

7.203 (P1) Each agency must employ encryption mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas.

7.204 (P1) Each agency must ensure accountability for removable media during transport outside of controlled areas.

7.205 (P1) Each agency must ensure that removable media are securely erased or destroyed, and that paper media are securely destroyed, prior to disposal, for any such media containing non-public information.

7.300 (P1) Portable Computing Device Security: Each agency must ensure that all portable computing devices such as laptops used by agency personnel for agency data are appropriately secured.

7.301 (P1) Each agency must employ encryption at rest to protect the confidentiality of information stored on portable computing devices such as laptops.

7.302 (P1) Each agency must ensure that each portable computing device is configured so that only approved services and software are enabled and/or installed.

7.303 (P1) Each agency must ensure that each portable computing device is covered by a configuration management process that includes flaw remediation, such as installing the most current stable security patches, critical security updates, and hot fixes.

7.304 (P1) Each agency must ensure automatic update of virus definition files on portable computing devices.

7.305 (P1) Each agency must ensure a firewall is configured on each portable computing device, and prohibit users from making firewall configuration changes.

7.306 (P1) Each agency must ensure asset tags are placed on portable computing devices.

7.307 (P1) Each agency must ensure peer-to-peer (ad-hoc) wireless connections on all portable computing devices are disabled.

8.100 (P1) Asset Identification: Each agency must ensure that all of its information assets, including agency-specific applications, datastores, computing platforms, and network platforms, are inventoried and classified according to data sensitivity and other compliance requirements.

8.101 (P1) Each agency must document and maintain inventories of the important assets associated with each information system. Asset inventories must include a unique system name, a system/business owner, a data classification, and a description of the location of the asset. Examples of assets associated with information systems are:
    Information assets: databases and data files, system documentation, user manuals, training material, operational procedures, disaster recovery plans, archived information.
    Software assets: application software, system software, development tools and utilities.
    Computing assets: servers, desktops, laptops, smartphones.
    Networking assets: routers, switches, access points.
    Storage assets: disk arrays, SANs, tapes, portable storage.
    Services: computing, application, and storage services.

8.102 (P2) Each agency must require user acknowledgement of all rules and regulations pertinent to an asset, prior to issuing or permitting access to the asset.

8.103 (P1) Each agency must periodically review asset records to ensure that each is classified appropriately and that the safeguards remain valid and operative.

8.104 (P1) Each agency must classify assets into the data sensitivity classification types in the State of South Carolina Data Classification Schema: Public, Internal, Confidential, Restricted.

8.105 (P1) Each agency must ensure that each asset is classified based on data classification type and impact level, and that the appropriate level of information security safeguards is available and in place.

9.100 (P1) Security Performance Metrics: Each agency must participate in the DIS-defined collection and reporting of security performance metrics, in order to inform the management decisions of agency and state executive stakeholders.

9.101 (P1) Each agency must monitor and report performance metrics as specified by the Division of Information Security (DIS), to demonstrate progress in adoption of security controls and associated policies and procedures, and the effectiveness of the information security program.

9.102 (P1) DIS must define performance measures to be able to support the determination of information system security posture, demonstrate compliance with requirements, and identify areas of improvement.

9.103 (P1) DIS must ensure that the defined metrics are meaningful, yield impact and outcome findings, and are scheduled for collection with the time necessary for stakeholders to use the results to address performance gaps.

9.104 (P1) DIS must standardize the data collection methods and data repositories used for metrics data collection and reporting to ascertain the validity and quality of data.

9.200 (P1) Third Party Risk Management: Each agency must ensure that agency business functions conducted by third parties are performed in compliance with all statutes, regulations, and other obligations incumbent on the agency.

9.201 (P1) Each agency must establish processes to ensure that third parties comply with information security requirements and employ defined security controls in accordance with compliance requirements incumbent on the agency.

9.202 (P1) Each agency must implement processes, methods, and techniques to review compliance by third parties on an ongoing basis.

9.203 (P1) Each agency must establish a process to conduct risk assessments on third party service providers, and document the risk assessment results.

9.204 (P1) Each agency must implement controls to help ensure that risk assessments are updated in case of major changes in scope of services or contractual changes with third parties.

9.205 (P1) Each agency must authorize connections between agency information systems and third party information systems by entering into Interconnection Security Agreements.

9.206 (P1) Each agency must ensure that for each third party system interface with an agency system, the interface characteristics, security requirements, and the nature of the information communicated are documented.

9.207 (P1) Each agency must establish terms and conditions for trust relationships established with other entities owning, operating, or maintaining external information systems on behalf of the agency. Terms and conditions should control:
    Access to agency information systems from third party information systems.
    Controls for processing, storing, or transmitting of agency data by third party information systems.

9.208 (P1) Each agency must review and update third party security agreements on an annual basis, or as defined in the contract.

9.209 (P0) Each agency must share personally identifiable information (PII) with third parties only for purposes in compliance with applicable statutes and regulations.

9.210 (P0) Each agency using a third party to process or store unencrypted sensitive data must enter into a binding agreement with the third party, describing the types of sensitive data covered, and specifically enumerating the purposes for which the data may be used.

9.211 (P0) Each agency must monitor, audit, and train its staff on the authorized sharing of sensitive data with third parties and on the consequences of unauthorized use or sharing of such data.

9.212 (P0) Each agency must evaluate any proposed new instances of sharing sensitive data with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.

10.100 (P1) Contingency Planning: Each agency must ensure that the business functions supporting any critical agency missions can be restored to functionality in the event of disruption, breach, or failure.

10.101 (P1) Each agency must establish a formal, documented contingency planning process that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

10.102 (P1) Each agency must establish a formal process for annual contingency planning policy and procedure review and update.

10.103 (P1) Each agency must conduct a Business Impact Analysis (BIA) to identify functions, processes, and applications that are critical to the agency, and determine the point in time (i.e. the recovery time objective (RTO)) at which the impact of an interruption or disruption becomes unacceptable to the agency.

10.104 (P1) Each agency must utilize the BIA results to determine potential impacts resulting from the interruption or disruption of critical business functions, processes, and applications.

10.105 (P1) Each agency must assign contingency roles and responsibilities to key individuals from all business functions.

10.106 (P1) Each agency must establish procedures to maintain continuity of critical business functions in the cases of critical information system disruption, breach, or failure.

10.107 (P1) Each agency must document a Business Continuity Plan (BCP) that addresses documented recovery strategies designed to enable the agency to respond to potential disruptions and recover its critical business functions within a predetermined RTO following a disruption.

10.108 (P1) Each agency must establish a process to ensure that the BCP is reviewed and approved by senior management.

10.109 (P1) Each agency must distribute copies of the BCP to key personnel responsible for the recovery of the critical business functions and other relevant personnel and partners with contingency roles, as determined by the agency.

10.110 (P1) Each agency must establish and implement procedures to review the BCP at planned intervals and at least on an annual basis.

10.111 (P1) Each agency must establish a process to update the contingency plan, including the BIA, when changes to the organization, information system, or environment of operation occur.

10.112 (P2) Each agency must provide training to personnel with assigned BCP roles and responsibilities.

10.113 (P2) Each agency must establish a process for evaluating the effectiveness of its BCP training.

10.114 (P2) Each agency must incorporate simulated events and lessons learned into contingency training to facilitate effective response by personnel with contingency roles when responding to disruption.

10.115 (P2) Each agency must test the BCP at least annually to determine the effectiveness of the plan and the agency's readiness to execute the plan.

10.116 (P2) Each agency must review the BCP test results, record lessons learned, and perform corrective actions as needed.

10.117 (P2) Each agency must employ standard testing methods, ranging from walk-through and tabletop exercises to more elaborate parallel/full interrupt simulations, to determine the effectiveness of the plan and to identify potential weaknesses in it.

0.000 0.000 0 0
10.200 Disaster Recovery: Each agency must ensure that the business P1
functions supporting any critical agency missions can be
restored to functionality in the event of catastrophic disruption.
10.201 Each agency must develop a Disaster Recovery Plan P1
(DRP) that addresses scope, roles, responsibilities,
and coordination among organizational entities for
reallocating information systems operations to an
alternate location.

10.202 Each agency must establish recovery time objectives (RTOs) for the BIA-identified critical information systems. P1

10.203 Each agency must establish and document procedures to fully restore critical information systems after an incident, minimizing deterioration of the security safeguards originally planned and implemented. P1

10.204 Each agency must assign disaster recovery roles and responsibilities to key individuals. P1

10.205 Each agency must establish a process to ensure that the DRP is reviewed and approved by senior management. P1

10.206 Each agency must distribute copies of the DRP to key personnel responsible for the recovery of the critical information systems and to other relevant personnel and partners with contingency roles, as determined by the agency. P1

10.207 Each agency must establish and implement procedures to review the DRP at planned intervals and at least on an annual basis. P1

10.208 Each agency must establish a process to update the DRP when changes to the organization or environment of operation occur. P1

10.209 Each agency must identify and establish processes to relocate to an alternate site to facilitate the resumption of information system operations for business-critical functions within the defined recovery objectives (RTO and Recovery Point Objective (RPO)) when the primary site is unavailable due to disruption. P1

10.210 Each agency must ensure that equipment and supplies required to resume operations at the alternate processing site are available. P1

10.211 Each agency must ensure contracts are in place with third parties and suppliers to support delivery to the site within the defined time period for transfer/resumption of critical business operations. P1

10.212 Each agency must ensure that the alternate processing site provides information security safeguards similar to those of the primary site. P1

10.213 Each agency must identify potential accessibility problems to the alternate site in the event of an area-wide disruption or disaster. P1

10.214 Each agency must establish primary and alternate telecommunication service agreements with priority-of-service provisions in accordance with organizational availability requirements (including RTOs), quality of service, and access. P1

10.215 Each agency must establish alternate telecommunications services to facilitate the resumption of information system operations for critical business functions within the defined recovery objectives when the primary telecommunications capabilities are unavailable. P1

10.216 Each agency must require primary and alternate telecommunication service providers to have contingency plans. P1

10.217 Each agency must establish documented procedures to restore and recover critical business activities from the temporary measures adopted to support normal business requirements after an incident. P1

10.218 Each agency must implement procedures for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. P1

10.219 Each agency must provide the capability to restore information system components within defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components (e.g., reimaging methods). P1

10.220 Each agency must establish measures to protect backup and restoration hardware, firmware, and software. P1

10.300 Data Backups: Each agency must ensure that the business data supporting any critical agency missions can be restored to functionality in the event of loss or corruption. P1

10.301 Each agency must develop, maintain, and document a data backup and storage process that ensures the ability to recover electronic information in the event of failure. P1

10.302 Each agency must identify and apply security requirements for protecting data backups based on the different types of data handled by the agency. P1

10.303 Each agency must identify an alternate storage site that is separated from the primary site so as not to be susceptible to the same hazards. P1

10.304 Each agency must establish necessary agreements with the alternate storage site owner to ensure that data storage and retrieval processes are not hindered during or after an incident. P1

10.305 Each agency must ensure that the alternate storage site provides information security safeguards similar to those of the primary storage site. P1

10.306 Each agency must identify potential accessibility problems to the alternate storage site in the event of a disruption or disaster. P1

10.307 Each agency must identify secure transfer methods when transporting backup media off-site. P1

10.308 Each agency must establish and maintain an authorization list for retrieving backups from the off-site location. P2

10.309 Each agency must review on an annual basis the security of the off-site location to ensure data is protected against unauthorized disclosure or modification while in storage. P1

10.310 Each agency must establish a process to perform data backups of user-level and system-level information at a defined frequency consistent with the established RTOs and RPOs. P1

10.311 Each agency must establish safeguards and controls to protect the confidentiality, integrity, and availability of backup information at storage locations. P1

10.312 Each agency must enforce dual authorization (two-person control) for the deletion or destruction of agency mission-critical data. P1

11.100 Vulnerability Management: Each agency must ensure that its information systems are periodically checked for vulnerabilities, and that findings are appropriately remediated. P1

11.101 Each agency must ensure that processes are in place to scan for vulnerabilities in information systems and hosted applications at least annually, and that results are reported to management. P1

11.102 Each agency must ensure that privileged access to vulnerability scanning tools and vulnerability reports is appropriately controlled. P1

11.103 Each agency must ensure remediation of identified vulnerabilities is performed in accordance with the agency's risk management criteria and processes. P1

11.104 Each agency must ensure that penetration testing exercises are performed on an annual basis, either by use of internal resources or by employing a third-party penetration testing team. P2

11.200 Incident Management: Each agency must ensure that information security incidents occurring within the agency are appropriately handled. P1

11.201 Each agency must develop, document, and internally publish an incident response process that addresses scope, roles and responsibilities, internal coordination efforts, and compliance. P1

11.202 Each agency incident response plan must include the following: P1
Compatible interaction with the state-level incident response process published by DIS.
Types of information security incidents to be reported.
Metrics to ensure incident response capabilities remain effective.
Resources, such as technology and personnel, required to effectively support incident response capabilities.
A roadmap for implementing incident response capabilities.

11.203 Each agency must review and update the incident response plan on an annual basis. P1

11.204 Each agency must ensure that information security incident handling processes include preparation, detection and analysis, containment, eradication, and recovery. P1

11.205 Each agency must ensure the implementation of incident response tools, such as intrusion detection, firewalls, and incident investigation tools, to effectively respond to security incidents. P1

11.206 Each agency must ensure that personnel are required to report suspected information security incidents to the incident response team or agency leadership. P1

11.207 Each agency must ensure that information systems are sufficiently monitored to detect attacks and/or signs of potential attacks, including unauthorized local or remote network connections. P1

11.208 Each agency must ensure that monitoring devices are deployed strategically within the information technology environment to collect information security events and associated information. P1

11.209 Each agency must ensure the protection of information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. P1

11.210 Each agency must ensure the monitoring of inbound and outbound communications traffic from sensitive information systems for unusual or unauthorized activities or conditions. P1

11.211 Each agency must ensure that information system monitoring activity is appropriately adjusted for new and increased sources of risk. P1

11.212 Each agency must provide incident response training within one (1) month of personnel assuming incident response roles or responsibilities. P2

11.213 Each agency must provide training to incident response personnel upon significant changes to information systems and/or changes to the incident response plan. P2

11.214 Each agency must establish a formal process to test incident response capabilities on a yearly basis to determine the incident response effectiveness and adequacy. P2

11.215 Each agency must document the incident response test results and update incident response processes as applicable. P2

11.216 Each agency must ensure malicious code protection mechanisms are employed for information systems to detect and eradicate malicious code. P1

11.217 Each agency must ensure malicious code protection mechanisms are updated whenever new releases are available. P1

11.218 Each agency must ensure malicious code protection mechanisms are configured to perform periodic scans at defined time intervals. P1

11.219 Each agency must ensure malicious code protection mechanisms are configured to send an alert to appropriate personnel, to initiate appropriate actions in response to malicious code detection. P1

11.300 Patch Management: Each agency must ensure that flaws in its information systems are remediated appropriately. P1

11.301 Each agency must develop and implement a process to identify, report, and correct information system flaws. P1

11.302 Each agency must establish a formal process to test software and firmware updates related to flaw remediation for effectiveness and identification of potential impact prior to implementation. P1

11.303 Each agency must install the latest stable versions of applicable security software and firmware updates. P1

11.304 Each agency must establish a patch cycle that guides the normal application of patches and updates to systems. P1

11.305 Each agency must establish a patch testing process to verify the source and integrity of the patch and to ensure testing in a production-mirrored environment for a smooth and predictable patch rollout. P1

12.100 Data Classification: Each agency must ensure the information processed, stored, or transmitted by its information systems and information repositories is appropriately classified, so that compliance obligations may be identified. P1

12.101 Each agency must categorize data in accordance with applicable statutory, regulatory, and contractual requirements. Each data asset must be classified into one of the following categories: P1
1. Public: Information intended or required for sharing publicly, where unauthorized disclosure would result in minimal or no risk to the agency.
2. Internal Use: Information that is used in daily operations of the agency, where unauthorized disclosure would result in little risk to the agency.
3. Confidential: Confidential information refers to sensitive information, where unauthorized disclosure may result in considerable risk to the agency.
4. Restricted: Restricted information is highly sensitive information, where unauthorized disclosure may result in considerable risk to the agency, including statutory penalties.

12.102 Each agency must ensure that users who encounter information that is improperly classified consult with the owner of the information, agency information privacy personnel, or agency information security personnel to determine the appropriate data classification. P1

12.103 If multiple data fields with different classifications have been combined, the highest classification of information included must determine the classification of the entire set. P1

12.200 Data Disposal: Each agency must ensure the information stored on its information systems, information repositories, and media is securely erased or destroyed prior to the disposal of the device or media. P1

12.201 Each agency must develop a list of approved processes for sanitizing electronic and non-electronic media prior to disposal or re-purposing, based on applicable regulatory requirements. P1

12.202 Each agency must employ sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information. P1

12.203 Each agency must implement controls to track the media sanitization and disposal process wherever compliance requirements dictate that such actions must be tracked, documented, and verified. Documentation must provide a record of the media sanitized, when and how the media was sanitized, the person who performed the sanitization, and the final disposition of the media. The record of action taken must be maintained in a written or electronic format. P1

12.204 Each agency must test media sanitization equipment and procedures at least annually to ensure correct performance. P1

12.205 Each agency must ensure that electronic media are securely erased prior to being reassigned or released for destruction. P1

12.206 Each agency must define and implement mechanisms for disposal of digital media and data storage devices contained in equipment to be released outside of the agency. P1

12.207 Each agency must destroy hardcopy media containing sensitive information prior to disposal. P1

12.208 Each agency must monitor the destruction of hardcopy media where required for statutory or regulatory compliance. P1

12.300 Data Protection: Each agency must ensure the information processed, stored, or transmitted during its business processes is appropriately protected. P1

12.301 Each agency must ensure that its personnel follow the agency's acceptable use policies when transmitting data. P1

12.302 Each agency must implement mechanisms to ensure availability of information in the event of the loss of cryptographic keys by users. P1

12.303 Each agency must implement mechanisms to ensure the confidentiality of private keys. P1

12.304 Each agency must develop a mechanism to randomly select a key from the entire key space, using effective randomization. P1

12.305 Each agency must implement appropriate controls to physically and logically safeguard encryption keys through all phases of the key lifecycle, from construction through receipt, installation, operation, and removal from service. P1

12.306 Each agency must use Federal Information Processing Standards (FIPS-140) validated technology for encrypting sensitive data. P1

12.307 Each agency must ensure that sensitive data transmitted by email is securely encrypted. P1

12.308 Each agency must ensure that sensitive information transmitted through a public network is encrypted prior to transmittal, or is transmitted through an encrypted connection. P1

12.309 Each agency must ensure that sensitive information transmitted wirelessly is encrypted prior to transmittal, or is transmitted through an encrypted connection. P1

12.400 Data Privacy: Each agency must ensure that the interests of data subjects are appropriately protected. P1

12.401 Each agency must designate an individual who has primary responsibility for information privacy decisions. P1

12.402 Each agency must conduct a Privacy Impact Assessment (PIA) for each information system that will handle Personally Identifiable Information (PII). Each PIA should examine the following privacy issues: P0
What PII is to be collected.
What the intended use of the PII is.
What PII will be shared, and with whom.
How long the PII will be retained.
What privacy risks are posed by the intended use and sharing of the collected PII.
What privacy risks are posed by unintended disclosure of the collected PII.
What steps are taken to inform users about the PII collected and what mechanisms they can use to control it.
What opportunities individuals have to decline to provide PII.
What steps are taken to minimize the types of PII collected.
What mechanisms are available for data subjects to update or correct their PII.
What opportunities individuals have to remove PII once collected.
How the PII is to be secured.
What processes are established to resolve privacy issues.

12.403 Each agency must update PIAs when a system change creates changes in privacy risks. P0

12.404 Each agency must ensure that PIA documents are reviewed by an agency executive or designee with authority for issues of information privacy. P0

12.405 Each agency must require each member of agency personnel and each third party with access to PII to sign a confidentiality agreement defining responsibilities. P0

12.406 Each agency must publish a privacy web statement on each agency website used by the public. Each website privacy statement should include, as specifically applicable to the site: P0
What PII is to be collected.
What the intended use of the PII is.
What PII will be shared, and with whom.
How long the PII will be retained.
What opportunities individuals have to decline to provide PII.
What mechanisms are available for data subjects to update or correct their PII.
What opportunities individuals have to remove PII once collected.
How the PII is to be secured, in a non-technical summary.
What processes are established to resolve privacy issues.

13.100 Change Management: Each agency must ensure that changes to information systems are conducted in such a way that disruption to production is minimized, and stakeholders are given appropriate awareness and opportunity for feedback. P1

13.101 Each agency must establish a change management process, including the following elements: P1
Change requests are handled in a structured way that determines the impact on the operational system and the business processes it supports.
Changes to production environments, including emergency maintenance and patches, must be formally managed.
Changes are categorized, prioritized, and authorized.
After implementation, changes are reviewed to ensure correct functionality.
Changes to production environments are adequately tested.
An emergency change process is defined for testing, documenting, assessing, and authorizing changes that do not follow the established change process.

13.200 Configuration Management: Each agency must ensure that information system baseline configurations are managed to minimize risk of incompatibility and of unauthorized change. P1

13.201 Each agency must ensure that system baseline configurations are developed, reviewed, and formally approved for critical information systems and infrastructure components. P1

13.202 Each agency must ensure that changes to baseline configurations follow a process to identify, review, perform security impact analysis on, test, and approve such changes prior to implementation. P1

13.203 Each agency must ensure that baseline configurations are recorded in a central repository, with access restrictions to prevent unauthorized changes. P1

13.204 Each agency must ensure that prior versions of baseline configurations are retained to be able to support rollback. P1

13.205 Each agency must ensure the review and update of baseline configurations periodically, and as an integral part of information system component installations or upgrades. P1

13.206 Each agency must ensure that responsibilities for developing and managing the configuration management process are assigned to personnel who are not directly involved in system development activities. P1

13.300 System Development and Maintenance: Each agency must ensure that system development efforts are performed with appropriate consideration for information confidentiality, integrity, and availability. P1

13.301 Each agency must ensure that system security plans are documented for critical enterprise information systems in production and under development. System security plans must provide an overview of the security requirements of the system, and describe the controls in place for meeting the requirements through all stages of the system development life cycle. P1

13.302 Each agency must ensure that when a system is modified in a manner that affects security, system documentation is updated accordingly. P1

13.303 Each agency must ensure that a vulnerability assessment is performed on all enterprise information systems undergoing significant changes, before the systems are moved into production. P1

13.304 Each agency must develop and follow a set of procedures consistent with state procurement standards. P1

13.305 Each agency must ensure that information systems and services it procures are implemented or conducted in compliance with all provisions of the state's Information Security Program that are applicable to the systems or services being procured. P0

13.306 Each agency must ensure that appropriate security controls are implemented at all stages of the information system life cycle. P1

13.307 Each agency must ensure that outsourced software development is performed in compliance with all applicable provisions of the state's Information Security Program. P1

13.308 Each agency must ensure that, for any system development effort, separate development, testing, and production environments are established. P1

13.309 Each agency must not use sensitive production data for testing purposes unless the data has been obfuscated, sanitized, or declassified. If production data must be temporarily used in these environments, appropriate security controls, including management approval, procedures to remove/delete data after completion of tests, and documentation of activities, must be implemented. P2

13.310 Each agency must ensure for system development efforts that appropriate testing is performed to ensure correct processing. P1

13.311 Each agency must ensure for system development efforts that, where appropriate, controls are implemented to ensure user session isolation, information integrity, and protection of information transmission. P1
13.400 Release Management: Each agency must ensure that information system version releases into production are conducted in a way that minimizes risk to the confidentiality, integrity, and availability of those systems. P1

13.401 Each agency must ensure that production-ready release packages of mission-critical systems are deployed using the release management lifecycle (i.e., plan, prepare, build and test, pilot, and deploy). P1

13.402 Each agency must determine, as part of the release planning process: P1
Resources required to deploy the release.
Build and test plans prior to implementation.
Pass/fail criteria.
Pilot and deployment plans.
Requirements for the release.

13.403 Each agency must document, as part of a system release, the set of tools and processes used to manage the IT release lifecycle, and the prioritization of the release. P2

13.404 Each agency must validate the release design against the requirements, and identify the risks and potential issues. P2

13.405 Each agency must implement standardization and enforce operational controls through the use of change requests for deploying releases into production. P1
M/L), and tracking percent complete.

Gaps Remediation Plans
Total Progress: 0%
Columns: Remediation Effort (S/M/L), Remediation Progress %, Exception, Documentation Location
Minimum Acceptable Security for Hosted Services
Service hosting providers should be held to the standards marked "x" when state data will be processed, stored, or
transmitted through hosted systems. Low applies to Public and Internal Use data. Moderate applies to Confidential and
Restricted data. Guidance for acceptable variance is provided in FedRAMP standards.
This spreadsheet compares SC Standards to FedRAMP requirements. A hosted service that is certified for FedRAMP Low or
Moderate baseline will also satisfy the corresponding SC Standard if marked with an "X" in the FedRAMP column.


DIS ID | Section Objective | SC State Policy Control | NIST ID | Priority Code | FedRAMP Low | FedRAMP Moderate
1.100 Information Security Plan: Each agency must formally authorize, document, prioritize, and provide resources for incorporating security and privacy controls into its business processes. P1

1.101 Each agency must develop and communicate an information security plan that outlines security requirements, the security management controls, and common controls in place for meeting those requirements. PM-1 P1

1.102 Each agency's security plan must identify and assign security program roles, responsibilities, and management commitment, and ensure coordination among the agency's business units, as well as compliance with the security plan. PM-1 P1

1.103 Each agency must ensure coordination among the agency's business units responsible for the different aspects of information security (i.e., technical, physical, personnel, etc.). PM-1 P1

1.104 Each agency must ensure that the security plan is approved by senior management. PM-1 P1

1.105 Each agency must periodically review the information security plan, staging each full review cycle across no more than a 3-year period. PM-1 P1

1.106 Each agency must update the security plan to address changes and problems identified during plan implementation or security control assessments. PM-1 P1

1.107 Each agency must protect the information security plan from unauthorized disclosure and modification. PM-1 P1

1.108 Each agency must consider resources needed to implement and maintain the information security plan in capital planning and investment requests. PM-1 P1

1.109 Each agency must follow a process for ensuring that an implementation plan is developed and executed to address identified security and privacy deficiencies. PM-4 P1

1.110 Each agency must review implementation plans for consistency with the agency's risk management strategy and priorities for risk response actions. PM-4 P1

1.111 Each agency must develop, monitor, and report on the results of information security and privacy measures of performance, as directed by the SC Division of Information Security or the SC Enterprise Privacy Office. PM-6 P1

1.200 Information Security Roles and Responsibilities: Each agency must formally document authority for security and privacy responsibilities within its organization. P1

1.201 Each agency's chief executive must ensure that the agency's senior officials are given the necessary authority to secure the operations and assets under their control. PM-2 P1

1.202 Each agency must appoint an information security liaison with the mission and resources to coordinate, develop, implement, and maintain an information security plan. PM-2 P1

1.203 Each agency must establish an information security workforce and professional development program appropriately sized to the agency's information security needs. PM-13 P1

1.204 Each agency must provide role-based security training to personnel with assigned security roles and responsibilities. AT-3 P1 x x
1.300 Information Security Policy Management: Each agency must formally evaluate its business processes, and ensure that these processes are designed in compliance with the state Information Security Program. P1

1.301 Each agency must adopt a risk-based approach to identify State and agency-specific information security and privacy objectives, and must develop information security procedures in alignment with the identified security objectives. PM-9 P1

1.302 Each agency must allocate the appropriate subject matter experts to the development of State and agency-specific information security procedures. PM-3 P1

1.303 Each agency must approach independent external (third-party) specialists to assist in the development of information security policies, procedures, or controls in cases where it is established that the required skills do not exist within the agency and are not available within any other state government agency. PM-15 P1

1.304 Each agency must work in collaboration with other states, the Federal government, and external special interest groups in cases where procedures directly or indirectly affect interfacing activities with them. P0

1.305 Each agency should ensure that information security and privacy policies, standards, guidelines, and procedures developed at the agency contain the following information, as appropriate: version, issued date, effective date, owner of document (identified by office or role), purpose, definitions, scope, directives, guidance, and revision history. PL-1 P1 x x

1.306 Each agency must review each draft procedure with stakeholders who would be impacted by the procedure, to ensure that the procedure is enforceable and effective. P0

1.307 Each agency must identify gaps within the procedures that are not enforceable and effective, must document the gaps, and must assign the appropriate resources to remediate the gaps. PM-4 P1

1.308 Each agency must develop and implement a communication plan to disseminate new procedures or changes to existing procedures. PL-1 P1 x x

1.309 Each agency may establish a procedure governance committee for the purpose of review and approval of procedures. PL-1 P1 x x

1.310 Each agency must implement mechanisms to help ensure that information security procedures will be available to the agency's personnel on a continuous basis and whenever required. PL-1 P1 x x

1.311 Each agency must require employees to review and acknowledge understanding of information security procedures prior to allowing access to sensitive data or information systems. PL-4 P2 x x

0.000 0.000 0 0 0
1.400 (P1) Information Security Controls: Each agency must ensure that security and privacy controls are implemented in compliance with the state Information Security Program.

1.401 (CA-2, P2) Each agency must adopt a risk-based approach to prioritize deployment of controls.

1.402 (PM-3, P1) Each agency must allocate the appropriate subject matter experts to the deployment of State and agency-specific information security controls.

1.403 (PM-15, P1) Each agency must approach independent external (third party) specialists to assist in the deployment of information security controls in cases where it is established that the required skills do not exist within the agency and are not available within any other state government agency.

1.404 (PM-2, P1) Each agency must ensure that controls which cannot be implemented due to the agency's resource or other constraints are reported as directed by the SC Division of Information Security or SC Enterprise Privacy Office.

1.405 (P0) Each agency must review each control with the stakeholders who will be impacted, to ensure that the control is enforceable and effective.

1.406 (PL-1, P1) Each agency must develop and implement a communication plan to disseminate new controls or changes to existing controls.

1.407 (PL-1, P1) Each agency must periodically review information security controls, staging each full review cycle across no more than a 3-year period.

2.100 (P1) Access Management: Each agency must ensure the management of information systems and user accounts, to appropriately secure legitimate user and system access.

2.101 (AC-1, P1) Each agency must establish or update formal, documented procedures for secure and compliant management of information systems, user accounts, and networks.

2.102 (AC-2, P1) Each agency must identify account types (e.g., individual, group, system, application, guest/anonymous, and temporary) and establish conditions for group membership.

2.103 (AC-2, P1) Each agency must identify authorized users of information systems and specify access rights.

2.104 (AC-2, P1) Each agency must establish a process to enforce that access requests are approved by a business or data owner (or delegate) prior to provisioning user accounts.

2.105 (AC-2, P1) Each agency must authorize and monitor the use of guest/anonymous and temporary accounts, and notify relevant personnel (e.g., account managers) when temporary accounts are no longer required.

2.106 (AC-2, P1) Each agency must establish a process to notify relevant personnel (e.g., account managers, system administrators) to remove or deactivate access rights when users are terminated or transferred, or when access rights requirements change.

2.107 (AC-2, P1) Each agency should remove, disable, or rename default user accounts. Where this is not possible, the agency should increase the required length or complexity of the password, or use additional factors for authentication.

2.108 (AC-5, AC-6, P1) Each agency must ensure that rights granted to accounts are based on the principles of need-to-know, least privilege, and separation of duties. Access not explicitly permitted should be denied by default.

2.109 (AC-2, P1) Each agency must ensure that access requests from users are recorded.

2.110 (AC-2, AC-6, P1) Each agency must ensure that privileged accounts (e.g., system / network administrators having root-level access, database administrators) are only provisioned after approval by an agency information security officer and/or similarly designated role. The approval must be granted to a limited number of individuals with the requisite skill, experience, business need, and documented reason based on role requirements.

2.111 (AC-2, P1) Each agency must ensure that privileged accounts are controlled, monitored, and can be reported on a periodic basis.

2.112 (AC-2, P1) Each agency must implement processes to enforce periodic user access reviews to be performed by information / data owners or their assigned delegates to ensure the following: current access rights are consistent with current agency access provisioning criteria, and there are no unnecessary duplicate user identifiers. Privileged accounts must be reviewed at least as often as semiannually. Standard accounts must be reviewed at least as often as annually.
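
Control 2.112 gives two review cadences and asks reviewers to find unnecessary duplicate identifiers. The Python below is an added illustration of how an owner or delegate could triage an account inventory before the review; it is not part of SCDIS-200 or of any agency tool. The inventory field names, the 182-day reading of "semiannually", and the sample records are assumptions constructed for the example.

```python
"""Access-review triage for SCDIS-200 control 2.112.

Added illustration, not part of the standard. It takes an account inventory
(field names and the sample records below are assumptions) and reports:
  - enabled privileged accounts not reviewed within the semiannual cadence,
  - enabled standard accounts not reviewed within the annual cadence,
  - user identifiers that occur more than once (case-insensitively).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# 2.112 cadences. 182 days is used for "semiannually" (an assumption); an agency may set a stricter figure.
REVIEW_INTERVAL = {
    "privileged": timedelta(days=182),
    "standard": timedelta(days=365),
}


@dataclass(frozen=True)
class Account:
    user_id: str
    privilege: str            # "privileged" or "standard" (assumed inventory field)
    last_reviewed: Optional[date]
    enabled: bool


def overdue_reviews(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (user_id, reason) for enabled accounts whose last owner review is older
    than the cadence for their privilege level, or that were never reviewed."""
    findings = []
    for acct in accounts:
        if not acct.enabled:            # disabled accounts are out of scope for the review cadence
            continue
        limit = REVIEW_INTERVAL[acct.privilege]
        if acct.last_reviewed is None:
            findings.append((acct.user_id, f"{acct.privilege} account never reviewed"))
            continue
        age = today - acct.last_reviewed
        if age > limit:
            findings.append((acct.user_id,
                             f"{acct.privilege} review overdue by {(age - limit).days} days"))
    return findings


def duplicate_identifiers(accounts: List[Account]) -> Dict[str, List[Account]]:
    """Group accounts by lower-cased user_id and keep the groups with more than one member.
    Disabled accounts are included: a disabled duplicate still confuses attribution
    in logs and can be silently re-enabled."""
    groups: Dict[str, List[Account]] = {}
    for acct in accounts:
        groups.setdefault(acct.user_id.lower(), []).append(acct)
    return {uid: members for uid, members in groups.items() if len(members) > 1}


# Constructed sample inventory; the reference day is the standard's effective date.
TODAY = date(2016, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "standard", date(2016, 3, 1), True),
    Account("asmith", "privileged", date(2015, 11, 15), True),
    Account("svc-backup", "privileged", None, True),
    Account("JDoe", "standard", date(2015, 1, 10), False),
    Account("rlee", "standard", date(2015, 5, 2), True),
]


if __name__ == "__main__":
    for user_id, reason in overdue_reviews(SAMPLE_ACCOUNTS, TODAY):
        print(f"REVIEW    {user_id:12} {reason}")
    for user_id, members in duplicate_identifiers(SAMPLE_ACCOUNTS).items():
        print(f"DUPLICATE {user_id:12} {[m.user_id for m in members]}")
```

Run with python3: three overdue findings and the jdoe/JDoe pair are printed. The disabled JDoe entry is skipped by the cadence check but still reported as a duplicate, because disabled duplicates are exactly what 2.112 asks the owner to remove: they defeat attribution in logs (see 2.302) and can be re-enabled without a fresh approval.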

2.113 (AC-2, P1) Each agency must regulate information system access and define security requirements for contractors, vendors, and other service providers.

2.114 (AC-6(5), P1) Each agency must establish procedures to administer privileged user accounts in accordance with a role-based access model.

2.115 (AC-3, P1) Each agency must enforce approved authorizations for logical (e.g., cyber or electronic) access to information systems.

2.116 (AC-17(2), P1) Each agency must implement encryption of data in motion to protect remote connections.

2.117 (AC-4, P1) Each agency must enforce information flow controls for its systems, to allow large Restricted data flows to transfer only to approved destinations.

2.118 (AC-5, P1) Each agency should implement controls in information systems to enforce separation of duties through assigned access authorizations, such as separation of security administration duties from security audit duties, administration duties for critical business systems separated among personnel, and separation of information system testing and production duties.

2.119 (AC-5, P1) Each agency should document and implement separation of duties through assigned information system access authorizations.

2.120 (AC-6, P1) Each agency must ensure that only authorized individuals have access to agency data, and that such access is controlled and audited in accordance with the concepts of need-to-know, least privilege, and separation of duties.

2.121 (AC-6, AC-6(1), AC-6(2), P1) Each agency must implement processes or mechanisms to disable file system access not required for duties, restrict database management to authorized database administrators, and restrict access to removable device/media boot functions to system administrators.

2.122 (AC-7, P2) Each agency must ensure that its information systems enforce a limit on unsuccessful logon attempts during an agency-defined period. The number of logon attempts must be commensurate with the classification of data hosted, processed, or transferred by the information system.

2.123 (AC-7, P2) Each agency must automatically lock user accounts after the maximum number of logon attempts is reached, and must establish an account lock time period commensurate with the classification of data hosted, processed, or transferred by the information system.

2.124 (AC-8, P1) Each agency system interface intended for non-public usage must display a warning before granting system access, addressing issues such as intended use of the system, applicable privacy disclosures, and other warnings as required for applicable regulatory or contractual obligations.

2.125 (AC-11, P3) Each agency's systems should disconnect sessions or require reauthentication after 30 minutes of inactivity.

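
Controls 2.122, 2.123 and 2.125 are normally enforced together in the authentication layer. The following Python is an added example, not part of the standard or of any agency system, of one way to do that: failed attempts are counted inside a sliding window, the account is locked for a classification-dependent period once the limit is reached, and an idle session expires after 30 minutes. The per-classification thresholds in POLICY are assumptions chosen for the example; SCDIS-200 only requires that they be commensurate with the data classification.

```python
"""Logon-attempt limiting, lockout and idle-session policy for SCDIS-200 controls
2.122, 2.123 and 2.125.

Added illustration, not part of the standard. The standard requires that the
attempt limit and lock period be commensurate with the data classification of
the system; the per-classification numbers in POLICY are assumptions chosen for
the example, not values prescribed by SCDIS-200.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# classification -> (max failed attempts, counting window in seconds, lock duration in seconds)
POLICY = {
    "public": (10, 900, 300),
    "internal": (5, 900, 900),
    "restricted": (3, 900, 1800),
}
IDLE_TIMEOUT_SECONDS = 30 * 60      # 2.125: 30 minutes of inactivity


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)   # times of failures inside the window
    locked_until: float = 0.0
    last_activity: Optional[float] = None


class LogonGuard:
    """Server-side state for one system. Times are seconds from an arbitrary epoch so the
    example is deterministic; production code would use a monotonic clock."""

    def __init__(self, classification: str):
        self.max_attempts, self.window, self.lock_seconds = POLICY[classification]
        self.accounts: Dict[str, AccountState] = {}
        self.audit: List[dict] = []       # every attempt is recorded, success or failure

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def _log(self, user: str, outcome: str, now: float) -> None:
        self.audit.append({"user": user, "outcome": outcome, "time": now})

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'granted'. The caller has already verified the
        credential and passes only the boolean; the user-facing message should be the
        same for 'locked' and 'denied' so the lock state is not an oracle."""
        st = self._state(user)
        if now < st.locked_until:             # a correct password does not bypass a lock
            self._log(user, "locked", now)
            return "locked"
        while st.failures and now - st.failures[0] > self.window:
            st.failures.popleft()             # forget failures outside the counting window
        if not password_ok:
            st.failures.append(now)
            if len(st.failures) >= self.max_attempts:
                st.locked_until = now + self.lock_seconds
                st.failures.clear()
                self._log(user, "lockout", now)
                return "locked"
            self._log(user, "denied", now)
            return "denied"
        st.failures.clear()
        st.last_activity = now
        self._log(user, "granted", now)
        return "granted"

    def touch(self, user: str, now: float) -> None:
        """Record user activity on an established session."""
        self._state(user).last_activity = now

    def session_valid(self, user: str, now: float) -> bool:
        """False once IDLE_TIMEOUT_SECONDS have elapsed since the last activity;
        the caller must then drop the session or demand reauthentication."""
        last = self._state(user).last_activity
        return last is not None and now - last < IDLE_TIMEOUT_SECONDS


if __name__ == "__main__":
    guard = LogonGuard("restricted")
    for t, ok in [(0, False), (10, False), (20, False), (30, True), (1820, True)]:
        print(t, guard.attempt("jdoe", ok, t))
    print("session valid at +29m:", guard.session_valid("jdoe", 1820 + 29 * 60))
    print("session valid at +30m:", guard.session_valid("jdoe", 1820 + 30 * 60))
```

Two details matter in practice. A correct password presented during the lock period is still refused and logged, otherwise the lock is worthless against an attacker who guesses correctly on the last permitted try; and the user-facing error for "denied" and "locked" should be identical (see 2.707), so that the lock state does not tell the attacker when to pause.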
2.200 (P1) Network Access Management: Each agency must ensure the management of networks to appropriately secure legitimate user and system access.

2.201 (AC-17, P1) Each agency must document allowed methods for remote access to the network and information systems.

2.202 (AC-17(1), P1) Each agency must utilize automated mechanisms to enable management to monitor and control remote connections into networks and information systems.

2.203 (AC-17(2), P1) Each agency must require Virtual Private Network (VPN) or equivalent encryption technology to establish remote connections into the agency's private networks.

2.204 (AC-17(3), P1) Each agency must restrict remote access to its private networks and systems to the mechanisms and protocols approved by the agency.

2.205 (IA-2, P1) Each agency must require two-factor authentication for remote connections by Virtual Private Network (VPN) or other such tunneling technologies.

2.206 (AC-17, P1) Each agency must develop formal procedures for authorized individuals to access its information systems from external systems, such as access allowed from an alternate work site (if required).

2.207 (AC-18, P1) Each agency must establish usage restrictions, configuration and connection requirements, and implementation guidance for wireless access.

2.208 (AC-18(1), P1) Each agency must only use wireless networking technology that enforces user authentication for access to non-public networks.

2.209 (AC-18, P1) Each agency must authorize wireless access to information systems prior to allowing use of wireless networks for access to non-public networks.

2.210 (AC-18(4), P1) Each agency must prohibit wireless access points from being installed independently by users.

2.211 (AC-20, AC-20(1), P1) Each agency must require that before agency data is processed or stored on a third-party system, the system is approved for such use by data owners, considering such issues as the classifications of data which may be used with the system, the permitted methods of connection to the system, and compliance of the system with state and agency policy.

2.212 (SC-7, P1) Each agency must segregate systems intended for internal use from systems intended for public use by means of separate physical or logical networks.

2.213 (SC-7, P1) Each agency's networks and information systems must not be accessible from public networks (e.g., the Internet) except under secured and managed interfaces employing boundary protection devices.

2.214 (SC-7(3), P1) Each agency must limit network access points to a minimum to enable effective monitoring of inbound and outbound communications and network traffic.

2.300 (P1) Identity Management: Each agency must ensure that legitimate users of systems are identified as appropriate to support security requirements.

2.301 (IA-2, P1) Each agency must establish processes to enforce the use of unique identifiers (User IDs) assigned to each member of agency personnel, including system users, technical support personnel, system operators, network administrators, system programmers, and database administrators.

2.302 (IA-4, P1) Each agency must prevent reuse of a user ID until all logs, documents, or other records referencing the user ID have reached the end of their retention periods.

2.303 (AC-2, P1) Each agency must allow the use of group IDs only where these are necessary for business or operational reasons; group IDs must be formally approved and documented.

2.304 (IA-2(5), P1) Each agency must ensure that where the agency requires use of group IDs, users are authenticated with an individual user ID prior to, or simultaneously with, using the group ID.

2.305 (AC-6(1), AC-6(3), P1) Each agency must minimize the use of system, application, or service accounts, and must document, formally approve, and designate an individual owner of each such account.

2.306 (IA-8, P1) Each agency must perform identification and authentication of any user accessing any system intended for internal-only use, and record logs sufficient to identify each user's network address.

2.400 (P1) Authentication: Each agency must ensure that legitimate users of systems are authenticated as appropriate to support security requirements.

2.401 (IA-2(4), IA-2(11), P1) Each agency must use multifactor authentication for remote user authentication to non-public systems, such that one factor is generated by a device other than the device from which the user connects.

2.402 (AC-7, P2) Each agency must implement mechanisms to record successful and failed authentication attempts.

2.500 (P1) Emergency Access: Each agency must ensure that privileged accounts that are shared (e.g., administrator, root, system) are appropriately protected, and that their usage is accounted to individual users.

2.501 (AC-2, P1) Each agency must establish processes and procedures for users to obtain access to required information systems on an emergency basis.

2.502 (AC-2, AC-2(2), P1) Each agency's emergency procedure must ensure that only identified and authorized personnel are allowed emergency access; that all emergency actions are documented in detail; that emergency accounts are removed, disabled, or resecured promptly upon conclusion of the emergency conditions; and that emergency actions are reported to management.

2.600 (P1) Password Security: Each agency must ensure that passwords are difficult to guess, and retained only by those persons who have a legitimate need to access the associated account.

2.601 (IA-5, IA-5(1), P1) Each agency must enforce the following password selection criteria by policy and, where possible, by technical means:
  Users must change personal user account passwords at least as frequently as every 180 days.
  Privileged user account passwords must be changed at least as frequently as every 60 days.
  System account passwords must be changed at least as frequently as every 180 days.
  Each password must be at least 8 characters in length, and be composed of at least one uppercase letter, at least one lowercase letter, and at least one digit or punctuation character.
  Passwords must be encrypted when stored or transmitted.
  For Federal Tax Information (FTI): change/refresh passwords every 90 days at a minimum for a standard user account, and every 60 days at a minimum for privileged users.

2.602 (IA-5, P1) Each agency must prohibit its users from sharing their personal account passwords with others.

2.603 (IA-5, P1) Each agency must ensure that shared account passwords are changed immediately upon termination, resignation, or reassignment of any person with knowledge of the password.

2.604 (IA-5, P1) Each agency must prohibit its users from using common words or personal information as passwords (e.g., username, social security number, children's names, pets' names, hobbies, anniversary dates, etc.).

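
2.601 and 2.604 together define what an acceptable password looks like and how old it may be. The checker below is an added example, not part of the standard; it implements the 2.601 composition and maximum-age rules and the 2.604 prohibition on common words and personal information. The account-type names, the profile fields, the five-word stand-in dictionary and the sample inputs are assumptions constructed for the example.

```python
"""Password selection and maximum-age checks for SCDIS-200 controls 2.601 and 2.604.

Added illustration, not part of the standard. The composition rule and the
maximum ages come from 2.601; the personal-information and common-word checks
implement 2.604. The account-type names, profile field names, the word list
and the sample inputs are assumptions constructed for the example.
"""
import string
from datetime import date
from typing import Dict, List

MAX_AGE_DAYS = {"user": 180, "privileged": 60, "system": 180}
FTI_MAX_AGE_DAYS = {"user": 90, "privileged": 60}   # tighter cadence when Federal Tax Information is handled
COMMON_WORDS = {"password", "welcome", "letmein", "carolina", "summer"}  # constructed stand-in for a real dictionary


def max_age_days(account_type: str, handles_fti: bool) -> int:
    """2.601: 180/60/180 days for user/privileged/system accounts; 90/60 for user/privileged with FTI."""
    limit = MAX_AGE_DAYS[account_type]
    if handles_fti and account_type in FTI_MAX_AGE_DAYS:
        limit = min(limit, FTI_MAX_AGE_DAYS[account_type])
    return limit


def composition_errors(pw: str) -> List[str]:
    """2.601: at least 8 characters, one uppercase, one lowercase, one digit or punctuation character."""
    errs = []
    if len(pw) < 8:
        errs.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        errs.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        errs.append("no lowercase letter")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        errs.append("no digit or punctuation character")
    return errs


def personal_info_errors(pw: str, profile: Dict[str, str]) -> List[str]:
    """2.604: reject passwords containing common words or profile data (username, SSN,
    family and pet names, hobbies, dates). Matching is case-insensitive; for tokens that
    carry digits (SSN, dates) the separators are stripped on both sides so that
    '06/14/2009' is caught inside 'Blue06142009#'."""
    lowered = pw.lower()
    pw_digits = "".join(c for c in lowered if c.isdigit())
    errs = []
    for label, token in profile.items():
        t = token.lower()
        t_digits = "".join(c for c in t if c.isdigit())
        if len(t) >= 3 and t in lowered:
            errs.append(f"contains {label}")
        elif len(t_digits) >= 4 and t_digits in pw_digits:
            errs.append(f"contains digits of {label}")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            errs.append(f"contains common word '{word}'")
    return errs


def check_password(pw: str, profile: Dict[str, str], account_type: str, handles_fti: bool,
                   last_changed: date, today: date) -> List[str]:
    """Return every violation found; an empty list means the password is acceptable today."""
    errs = composition_errors(pw) + personal_info_errors(pw, profile)
    age = (today - last_changed).days
    limit = max_age_days(account_type, handles_fti)
    if age > limit:
        scope = f"{account_type} accounts handling FTI" if handles_fti else f"{account_type} accounts"
        errs.append(f"password is {age} days old; {scope} must change every {limit} days")
    return errs


# Constructed sample profile, as a help desk might hold it.
PROFILE = {
    "username": "jdoe",
    "ssn": "123-45-6789",
    "child name": "Emily",
    "pet name": "Rover",
    "anniversary": "06/14/2009",
}

if __name__ == "__main__":
    today = date(2016, 7, 1)
    for pw in ["Rover2016!", "Blue06142009#", "trouble", "Tr0ub4dor&3"]:
        print(pw, check_password(pw, PROFILE, "privileged", False, date(2016, 4, 1), today))
```

The profile check strips separators from digit-bearing tokens so that a date or SSN cannot slip through by changing punctuation. One caveat on "encrypted when stored" in 2.601: for a verifier database this is met in practice by a salted one-way password hash, not a reversible cipher, since a reversible cipher lets anyone holding the key recover every password.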
2.605 (AC-2(3), P1) Each agency must suspend user accounts after a specified number of days of inactivity.

2.606 (IA-5, P1) Each agency must implement a process to change passwords immediately if there is reason to believe a password has been compromised or disclosed to someone other than an authorized user.

2.700 (P1) Password Administration: Each agency must ensure that processes and agreements are in place to support password security.

2.701 (PS-6, P3) Each agency must require its users of non-public systems to sign an acknowledgement of their understanding of authentication policies prior to allowing access to non-public agency networks or systems, including the agency's policies on password selection and confidentiality.

2.702 (IA-5, P1) Each agency must establish a process to verify the identity of a user prior to providing a new, replacement, or temporary password.

2.703 (IA-8, P1) Each agency must establish a process to uniquely identify and authenticate non-agency users of internal-use agency systems.

2.704 (IA-5, IA-5(1), P1) Each agency must establish procedures to manage new or removed privileged account passwords.

2.705 (IA-5(1), P1) Each agency must require that passwords administratively set on behalf of a user (e.g., new password, password reset) are set to a unique value per user and changed by the user at first use.

2.706 (IA-5, IA-5(1), P1) Each agency must communicate temporary passwords to users in a secure manner.

2.707 (IA-6, P2) Each agency must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

3.100 (P1) Audit and Compliance: Each agency must ensure that its security and privacy policies, procedures, and controls are current and effective.

3.101 (P0) Each agency must identify and document its obligations under applicable State, federal, and other third-party laws and regulations in relation to information security.

3.102 (AU-2, P1) Each agency must periodically review or audit its users' and systems' compliance with security policies, standards, and procedures, and initiate corrective actions where necessary.

3.103 (AU-6, P1) Each agency must document and report findings from compliance reviews or audits to agency leadership.

3.104 (AU-1, P1) Each agency must establish formal, documented audit and accountability procedures.

3.105 (AU-1, P1) Each agency must implement a process to periodically review and update the audit and accountability procedures.

3.200 (P1) Information System Audits: Each agency must ensure that its procedures and controls for information systems are current and appropriately designed.

3.201 (AU-2, P1) Each agency must conduct audit procedures in a way that minimizes the risk of disruption of operational systems and business processes.

3.202 (AU-9, P1) Each agency must implement security controls to help prevent unauthorized access to, and/or abuse of, audit tools.

3.203 (AU-2, P1) Each agency must determine the types of events that are to be audited within information systems, such as authentication success, authentication failure, user connections, system connections, system updates, privileged user actions, record accesses, record updates, system errors, application starts, application stops, and system debugging operations.

3.204 (AU-2, P1) Each agency must review and update the list of audited events annually.

3.205 (AU-2, P1) Each agency must ensure that leadership coordinates the audit functions, information security functions, and business functions to facilitate the identification of auditable events.

3.206 (AU-3, P1) Each agency must ensure its information systems are enabled to generate audit records containing details to help establish what type of event occurred, when and where the event occurred, the source and outcome of the event, and the identity of any individuals or subjects associated with the event.
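
3.206 lists the elements an audit record must carry. The Python below is an added example, not part of the standard, of a check to run against a log source before it is trusted for the reviews in 3.207: it parses JSON-lines records and reports which 3.206 elements each record lacks. The field names in REQUIRED and the sample lines are constructed for the example and must be mapped to the real field names of the source being onboarded.

```python
"""Completeness check of audit records against SCDIS-200 control 3.206.

Added illustration, not part of the standard. Before a log source is relied on
for 3.207 analysis, each record should carry enough to establish what happened,
when and where, from what source, with what outcome, and for whom. The JSON
field names below and the sample lines are assumptions constructed for the
example; map REQUIRED to the real field names of the source being onboarded.
"""
import json
from typing import Dict, List, Tuple

# 3.206 element -> field names, any one of which satisfies the element
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "what": ("event_type",),
    "when": ("timestamp",),
    "where": ("host",),
    "source": ("src_ip", "src_host"),
    "outcome": ("outcome",),
    "identity": ("user", "subject_id"),
}

# Constructed JSON-lines sample: one complete record, one failed logon that dropped the
# attempted username, one record with no timestamp, and one line that is not JSON.
SAMPLE_LOG = """\
{"timestamp":"2016-07-01T08:02:11Z","host":"app01","event_type":"logon","outcome":"success","user":"jdoe","src_ip":"10.1.2.3"}
{"timestamp":"2016-07-01T08:02:40Z","host":"app01","event_type":"logon","outcome":"failure","src_ip":"10.1.2.9"}
{"host":"db02","event_type":"record_update","outcome":"success","user":"asmith","src_ip":"10.1.5.7"}
not json at all
"""


def missing_elements(record: dict) -> List[str]:
    """Names of 3.206 elements for which no populated field is present."""
    return [elem for elem, keys in REQUIRED.items()
            if not any(record.get(k) not in (None, "") for k in keys)]


def assess(log_text: str) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (number of complete records, [(line_no, problem), ...])."""
    complete, findings = 0, []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings.append((line_no, "unparseable line"))
            continue
        if not isinstance(record, dict):
            findings.append((line_no, "not a JSON object"))
            continue
        missing = missing_elements(record)
        if missing:
            findings.append((line_no, "missing " + ", ".join(missing)))
        else:
            complete += 1
    return complete, findings


if __name__ == "__main__":
    ok, problems = assess(SAMPLE_LOG)
    print(f"{ok} complete record(s)")
    for line_no, problem in problems:
        print(f"line {line_no}: {problem}")
```

The second sample line is the gap seen most often in practice: a failed logon logged without the attempted username. Without it a reviewer cannot tell a mistyped password from a spray across many accounts, so the attempted identifier should be recorded (it is not a secret) even though it never resolved to a real user.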

3.207 (AU-6, P1) Each agency must analyze information system audit records periodically.

3.208 (AU-6, P1) Each agency must report findings of audit record reviews to information security personnel and agency leadership.

3.209 (AU-6, P1) Each agency must perform correlation and analysis of information generated by security assessments and monitoring.

3.210 (AU-4, P1) Each agency must allocate sufficient audit storage capacity to ensure compliance with audit log retention requirements.

3.211 (AU-4, P1) Each agency must implement provisions for information systems to off-load audit records at regular intervals onto a different system or media than the system being audited.

3.300 (P2) Information Security Monitoring: Each agency must ensure that its security controls for information systems are effective.

3.301 (CA-2, P2) Each agency must ensure security controls are monitored on an ongoing basis.

3.302 (CA-2(1), P2) Each agency's security control assessment function must be independent from operational or business functions, or be performed by hired third parties.

3.303 (CA-5, P3) Each agency must develop a plan of action and milestones to document planned remedial actions to correct deficiencies identified as a result of risk assessments, security reviews, or audits.

3.304 (CA-5, P3) Each agency must update its plan of action and milestones at least on a yearly basis, and also based on the findings from continuous security monitoring activities.

4.100 (P1) Risk Management: Each agency must establish its strategy for risk management.

4.101 (PM-9, P1) Each agency must define a schedule for an ongoing risk assessment and risk mitigation process.

4.102 (RA-2, P1) Each agency must review and evaluate risk based on the system categorization level and/or data classification of its systems.

4.200 (P1) Risk Assessment: Each agency must conduct its risk assessment processes in alignment with its risk management strategy.

4.201 (RA-3, P1) Each agency must establish a risk assessment framework based on applicable State and federal laws, regulations, and industry standards (e.g., NIST 800-30). This assessment framework must clearly define accountability, roles, and responsibilities.

4.202 (CA-2, P2) Each agency must periodically conduct a formal assessment of its information security and privacy processes and controls to determine the appropriateness of the design and implementation of controls, and the extent to which the controls are operating as intended and producing the desired outcome (e.g., NIST 800-115, NIST 800-53A).

4.203 (RA-1, RA-3, P1) Each agency must ensure that risk assessments identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the agency.

4.204 (CA-5, P3) Each agency must develop and periodically update a Plan of Action & Milestones (POAM) document that identifies any deficiencies related to internal security controls. The POAM must identify planned, implemented, and evaluated remedial actions to correct deficiencies noted during assessments.

4.205 (RA-3, CA-6, P1) Each agency must establish a process and assign a senior-level executive or manager to determine whether or not risks can be accepted; for each of the risks identified following the risk assessment, the designated personnel within the agency must make a decision regarding risk treatment.

4.300 (P2) Risk Mitigation: Each agency must mitigate its risks in alignment with its risk management strategy.

4.301 (CA-6, P2) Each agency must establish and implement controls to ensure risks are reduced to an acceptable level based on security requirements, once threats have been identified and decisions for the management of risks have been made.

4.302 (CA-6, P2) Each agency must determine and document the acceptable level of risk for various threats based on the business requirements and the potential impact of the risk to the agency.

5.100 (P1) Physical Access: Each agency must ensure that information systems and media are appropriately protected against unauthorized physical access.

5.101 (PE-1, P1) Each agency must establish formal, documented procedures to facilitate the implementation of physical and environmental protection controls.

5.102 (PE-1, P1) Each agency must establish procedures to review and keep current the physical and environmental protection procedures.

5.103 (PE-2, P1) Each agency must develop, approve, and maintain a list of personnel with authorized access to the facility where information systems are physically located.

5.104 (PE-2, P1) Each agency must establish a process to review, approve, and issue credentials for facility access.

5.105 (PE-2, P1) Each agency must remove individuals from the facility access list when access is no longer required.

5.106 (PE-3, P1) Each agency must ensure that facilities housing systems containing sensitive data are protected against unauthorized physical access (e.g., keycards, keys, security guards).

5.107 (PE-3, P1) Each agency must maintain physical access audit logs for facilities housing systems containing sensitive data.

5.108 (PE-3(3), P1) Each agency must maintain, 24 hours per day, 7 days per week, guards and/or alarms to monitor physical access points to facilities housing systems containing sensitive data.

5.109 (PE-3(2), P1) Each agency must perform security assessments on an annual basis at the physical boundary of facilities housing sensitive data, to determine the risk of unauthorized exfiltration of information or removal of information system components.

5.110 (PE-3, P1) Each agency must establish a process to escort visitors and monitor their activity within facilities housing systems containing sensitive data.

5.111 (PE-3, P1) Each agency must change combinations and keys at defined intervals, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

5.112 (PE-4, P1) Each agency must control physical access to information system distribution and transmission lines within the data center(s) using physical access control devices (e.g., keycards or keys).

5.113 (PE-5(1), P2) Each agency must place output devices (e.g., printers, fax machines, copiers) in secured areas and in locations that can be monitored by authorized personnel, and allow access to authorized individuals only.

5.114 (PE-6, P1) Each agency must review physical access logs at a defined frequency and upon occurrence of security incidents.

5.115 (PE-8, P3) Each agency must ensure that visitor access records for facilities housing systems containing sensitive information are retained for a minimum of 1 year.

5.116 (PE-16, P2) Each agency must establish processes to authorize, monitor, and control sensitive information systems and media entering and exiting facilities.

5.200 (P1) Environmental Security: Each agency must ensure that information systems and media are appropriately protected against environmental hazards, in alignment with its business continuity risk management strategy.

5.201 (PE-9, P1) Each agency must place power equipment and cabling in safe locations to prevent environmental and/or man-made damage and destruction.

5.202 (PE-10, P1) Each agency must make available the capability of shutting off power to data system facilities during an incident.

5.203 (PE-10, P1) Each agency must place emergency shutoff switches or devices at locations which can be safely and easily accessed by personnel during an incident.

5.204 (PE-10, P1) Each agency must implement physical and logical controls to protect the emergency power shutoff capability from unauthorized activation.

5.205 (PE-11(1), P1) Each agency must implement an uninterruptible power supply to facilitate transition to long-term alternate power in the event of a primary power source loss.

5.206 (PE-13, P1) Each agency must install and maintain fire detection and suppression devices that are supported by an independent power source.

5.207 (PE-13(2), P1) Each agency must employ fire detection devices/systems that activate automatically and notify emergency personnel and defined emergency responder(s) in the event of a fire.

5.208 (PE-13(3), P1) Each agency must employ an automatic fire suppression system if the data system facility is not staffed on a continuous basis.

5.209 (PE-14(1), P1) Each agency must employ automatic temperature and humidity controls in the data system facilities to prevent fluctuations potentially harmful to processing equipment.

5.210 (PE-14(2), P1) Each agency must employ temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.

5.211 (PE-15, P1) Each agency must protect processing equipment from damage resulting from water leakage.

5.300 (P1) Disposal of Equipment and Media: Each agency must ensure that information systems and media are appropriately disposed of, to ensure the confidentiality of sensitive data.

5.301 (MP-6, P1) Each agency must define and implement mechanisms for disposal of digital media and data storage devices.

5.302 (MP-6, P1) Each agency must employ sanitization mechanisms with strength and integrity commensurate with the classification of the data to be sanitized.

5.303 (MP-6, P1) Each agency must establish processes for cleansing and disposal of computers, hard drives, and fax/printer/scanner devices.

5.304 (MP-6(1), P1) Each agency must implement controls to track and verify sanitization of devices prior to disposal.

6.100 (P1) Human Resource Compliance: Each agency must ensure that human resource processes appropriately support security and privacy processes and controls related to personnel.

6.101 (PS-1, P1) Each agency must define security roles and responsibilities of employees, contractors, and third-party personnel, and must document these in accordance with the organization's information security procedures.

6.102 (PS-3, P1) Each agency must ensure background verification checks on candidates for employment, including contractors and third-party users. These checks must be aligned with the nature and sensitivity of the data and systems the personnel will have access to, and must be carried out in accordance with applicable laws.

6.103 (PS-4, PS-5, P1) Each agency must ensure that upon termination or transfer of employment for employees, or termination of engagement for non-employees, personnel return to the agency all agency physical documents (and all copies thereof) and other agency property and materials in their possession or control, and certify the secure erasure or destruction of any agency electronic information.

6.104 (PS-6, P3) Each agency must ensure that employees, contractors, and third-party users agree to and sign an acceptable use policy, which must state responsibilities for information security.

6.200 | Security Awareness Training: Each agency must ensure that all personnel receive training designed to improve their awareness of basic security and privacy issues. | | P1 |

6.201 | Each agency must require employees, contractors, and third party users to apply security in accordance with established policies and procedures of the organization, where such personnel have responsibilities for agency information, systems, media, or facilities housing such items. | PS-1, PS-7 | P1 | x x

6.202 | Each agency must ensure employees, contractors, and third party users receive security and privacy awareness training, and regular updates about organizational policies and procedures, as relevant for their job function. | AT-3 | P1 | x x

6.203 | Each agency must ensure that training is accompanied by an assessment test, in order to determine comprehension of key cyber security concepts. | AT-3(3) | P1 |

6.204 | Each agency must require that each user of agency information receives some minimum level of awareness training prior to being granted access to agency information. | AT-3 | P1 | x x

6.205 | Each agency must appoint a cyber-security awareness training coordinator to manage training content, schedules, and user training completion status. | PS-2 | P1 | x x

6.206 | Each agency must ensure that its cyber security training coordinator, along with the agency information security liaison, reviews training content on an annual basis to ensure that it aligns with all relevant compliance requirements. | PM-14 | P1 |

7.100 | Mobile Security: Each agency must ensure that all handheld computing devices and portable storage devices used by agency personnel for agency data are appropriately secured. | | P1 |

7.101 | Each agency must only allow portable storage devices to be used for agency data when these devices are assigned and identified to an individual owner. | MP-7 | P1 | x x

7.102 | Each agency must only allow the use of portable storage devices that allow secure erasure or destruction for use with non-public agency data. | MP-7 | P1 | x x

7.103 | Each agency must only allow the use of handheld computing devices that can be remotely wiped or erased for use with non-public agency data. | MP-7 | P1 | x x

7.104 | Each agency must develop usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled handheld computing devices. | AC-19 | P1 | x x

7.105 | Each agency must develop a list of approved handheld computing device platforms, and ensure that only approved devices are allowed to access the agency's non-public networks and information systems. | AC-19(4) | P1 |

7.106 | Each agency must develop and apply adequate asset management procedures to all agency-issued handheld computing devices. | AC-19 | P1 | x x

7.107 | Each agency must ensure that handheld computing devices used to access non-public agency data are configured with encryption of data at rest. | AC-19(5) | P1 | x

7.108 | Each agency must implement controls to ensure the installation of standardized operating systems, applications, and patches on agency-issued handheld computing devices. | AC-19 | P1 | x x

7.109 | Each agency must ensure that non-public agency information is securely erased from any handheld computing device used to access such data before the device is disposed of or transferred to another person. | MP-6 | P1 | x x

7.110 | Each agency must deploy administrative and technical controls to mitigate risks associated with lost or stolen handheld computing devices. | | P1 |

7.111 | Each agency must ensure, for agency-issued handheld computing devices, where feasible, the testing of vendor-recommended patches, hot-fixes, or service packs before such changes are approved for installation, and a process to keep system hardware, operating system, and applications up to date with the approved system updates. | AC-19 | P1 | x x

7.112 | Each agency must ensure that each agency-issued handheld computing device is configured so that only approved services and software are enabled and/or installed. | AC-20(2) | P1 | x

7.113 | Each agency must protect all handheld computing devices with a password or Personal Identification Number (PIN). | | P1 |

7.114 | Each agency must ensure all handheld computing devices have timeout/locking features. | | P1 |

7.115 | Each agency must develop controls for the protection of data storage on handheld computing devices, including their removable media. | AC-20, AC-20(1) | P1 | x

7.116 | Each agency must protect the storage and transmission of information on agency-issued portable storage and handheld computing devices by scanning the devices for malicious code. If a portable storage or handheld computing device is used for transitional storage of sensitive data (e.g., copying data between systems), the data must be securely deleted from the device immediately upon completion. | AC-19, MP-6, MP-6(3) | P1 |

7.117 | Each agency must develop a process for users to notify designated personnel when a device is lost or stolen. The process must include remote wiping/erasing of handheld computing devices. | | P1 |

7.118 | Each agency must ensure that the physical security of each portable storage or handheld computing device is the responsibility of the person to whom the device has been assigned. Each device must be kept in the assigned person's physical presence whenever possible. Whenever a device is being stored, it must be stored in a secure place, preferably out of sight. | MP-4 | P1 | x

7.200 | Removable Media Security: Each agency must ensure that all removable media used by agency personnel for agency data are appropriately secured. | | P1 |

7.201 | Each agency must protect information system media until the media is destroyed or sanitized using approved processes. | MP-4 | P1 | x

7.202 | Each agency must physically control and securely store digital (e.g., CD, flash drives) and non-digital (e.g., paper) media within secured locations when such media contain non-public information. | MP-4 | P1 | x

7.203 | Each agency must employ encryption mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas. | MP-5(4) | P1 | x

7.204 | Each agency must ensure accountability for removable media during transport outside of controlled areas. | MP-5(3) | P1 |

7.205 | Each agency must ensure that removable media are securely erased or destroyed, and that paper media are securely destroyed, prior to disposal, for any such media containing non-public information. | MP-6 | P1 | x x

7.300 | Portable Computing Device Security: Each agency must ensure that all portable computing devices such as laptops used by agency personnel for agency data are appropriately secured. | | P1 |

7.301 | Each agency must employ encryption at rest to protect the confidentiality of information stored on portable computing devices such as laptops. | SC-28, SC-28(1) | P1 | x

7.302 | Each agency must ensure that each portable computing device is configured so that only approved services and software are enabled and/or installed. | CM-7(5) | P1 | x

7.303 | Each agency must ensure that each portable computing device is covered by a configuration management process that includes flaw remediation, such as installing the most current stable security patches, critical security updates, and hot-fixes. | CM-2 | P1 | x x

7.304 | Each agency must ensure automatic update of virus definition files on portable computing devices. | SI-2(5) | P1 |

7.305 | Each agency must ensure a firewall is configured on each portable computing device, and prohibit users from making firewall configuration changes. | SC-7, AC-3(5) | P1 |

7.306 | Each agency must ensure asset tags are placed on portable computing devices. | CM-8 | P1 | x x

7.307 | Each agency must ensure peer-to-peer (ad-hoc) wireless connections on all portable computing devices are disabled. | CM-7(1) | P1 | x
8.100 | Asset Identification: Each agency must ensure that all of its information assets, including agency-specific applications, datastores, computing platforms, and network platforms, are inventoried and classified according to data sensitivity and other compliance requirements. | | P1 |

8.101 | Each agency must document and maintain inventories of the important assets associated with each information system. Asset inventories must include a unique system name, a system/business owner, a data classification, and a description of the location of the asset. Examples of assets associated with information systems are: Information assets (databases and data files, system documentation, user manuals, training material, operational procedures, disaster recovery plans, archived information); Software assets (application software, system software, development tools and utilities); Computing assets (servers, desktops, laptops, smartphones); Networking assets (routers, switches, access points); Storage assets (disk arrays, SANs, tapes, portable storage); Services (computing, application, and storage services). | CM-8 | P1 | x x

8.102 | Each agency must require user acknowledgement of all rules and regulations pertinent to an asset prior to issuing or permitting access to the asset. | PL-4 | P2 | x x

8.103 | Each agency must periodically review asset records to ensure that each is classified appropriately and that the safeguards remain valid and operative. | CM-8 | P1 | x x

8.104 | Each agency must classify assets into the data sensitivity classification types in the State of South Carolina Data Classification Schema: Public, Internal, Confidential, Restricted. | RA-2 | P1 | x x

8.105 | Each agency must ensure that each asset is classified based on data classification type and impact level, and that the appropriate level of information security safeguards is available and in place. | RA-2 | P1 | x x

9.100 | Security Performance Metrics: Each agency must participate in the DIS-defined collection and reporting of security performance metrics, in order to inform the management decisions of agency and state executive stakeholders. | | P1 |

9.101 | Each agency must monitor and report performance metrics as specified by the Division of Information Security (DIS), to demonstrate progress in adoption of security controls and associated policies and procedures, and the effectiveness of the information security program. | PM-6 | P1 |

9.102 | DIS must define performance measures to support the determination of information system security posture, demonstrate compliance with requirements, and identify areas of improvement. | PM-6 | P1 |

9.103 | DIS must ensure that the defined metrics are meaningful, yield impact and outcome findings, and are scheduled for collection with the time necessary for stakeholders to use the results to address performance gaps. | | P1 |

9.104 | DIS must standardize the data collection methods and data repositories used for metrics data collection and reporting to ascertain the validity and quality of data. | | P1 |

9.200 | Third Party Risk Management: Each agency must ensure that agency business functions conducted by third parties are performed in compliance with all statutes, regulations, and other obligations incumbent on the agency. | | P1 |

9.201 | Each agency must establish processes to ensure that third parties comply with information security requirements and employ defined security controls in accordance with compliance requirements incumbent on the agency. | SA-9 | P1 | x x

9.202 | Each agency must implement processes, methods, and techniques to review compliance by third parties on an ongoing basis. | SA-9 | P1 | x x

9.203 | Each agency must establish a process to conduct risk assessments on third party service providers, and document the risk assessment results. | AC-20(1), RA-3, SA-9(1) | P1 | x

9.204 | Each agency must implement controls to help ensure that risk assessments are updated in case of major changes in scope of services or contractual changes with third parties. | CA-3, SA-9 | P1 | x x

9.205 | Each agency must authorize connections between agency information systems and third party information systems by entering into Interconnection Security Agreements. | CA-3 | P1 | x x

9.206 | Each agency must ensure that for each third party system interface with an agency system, the interface characteristics, security requirements, and the nature of the information communicated are documented. | CA-3 | P1 | x x

9.207 | Each agency must establish terms and conditions for trust relationships established with other entities owning, operating, or maintaining external information systems on behalf of the agency. Terms and conditions should control: access to agency information systems from third party information systems; and controls for processing, storing, or transmitting agency data by third party information systems. | AC-20 | P1 | x x

9.208 | Each agency must review and update third party security agreements on an annual basis, or as defined in the contract. | CA-3 | P1 | x x

9.209 | Each agency must share personally identifiable information (PII) with third parties only for purposes in compliance with applicable statutes and regulations. | UL-2 | P0 |

9.210 | Each agency using a third party to process or store unencrypted sensitive data must enter into a binding agreement with the third party, describing the types of sensitive data covered and specifically enumerating the purposes for which the data may be used. | UL-2 | P0 |

9.211 | Each agency must monitor, audit, and train its staff on the authorized sharing of sensitive data with third parties and on the consequences of unauthorized use or sharing of such data. | UL-2 | P0 |

9.212 | Each agency must evaluate any proposed new instances of sharing sensitive data with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. | UL-2 | P0 |

10.100 | Contingency Planning: Each agency must ensure that the business functions supporting any critical agency missions can be restored to functionality in the event of disruption, breach, or failure. | | P1 |

10.101 | Each agency must establish a formal, documented contingency planning process that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. | CP-1 | P1 | x x

10.102 | Each agency must establish a formal process for annual contingency planning policy and procedure review and update. | CP-1 | P1 | x x

10.103 | Each agency must conduct a Business Impact Analysis (BIA) to identify functions, processes, and applications that are critical to the agency and determine a point in time (i.e., the recovery time objective (RTO)) when the impact of an interruption or disruption becomes unacceptable to the agency. | CP-2(3) | P1 | x

10.104 | Each agency must utilize the BIA results to determine potential impacts resulting from the interruption or disruption of critical business functions, processes, and applications. | CP-2(3), CP-2(4) | P1 |

10.105 | Each agency must assign contingency roles and responsibilities to key individuals from all business functions. | CP-2 | P1 | x x

10.106 | Each agency must establish procedures to maintain continuity of critical business functions in the cases of critical information system disruption, breach, or failure. | CP-2(5) | P1 |

10.107 | Each agency must document a Business Continuity Plan (BCP) that addresses documented recovery strategies designed to enable the agency to respond to potential disruptions and recover its critical business functions within a predetermined RTO following a disruption. | CP-2 | P1 | x x

10.108 | Each agency must establish a process to ensure that the BCP is reviewed and approved by senior management. | CP-2 | P1 | x x

10.109 | Each agency must distribute copies of the BCP to key personnel responsible for the recovery of the critical business functions and other relevant personnel and partners with contingency roles, as determined by the agency. | CP-2 | P1 | x x

10.110 | Each agency must establish and implement procedures to review the BCP at planned intervals and at least on an annual basis. | CP-2 | P1 | x x

10.111 | Each agency must establish a process to update the contingency plan, including the BIA, when changes to the organization, information system, or environment of operation occur. | CP-2 | P1 | x x

10.112 | Each agency must provide training to personnel with assigned BCP roles and responsibilities. | CP-3 | P2 | x x

10.113 | Each agency must establish a process for evaluating the effectiveness of its BCP training. | CP-3 | P2 | x x

10.114 | Each agency must incorporate simulated events and lessons learned into contingency training to facilitate effective response by personnel with contingency roles when responding to disruption. | CP-3(1) | P2 |

10.115 | Each agency must test the BCP at least annually to determine the effectiveness of the plan and the agency's readiness to execute the plan. | CP-4 | P2 | x x

10.116 | Each agency must review the BCP test results, record lessons learned, and perform corrective actions as needed. | CP-4 | P2 | x x

10.117 | Each agency must employ standard testing methods, ranging from walk-through and tabletop exercises to more elaborate parallel/full-interrupt simulations, to determine the effectiveness of the plan and to identify potential weaknesses in the plans. | CP-4 | P2 | x x

10.200 | Disaster Recovery: Each agency must ensure that the business functions supporting any critical agency missions can be restored to functionality in the event of catastrophic disruption. | | P1 |

10.201 | Each agency must develop a Disaster Recovery Plan (DRP) that addresses scope, roles, responsibilities, and coordination among organizational entities for reallocating information systems operations to an alternate location. | CP-2, CP-2(1) | P1 | x

10.202 | Each agency must establish recovery time objectives for the BIA-identified critical information systems. | CP-2(3) | P1 | x

10.203 | Each agency must establish and document procedures to fully restore critical information systems after an incident, minimizing deterioration of the security safeguards originally planned and implemented. | CP-2 | P1 | x x

10.204 | Each agency must assign disaster recovery roles and responsibilities to key individuals. | CP-2, CP-2(1) | P1 | x

10.205 | Each agency must establish a process to ensure that the DRP is reviewed and approved by senior management. | CP-2, CP-2(1) | P1 | x

10.206 | Each agency must distribute copies of the DRP to key personnel responsible for the recovery of the critical information systems and other relevant personnel and partners with contingency roles, as determined by the agency. | CP-2, CP-2(1) | P1 | x

10.207 | Each agency must establish and implement procedures to review the DRP at planned intervals and at least on an annual basis. | CP-2, CP-2(1) | P1 | x

10.208 | Each agency must establish a process to update the DRP when changes to the organization or environment of operation occur. | CP-2, CP-2(1) | P1 | x

10.209 | Each agency must identify and establish processes to relocate to an alternate site to facilitate the resumption of information system operations for business-critical functions within the defined recovery objectives (RTO and Recovery Point Objective (RPO)) when the primary site is unavailable due to disruption. | CP-7 | P1 | x

10.210 | Each agency must ensure that equipment and supplies required to resume operations at the alternate processing site are available. | CP-7 | P1 | x

10.211 | Each agency must ensure contracts are in place with third parties and suppliers to support delivery to the site within the defined time period for transfer/resumption of critical business operations. | CP-7 | P1 | x

10.212 | Each agency must ensure that the alternate processing site provides information security safeguards similar to those of the primary site. | CP-7 | P1 | x

10.213 | Each agency must identify potential accessibility problems to the alternate site in the event of an area-wide disruption or disaster. | CP-7(2) | P1 | x

10.214 | Each agency must establish primary and alternate telecommunication service agreements with priority-of-service provisions in accordance with organizational availability requirements (including RTOs), quality of service, and access. | CP-8(1) | P1 | x

10.215 | Each agency must establish alternate telecommunications services to facilitate the resumption of information system operations for critical business functions within the defined recovery objectives when the primary telecommunications capabilities are unavailable. | CP-8 | P1 | x

10.216 | Each agency must require primary and alternate telecommunication service providers to have contingency plans. | CP-8(4) | P1 |

10.217 | Each agency must establish documented procedures to restore and recover critical business activities from the temporary measures adopted to support normal business requirements after an incident. | CP-10 | P1 | x x

10.218 | Each agency must implement procedures for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. | CP-10 | P1 | x x

10.219 | Each agency must provide the capability to restore information system components within defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components (e.g., reimaging methods). | CP-10(4) | P1 |

10.220 | Each agency must establish measures to protect backup and restoration hardware, firmware, and software. | CP-10(6) | P1 |

10.300 | Data Backups: Each agency must ensure that the business data supporting any critical agency missions can be restored to functionality in the event of loss or corruption. | | P1 |

10.301 | Each agency must develop, maintain, and document a data backup and storage process that ensures the ability to recover electronic information in the event of failure. | CP-9, CP-1 | P1 | x x

10.302 | Each agency must identify and apply security requirements for protecting data backups based on the different types of data handled by the agency. | CP-9 | P1 | x x

10.303 | Each agency must identify an alternate storage site that is separated from the primary site so as not to be susceptible to the same hazards. | CP-6(1) | P1 | x

10.304 | Each agency must establish necessary agreements with the alternate storage site owner to ensure that data storage and retrieval processes are not hindered during or after an incident. | CP-6 | P1 | x

10.305 | Each agency must ensure that the alternate storage site provides information security safeguards similar to those of the primary storage site. | CP-6 | P1 | x

10.306 | Each agency must identify potential accessibility problems to the alternate storage site in the event of a disruption or disaster. | CP-6(3) | P1 | x

10.307 | Each agency must identify secure transfer methods when transporting backup media off-site. | MP-5 | P1 | x

10.308 | Each agency must establish and maintain an authorization list to retrieve backups from the off-site location. | | P2 |

10.309 | Each agency must review on an annual basis the security of the off-site location to ensure data is protected against unauthorized disclosure or modification while in storage. | CP-9 | P1 | x x

10.310 | Each agency must establish a process to perform data backups of user-level and system-level information at a defined frequency consistent with the established RTOs and RPOs. | CP-9 | P1 | x x

10.311 | Each agency must establish safeguards and controls to protect the confidentiality, integrity, and availability of backup information at storage locations. | CP-9 | P1 | x x

10.312 | Each agency must enforce dual authorization (two-person control) for the deletion or destruction of agency mission-critical data. | CP-9(7) | P1 |

11.100 | Vulnerability Management: Each agency must ensure that its information systems are periodically checked for vulnerabilities, and that findings are appropriately remediated. | | P1 |

11.101 | Each agency must ensure that processes are in place to scan for vulnerabilities in information systems and hosted applications at least annually, and that results are reported to management. | RA-5 | P1 | x x

11.102 | Each agency must ensure that privileged access to vulnerability scanning tools and vulnerability reports is appropriately controlled. | RA-5(5) | P1 | x

11.103 | Each agency must ensure remediation of identified vulnerabilities is performed in accordance with the agency risk management criteria and processes. | RA-5 | P1 | x x

11.104 | Each agency must ensure that penetration testing exercises are performed on an annual basis, either by use of internal resources or by employing a third party penetration team. | CA-8 | P2 | x

11.200 | Incident Management: Each agency must ensure that information security incidents occurring within the agency are appropriately handled. | | P1 |

11.201 | Each agency must develop, document, and internally publish an incident response process that addresses scope, roles and responsibilities, internal coordination efforts, and compliance. | IR-1 | P1 | x x

11.202 | Each agency incident response plan must include the following: compatible interaction with the state-level incident response process published by DIS; types of information security incidents to be reported; metrics to ensure incident response capabilities remain effective; resources, such as technology and personnel, required to effectively support incident response capabilities; and a roadmap for implementing incident response capabilities. | IR-8 | P1 | x x

11.203 | Each agency must review and update the incident response plan on an annual basis. | IR-8 | P1 | x x

11.204 | Each agency must ensure that information security incident handling processes include preparation, detection and analysis, containment, eradication, and recovery. | IR-4 | P1 | x x

11.205 | Each agency must ensure the implementation of incident response tools such as intrusion detection, firewalls, and incident investigation tools, to effectively respond to security incidents. | IR-4(9) | P1 |

11.206 | Each agency must ensure that personnel are required to report suspected information security incidents to the incident response team or agency leadership. | IR-6 | P1 | x x

11.207 | Each agency must ensure that information systems are sufficiently monitored to detect attacks and/or signs of potential attacks, including unauthorized local or remote network connections. | SI-4 | P1 | x x

11.208 | Each agency must ensure that monitoring devices are deployed strategically within the information technology environment to collect information security events and associated information. | SI-4 | P1 | x x

11.209 | Each agency must ensure the protection of information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. | SI-4 | P1 | x x

11.210 | Each agency must ensure the monitoring of inbound and outbound communications traffic from sensitive information systems for unusual or unauthorized activities or conditions. | SI-4(4) | P1 | x

11.211 | Each agency must ensure that information system monitoring activity is appropriately adjusted for new and increased sources of risk. | SI-4 | P1 | x x

11.212 | Each agency must provide incident response training within one (1) month of personnel assuming incident response roles or responsibilities. | IR-2 | P2 | x x

11.213 | Each agency must provide training to incident response personnel upon significant changes to information systems and/or changes to the incident response plan. | IR-2 | P2 | x x

11.214 | Each agency must establish a formal process to test incident response capabilities on a yearly basis to determine incident response effectiveness and adequacy. | IR-3 | P2 | x

11.215 | Each agency must document the incident response test results and update incident response processes as applicable. | IR-3 | P2 | x

11.216 | Each agency must ensure malicious code protection mechanisms are employed for information systems to detect and eradicate malicious code. | SI-3 | P1 | x x

11.217 | Each agency must ensure malicious code protection mechanisms are updated whenever new releases are available. | SI-3 | P1 | x x

11.218 | Each agency must ensure malicious code protection mechanisms are configured to perform periodic scans at defined time intervals. | SI-3 | P1 | x x

11.219 | Each agency must ensure malicious code protection mechanisms are configured to send an alert to appropriate personnel, to initiate appropriate actions in response to malicious code detection. | SI-3 | P1 | x x

11.300 | Patch Management: Each agency must ensure that flaws in its information systems are remediated appropriately. | | P1 |

11.301 | Each agency must develop and implement a process to identify, report, and correct information system flaws. | SI-2 | P1 | x x

11.302 | Each agency must establish a formal process to test software and firmware updates related to flaw remediation for effectiveness and identification of potential impact prior to implementation. | SI-2 | P1 | x x

11.303 | Each agency must install the latest stable versions of applicable security software and firmware updates. | SI-2 | P1 | x x

11.304 | Each agency must establish a patch cycle that guides the normal application of patches and updates to systems. | SI-2, SI-2(5) | P1 |

11.305 | Each agency must establish a process of patch testing to verify the source and integrity of the patch and ensure testing in a production-mirrored environment for a smooth and predictable patch roll-out. | SI-7(15) | P1 |

12.100 | Data Classification: Each agency must ensure the information processed, stored, or transmitted by its information systems and information repositories is appropriately classified, so that compliance obligations may be identified. | | P1 |

12.101 | Each agency must categorize data in accordance with applicable statutory, regulatory, and contractual requirements. Each data asset must be classified into one of the following categories: 1. Public: information intended or required for sharing publicly, where unauthorized disclosure would result in minimal or no risk to the agency. 2. Internal Use: information that is used in daily operations of the agency, where unauthorized disclosure would result in little risk to the agency. 3. Confidential: sensitive information, where unauthorized disclosure may result in considerable risk to the agency. 4. Restricted: highly sensitive information, where unauthorized disclosure may result in considerable risk to the agency, including statutory penalties. | RA-2 | P1 | x x

12.102 | Each agency must ensure that users who encounter information that is improperly classified consult with the owner of the information, agency information privacy personnel, or agency information security personnel to determine the appropriate data classification. | RA-2 | P1 | x x

12.103 | If multiple data fields with different classifications have been combined, the highest classification of information included must determine the classification of the entire set. | RA-2 | P1 | x x
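The classification rules in 12.101 through 12.103 can be automated for inventories and data sets. The following Python example is added here and is not part of the SCDIS-200 standard; the DataField structure, the is_non_public helper, and the treatment of "Internal" (8.104) and "Internal Use" (12.101) as the same level are assumptions of this example, and data with a missing or unrecognised label is routed to human review (12.102) rather than guessed.

```python
"""Data-classification aggregation for the South Carolina schema.

Added illustration, not part of SCDIS-200 itself. Levels come from 12.101,
the highest-classification-wins rule for combined data from 12.103, and the
"route unknown labels to review" behaviour from 12.102.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """SC Data Classification Schema levels, ordered by sensitivity."""
    PUBLIC = 1
    INTERNAL = 2      # "Internal" in 8.104, "Internal Use" in 12.101 (assumed same level)
    CONFIDENTIAL = 3
    RESTRICTED = 4


# Label spellings the standard itself uses, normalised to the enum.
_ALIASES = {
    "public": Classification.PUBLIC,
    "internal": Classification.INTERNAL,
    "internal use": Classification.INTERNAL,
    "confidential": Classification.CONFIDENTIAL,
    "restricted": Classification.RESTRICTED,
}


class ClassificationReviewRequired(ValueError):
    """Raised when a field carries no recognised label. Per 12.102 the
    information owner or privacy/security personnel decide, not the code."""


@dataclass(frozen=True)
class DataField:
    """Hypothetical inventory record: a field name and its recorded label (8.101)."""
    name: str
    label: str | None


def parse_label(label: str | None) -> Classification:
    """Map a recorded label to a Classification, or signal that review is needed."""
    if label is None:
        raise ClassificationReviewRequired("missing classification label")
    key = " ".join(label.strip().lower().split())   # tolerate case/whitespace
    try:
        return _ALIASES[key]
    except KeyError:
        raise ClassificationReviewRequired(f"unrecognised label {label!r}") from None


def classify_combined(fields: list[DataField]) -> Classification:
    """12.103: a set that combines fields of different classifications takes
    the highest classification among them. An unlabelled field anywhere in
    the set blocks the decision, because the true maximum is then unknown."""
    if not fields:
        raise ValueError("cannot classify an empty field set")
    problems: list[str] = []
    levels: list[Classification] = []
    for field in fields:
        try:
            levels.append(parse_label(field.label))
        except ClassificationReviewRequired as exc:
            problems.append(f"{field.name}: {exc}")
    if problems:
        raise ClassificationReviewRequired("; ".join(problems))
    return max(levels)


def is_non_public(level: Classification) -> bool:
    """Assumption: the 'non-public' data that controls such as 7.102, 7.107
    and 7.202 refer to is every level other than Public."""
    return level != Classification.PUBLIC


# Constructed sample: a report that joins a public dataset with an HR extract.
SAMPLE_REPORT = [
    DataField("county_name", "Public"),
    DataField("office_hours", "Internal Use"),
    DataField("employee_ssn", "Restricted"),
]

if __name__ == "__main__":
    level = classify_combined(SAMPLE_REPORT)
    print(level.name, "non-public:", is_non_public(level))
```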

12.200 | Data Disposal: Each agency must ensure the information stored on its information systems, information repositories, and media is securely erased or destroyed prior to the disposal of the device or media. | | P1 |

12.201 | Each agency must develop a list of approved processes for sanitizing electronic and non-electronic media prior to disposal or re-purposing, based on applicable regulatory requirements. | MP-6 | P1 | x x

12.202 | Each agency must employ sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information. | MP-6 | P1 | x x

12.203 | Each agency must implement controls to track the media sanitization and disposal process, wherever compliance requirements dictate such actions must be tracked, documented, and verified. Documentation must provide a record of the media sanitized, when and how the media was sanitized, the person who performed the sanitization, and the final disposition of the media. The record of action taken must be maintained in a written or electronic format. | MP-6(1) | P1 |

12.204 | Each agency must test media sanitization equipment and procedures at least annually to ensure correct performance. | MP-6(2) | P1 | x

12.205 | Each agency must ensure that electronic media are securely erased prior to being reassigned or released for destruction. | MP-6 | P1 | x x

12.206 | Each agency must define and implement mechanisms for disposal of digital media and data storage devices contained in equipment to be released outside of the agency. | MP-6 | P1 | x x

12.207 | Each agency must destroy hardcopy media containing sensitive information prior to disposal. | MP-6 | P1 | x x

12.208 | Each agency must monitor the destruction of hardcopy media, where required for statutory or regulatory compliance. | MP-6(1) | P1 |

12.300 | Data Protection: Each agency must ensure the information processed, stored, or transmitted during its business processes is appropriately protected. | | P1 |

12.301 | Each agency must ensure that its personnel follow the agency's acceptable use policies when transmitting data. | SC-1 | P1 | x x

12.302 | Each agency must implement mechanisms to ensure availability of information in the event of the loss of cryptographic keys by users. | SC-12(1) | P1 |

12.303 | Each agency must implement mechanisms to ensure the confidentiality of private keys. | SC-12 | P1 | x x

12.304 | Each agency must develop a mechanism to randomly select a key from the entire key space, using effective randomization. | SC-12(2), SC-12(3) | P1 | x

12.305 | Each agency must implement appropriate controls to physically and logically safeguard encryption keys through all phases of the key lifecycle, from construction through receipt, installation, operation, and removal from service. | SC-12 | P1 | x x

12.306 | Each agency must use Federal Information Processing Standards (FIPS) 140 validated technology for encrypting sensitive data. | SC-13 | P1 | x x

12.307 | Each agency must ensure that sensitive data transmitted by email is securely encrypted. | SC-8(1) | P1 | x

12.308 | Each agency must ensure that sensitive information transmitted through a public network is encrypted prior to transmittal, or is transmitted through an encrypted connection. | SC-8(1) | P1 | x

12.309 | Each agency must ensure that sensitive information transmitted wirelessly is encrypted prior to transmittal, or is transmitted through an encrypted connection. | AC-18(1), SC-8(1) | P1 | x

12.400  Data Privacy: Each agency must ensure that the interests of data subjects are appropriately protected. [P1]

12.401  Each agency must designate an individual who has primary responsibility for information privacy decisions. [AR-1, P1]

12.402  Each agency must conduct a Privacy Impact Assessment (PIA) for each information system that will handle Personally Identifiable Information (PII). Each PIA should examine the following privacy issues: [AR-2, SE-1, UL-2, DM-2, IP-1, DM-1, IP-4, IP-3, P0]
  - What PII is to be collected.
  - What is the intended use of the PII.
  - What PII will be shared, and with whom.
  - How long the PII will be retained.
  - What privacy risks are posed by the intended use and sharing of the collected PII.
  - What privacy risks are posed by unintended disclosure of the collected PII.
  - What steps are taken to inform users about the PII collected and what mechanisms they can use to control it.
  - What opportunities individuals have to decline to provide PII.
  - What steps are taken to minimize the types of PII collected.
  - What mechanisms are available for data subjects to update or correct their PII.
  - What opportunities individuals have to remove PII once collected.
  - How the PII is to be secured.
  - What processes are established to resolve privacy issues.

12.403  Each agency must update PIAs when a system change creates changes in privacy risks. [AR-2, P0]

12.404  Each agency must ensure that PIA documents are reviewed by an agency executive or designee with authority for issues of information privacy. [P0]

12.405  Each agency must require each member of agency personnel and each third party with access to PII to sign a confidentiality agreement defining responsibilities. [AR-5, P0]

12.406  Each agency must publish a privacy web statement on each agency website used by the public. Each website privacy statement should include, as specifically applicable to the site: [TR-3, P0]
  - What PII is to be collected.
  - What is the intended use of the PII.
  - What PII will be shared, and with whom.
  - How long the PII will be retained.
  - What opportunities individuals have to decline to provide PII.
  - What mechanisms are available for data subjects to update or correct their PII.
  - What opportunities individuals have to remove PII once collected.
  - How the PII is to be secured, in a non-technical summary.
  - What processes are established to resolve privacy issues.
13.100  Change Management: Each agency must ensure that changes to information systems are conducted in such a way that disruption to production is minimized, and stakeholders are given appropriate awareness and opportunity for feedback. [P1]

13.101  Each agency must establish a change management process, including the following elements: [CM-3, CM-3(2), CM-4, P1]
  - Change requests are handled in a structured way that determines the impact on the operational system and the business processes it supports.
  - Changes to production environments, including emergency maintenance and patches, must be formally managed.
  - Changes are categorized, prioritized, and authorized.
  - After implementation, changes are reviewed to ensure correct functionality.
  - Changes to production environments are adequately tested.
  - An emergency change process is defined for testing, documenting, assessing, and authorizing changes that do not follow the established change process.
13.200  Configuration Management: Each agency must ensure that information system baseline configurations are managed to minimize risk of incompatibility and of unauthorized change. [P1]

13.201  Each agency must ensure that system baseline configurations are developed, reviewed, and formally approved for critical information systems and infrastructure components. [CM-2, CM-2(1), P1, x]

13.202  Each agency must ensure that changes to baseline configurations include a process to identify, review, perform security impact analysis, test, and approve such changes prior to implementation. [CM-3, CM-3(2), CM-4, P1]

13.203  Each agency must ensure that baseline configurations are recorded in a central repository, with access restrictions to prevent unauthorized changes. [CM-2, CM-5, P1, x]

13.204  Each agency must ensure that prior versions of baseline configurations are retained to be able to support rollback. [CM-2(3), P1, x]

13.205  Each agency must ensure the review and update of baseline configurations periodically, and as an integral part of information system component installations or upgrades. [CM-2(1), P1, x]

13.206  Each agency must ensure that responsibilities for developing and managing the configuration management process are assigned to personnel who are not directly involved in system development activities. [CM-9(1), P1]
13.300  System Development and Maintenance: Each agency must ensure that system development efforts are performed with appropriate consideration for information confidentiality, integrity, and availability. [P1]

13.301  Each agency must ensure that system security plans are documented for critical enterprise information systems in production and under development. System security plans must provide an overview of the security requirements of the system, and describe the controls in place for meeting the requirements through all stages of the systems development life cycle. [PL-2, P1, x x]

13.302  Each agency must ensure that when a system is modified in a manner that affects security, system documentation is updated accordingly. [PL-2, P1, x x]

13.303  Each agency must ensure that a vulnerability assessment is performed on all enterprise information systems undergoing significant changes, before the systems are moved into production. [RA-5, P1, x x]

13.304  Each agency must develop and follow a set of procedures consistent with state procurement standards. [SA-1, P1, x x]

13.305  Each agency must ensure that information systems and services it procures are implemented or conducted in compliance with all provisions of the state's Information Security Program that are applicable to the systems or services being procured. [P0]

13.306  Each agency must ensure that appropriate security controls are implemented at all stages of the information system life cycle. [SA-3, P1, x x]

13.307  Each agency must ensure that outsourced software development is performed in compliance with all applicable provisions of the state's Information Security Program. [SA-9, P1, x x]

13.308  Each agency must ensure that, for any system development effort, separate development, testing, and production environments are established. [CM-2(6), CM-4(1), P1]

13.309  Each agency must not use sensitive production data for testing purposes unless the data has been obfuscated, sanitized, or declassified. If production data must be temporarily used in these environments, appropriate security controls, including management approval, procedures to remove/delete data after completion of tests, and documentation of activities, must be implemented. [SA-15(9), P2]

13.310  Each agency must ensure, for system development efforts, that appropriate testing is performed to ensure correct processing. [SI-10, SI-15, P1]

13.311  Each agency must ensure, for system development efforts, that where appropriate, controls are implemented to ensure user session isolation, information integrity, and protection of information transmission. [SC-23, P1, x]
13.400  Release Management: Each agency must ensure that information system version releases into production are conducted in a way that minimizes risk to the confidentiality, integrity, and availability of those systems. [P1]

13.401  Each agency must ensure that production-ready release packages of mission-critical systems are deployed using the release management lifecycle (i.e., plan, prepare, build and test, pilot, and deploy). [SA-2, P1, x x]

13.402  Each agency must determine as part of the release planning process: [SA-2, P1, x x]
  - Resources required to deploy the release.
  - Build and test plans prior to implementation.
  - Pass/fail criteria.
  - Pilot and deployment plans.
  - Requirements for the release.

13.403  Each agency must document, as part of a system release, the set of tools and processes used to manage the IT release lifecycle, and the prioritization of the release. [SA-5, P2, x x]

13.404  Each agency must validate the release design against the requirements, and identify the risks and potential issues. [SA-5, P2, x x]

13.405  Each agency must implement standardization and enforce operational controls through the use of change requests for deploying releases into production. [SA-8, P1, x]
Minimum Acceptable Security for Contractors with Sensitive Data
Contract service providers should be held to the standards marked "x" when non-Public state data is to be
released into their control. Guidance for acceptable variance is provided in NIST 800-171 (draft).
NOTE that the marked controls only address protection of confidentiality, and not of integrity or availability.
Contractors processing data for mission-critical purposes should be required to address additional controls
beyond those marked.
This spreadsheet compares SC Standards to NIST 800-171 (draft) requirements. A contractor who complies
with NIST 800-171 -- security standards for Controlled Unclassified Information (CUI) -- will also satisfy the
corresponding SC Standard if marked with an "X" in the CUI column.


Columns: SC ID | State Policy Objective | NIST Control Code | DIS Section | Priority | CUI
1.100  Information Security Plan: Each agency must formally authorize, document, prioritize, and provide resources for incorporating security and privacy controls into its business processes. [P1]

1.101  Each agency must develop and communicate an information security plan that underlines security requirements, the security management controls, and common controls in place for meeting those requirements. [PM-1, P1]

1.102  Each agency's security plan must identify and assign security program roles, responsibilities and management commitment, and ensure coordination among the agency's business units, as well as compliance with the security plan. [PM-1, P1]

1.103  Each agency must ensure coordination among the agency's business units responsible for the different aspects of information security (i.e., technical, physical, personnel, etc.). [PM-1, P1]

1.104  Each agency must ensure that the security plan is approved by senior management. [PM-1, P1]

1.105  Each agency must periodically review the information security plan, staging each full review cycle across no more than a 3-year period. [PM-1, P1]

1.106  Each agency must update the security plan to address changes and problems identified during plan implementation or security control assessments. [PM-1, P1]

1.107  Each agency must protect the information security plan from unauthorized disclosure and modification. [PM-1, P1]

1.108  Each agency must consider resources needed to implement and maintain the information security plan in capital planning and investment requests. [PM-1, P1]

1.109  Each agency must follow a process for ensuring that an implementation plan is developed and executed to address identified security and privacy deficiencies. [PM-4, P1]

1.110  Each agency must review implementation plans for consistency with the agency's risk management strategy and priorities for risk response actions. [PM-4, P1]

1.111  Each agency must develop, monitor, and report on the results of information security and privacy measures of performance, as directed by the SC Division of Information Security or the SC Enterprise Privacy Office. [PM-6, P1]
1.200  Information Security Roles and Responsibilities: Each agency must formally document authority for security and privacy responsibilities within its organization. [P1]

1.201  Each agency's chief executive must ensure that the agency's senior officials are given the necessary authority to secure the operations and assets under their control. [PM-2, P1]

1.202  Each agency must appoint an information security liaison with the mission and resources to coordinate, develop, implement, and maintain an information security plan. [PM-2, P1]

1.203  Each agency must establish an information security workforce and professional development program appropriately sized to the agency's information security needs. [PM-13, P1]

1.204  Each agency must provide role-based security training to personnel with assigned security roles and responsibilities. [AT-3, P1, x]
1.300  Information Security Policy Management: Each agency must formally evaluate its business processes, and ensure that these processes are designed in compliance with the state Information Security Program. [P1]

1.301  Each agency must adopt a risk-based approach to identify State and agency-specific information security and privacy objectives, and must develop information security procedures in alignment with the identified security objectives. [PM-9, P1]

1.302  Each agency must allocate the appropriate subject matter experts to the development of State and agency-specific information security procedures. [PM-3, P1]

1.303  Each agency must approach independent external (third party) specialists to assist in the development of information security policies, procedures, or controls in cases where it is established that the required skills do not exist within the agency and are not available within any other state government agency. [PM-15, P1]

1.304  Each agency must work in collaboration with other states, the Federal government, and external special interest groups in cases where procedures directly or indirectly affect interfacing activities with them. [P0]

1.305  Each agency should ensure that information security and privacy policies, standards, guidelines, and procedures developed at the agency contain the following information, as appropriate: version, issued date, effective date, owner of document (identified by office or role), purpose, definitions, scope, directives, guidance, and revision history. [PL-1, P1]

1.306  Each agency must review each draft procedure with the stakeholders who will be impacted by the procedure, to ensure that the procedure is enforceable and effective. [P0]

1.307  Each agency must identify gaps within the procedures that are not enforceable and effective, must document the gaps, and must assign the appropriate resources to remediate the gaps. [PM-4, P1]

1.308  Each agency must develop and implement a communication plan to disseminate new procedures or changes to existing procedures. [PL-1, P1]

1.309  Each agency may establish a procedure governance committee for the purpose of review and approval of procedures. [PL-1, P1]

1.310  Each agency must implement mechanisms to help ensure that information security procedures will be available to the agency's personnel on a continuous basis and whenever required. [PL-1, P1]

1.311  Each agency must require employees to review and acknowledge understanding of information security procedures prior to allowing access to sensitive data or information systems. [PL-4, P2]
1.400  Information Security Controls: Each agency must ensure that security and privacy controls are implemented in compliance with the state Information Security Program. [P1]

1.401  Each agency must adopt a risk-based approach to prioritize deployment of controls. [CA-2, P2, x]

1.402  Each agency must allocate the appropriate subject matter experts to the deployment of State and agency-specific information security controls. [PM-3, P1]

1.403  Each agency must approach independent external (third party) specialists to assist in the deployment of information security controls in cases where it is established that the required skills do not exist within the agency and are not available within any other state government agency. [PM-15, P1]

1.404  Each agency must ensure that controls which cannot be implemented due to the agency's resource or other constraints are reported as directed by the SC Division of Information Security or SC Enterprise Privacy Office. [PM-2, P1]

1.405  Each agency must review each control with the stakeholders who will be impacted, to ensure that the control is enforceable and effective. [P0]

1.406  Each agency must develop and implement a communication plan to disseminate new controls or changes to existing controls. [PL-1, P1]

1.407  Each agency must periodically review information security controls, staging each full review cycle across no more than a 3-year period. [PL-1, P1]
2.100  Access Management: Each agency must ensure the management of information systems and user accounts, to appropriately secure legitimate user and system access. [P1]

2.101  Each agency must establish or update formal, documented procedures for secure and compliant management of information systems, user accounts, and networks. [AC-1, P1]

2.102  Each agency must identify account types (e.g., individual, group, system, application, guest/anonymous, and temporary) and establish conditions for group membership. [AC-2, P1, x]

2.103  Each agency must identify authorized users of information systems and specify access rights. [AC-2, P1, x]

2.104  Each agency must establish a process requiring that access requests be approved by a business or data owner (or delegate) prior to provisioning user accounts. [AC-2, P1, x]

2.105  Each agency must authorize and monitor the use of guest/anonymous and temporary accounts, and notify relevant personnel (e.g., account managers) when temporary accounts are no longer required. [AC-2, P1, x]

2.106  Each agency must establish a process to notify relevant personnel (e.g., account managers, system administrators) to remove or deactivate access rights when users are terminated, transferred, or access rights requirements change. [AC-2, P1, x]

2.107  Each agency should remove, disable, or rename default user accounts. Where this is not possible, the agency should increase the required length or complexity of the password, or use additional factors for authentication. [AC-2, P1, x]

2.108  Each agency must ensure that rights granted to accounts are based on the principles of need-to-know, least-privilege, and separation of duties. Access not explicitly permitted should be denied by default. [AC-5, AC-6, P1, x]

2.109  Each agency must ensure that access requests from users are recorded. [AC-2, P1, x]

2.110  Each agency must ensure that privileged accounts (e.g., system / network administrators having root level access, database administrators) are only provisioned after approval by an agency information security officer and/or similarly designated role. The approval must be granted to a limited number of individuals with the requisite skill, experience, business need, and documented reason based on role requirements. [AC-2, AC-6, P1, x]

2.111  Each agency must ensure that privileged accounts are controlled, monitored, and can be reported on a periodic basis. [AC-2, P1, x]

2.112  Each agency must implement processes to enforce periodic user access reviews, to be performed by information / data owners or their assigned delegates, to ensure the following: current access rights are consistent with current agency access provisioning criteria, and there are no unnecessary duplicate user identifiers. Privileged accounts must be reviewed at least as often as semiannually. Standard accounts must be reviewed at least as often as annually. [AC-2, P1, x]

2.113  Each agency must regulate information system access and define security requirements for contractors, vendors, and other service providers. [AC-2, P1, x]

2.114  Each agency must establish procedures to administer privileged user accounts in accordance with a role-based access model. [AC-6(5), P1, x]

2.115  Each agency must enforce approved authorizations for logical (e.g. cyber or electronic) access to information systems. [AC-3, P1, x]

2.116  Each agency must implement encryption of data in motion to protect remote connections. [AC-17(2), P1, x]

2.117  Each agency must enforce information flow controls for its systems, to allow large Restricted data flows to transfer only to approved destinations. [AC-4, P1, x]

2.118  Each agency should implement controls in information systems to enforce separation of duties through assigned access authorizations, such as separation of security administration duties from security audit duties, administration duties for critical business systems separated among personnel, and separation of information system testing and production duties. [AC-5, P1, x]

2.119  Each agency should document and implement separation of duties through assigned information system access authorizations. [AC-5, P1, x]

2.120  Each agency must ensure that only authorized individuals have access to agency data, and that such access is controlled and audited in accordance with the concepts of need-to-know, least-privilege, and separation of duties. [AC-6, P1, x]

2.121  Each agency must implement processes or mechanisms to disable file system access not required for duties, restrict database management to authorized database administrators, and restrict access to removable device/media boot functions to system administrators. [AC-6, AC-6(1), AC-6(2), P1, x]

2.122  Each agency must ensure that its information systems enforce a limit of unsuccessful logon attempts during an agency-defined period. The number of logon attempts must be commensurate with the classification of data hosted, processed or transferred by the information system. [AC-7, P2, x]

2.123  Each agency must automatically lock user accounts after the maximum number of logon attempts is reached, and must establish an account lock time period commensurate with the classification of data hosted, processed or transferred by the information system. [AC-7, P2, x]

2.124  Each agency system interface intended for non-public usage must display a warning before granting system access, addressing issues such as intended use of the system, applicable privacy disclosures, and other warnings as required for applicable regulatory or contractual obligations. [AC-8, P1, x]

2.125  Each agency's systems should disconnect sessions or require reauthentication after 30 minutes of inactivity. [AC-11, P3, x]
2.200  Network Access Management: Each agency must ensure the management of networks to appropriately secure legitimate user and system access. [P1]

2.201  Each agency must document allowed methods for remote access to the network and information systems. [AC-17, P1, x]

2.202  Each agency must utilize automated mechanisms to enable management to monitor and control remote connections into networks and information systems. [AC-17(1), P1, x]

2.203  Each agency must require Virtual Private Network (VPN) or equivalent encryption technology to establish remote connections into the agency's private networks. [AC-17(2), P1, x]

2.204  Each agency must restrict remote access to its private networks and systems to the mechanisms and protocols approved by the agency. [AC-17(3), P1, x]

2.205  Each agency must require two-factor authentication for remote connections by Virtual Private Network (VPN) or other such tunneling technologies. [IA-2, P1, x]

2.206  Each agency must develop formal procedures for authorized individuals to access its information systems from external systems, such as access allowed from an alternate work site (if required). [AC-17, P1, x]

2.207  Each agency must establish usage restrictions, configuration and connection requirements, and implementation guidance for wireless access. [AC-18, P1, x]

2.208  Each agency must only use wireless networking technology that enforces user authentication for access to non-public networks. [AC-18(1), P1, x]

2.209  Each agency must authorize wireless access to information systems prior to allowing use of wireless networks for access to non-public networks. [AC-18, P1, x]

2.210  Each agency must prohibit wireless access points from being installed independently by users. [AC-18(4), P1]

2.211  Each agency must require that before agency data is processed or stored on a third-party system, the system is approved for such use by data owners, considering such issues as the classifications of data which may be used with the system, the permitted methods of connection to the system, and compliance of the system with state and agency policy. [AC-20, AC-20(1), P1, x]

2.212  Each agency must segregate systems intended for internal use from systems intended for public use by means of separate physical or logical networks. [SC-7, P1, x]

2.213  Each agency's networks and information systems must not be accessible from public networks (e.g., the Internet) except under secured and managed interfaces employing boundary protection devices. [SC-7, P1, x]

2.214  Each agency must limit network access points to a minimum to enable effective monitoring of inbound and outbound communications and network traffic. [SC-7(3), P1]
2.300  Identity Management: Each agency must ensure that legitimate users of systems are identified as appropriate to support security requirements. [P1]

2.301  Each agency must establish processes to enforce the use of unique identifiers assigned to each member of agency personnel (User IDs), including system users, technical support personnel, system operators, network administrators, system programmers, and database administrators. [IA-2, P1, x]

2.302  Each agency must prevent reuse of a user ID until all logs, documents, or other records referencing the user ID have reached the end of their retention periods. [IA-4, P1, x]

2.303  Each agency must allow the use of group IDs only where these are necessary for business or operational reasons; group IDs must be formally approved and documented. [AC-2, P1, x]

2.304  Each agency must ensure that where the agency requires use of group IDs, it requires users to be authenticated with a user ID prior to, or simultaneous with, using the group ID. [IA-2(5), P1]

2.305  Each agency must minimize the use of system, application, or service accounts; and must document, formally approve, and designate an individual owner of each such account. [AC-6(1), AC-6(3), P1]

2.306  Each agency must perform identification and authentication of any user accessing any system intended for internal-only use, and record logs sufficient to identify each user's network address. [IA-8, P1]
2.400  Authentication: Each agency must ensure that legitimate users of systems are authenticated as appropriate to support security requirements. [P1]

2.401  Each agency must use multifactor authentication for remote user authentication to non-public systems, such that one factor is generated by a device other than the device from which the user connects. [IA-2(4), IA-2(11), P1]

2.402  Each agency must implement mechanisms to record successful and failed authentication attempts. [AC-7, P2, x]
2.500  Emergency Access: Each agency must ensure that privileged accounts that are shared (e.g. administrator, root, system) are appropriately protected, and usage is accounted to individual users. [P1]

2.501  Each agency must establish processes and procedures for users to obtain access to required information systems on an emergency basis. [AC-2, P1, x]

2.502  Each agency's emergency procedure must ensure that only identified and authorized personnel are allowed emergency access; all emergency actions are documented in detail; emergency accounts are removed, disabled, or resecured promptly upon conclusion of the emergency conditions; and emergency actions are reported to management. [AC-2, AC-2(2), P1]
2.600  Password Security: Each agency must ensure that passwords are difficult to guess, and retained only by those persons who have legitimate need to access the associated account. [P1]

2.601  Each agency must enforce the following password selection criteria by policy and, where possible, by technical means: [IA-5, IA-5(1), P1, x]
  - Users must change personal user account passwords at least as frequently as every 180 days.
  - Privileged user account passwords must be changed at least as frequently as every 60 days.
  - System account passwords must be changed at least as frequently as every 180 days.
  - Each password must be at least 8 characters in length, and be composed of at least one uppercase letter, at least one lowercase letter, and at least one digit or punctuation character.
  - Passwords must be encrypted when stored or transmitted.
  - For Federal Tax Information (FTI): change/refresh passwords every 90 days at a minimum for a standard user account, and every 60 days at a minimum for privileged users.

2.602  Each agency must prohibit its users from sharing their personal account passwords with others. [IA-5, P1, x]

2.603  Each agency must ensure that shared account passwords are changed immediately upon termination, resignation, or reassignment of any person with knowledge of the password. [IA-5, P1, x]

2.604  Each agency must prohibit its users from using common words or personal information as passwords (e.g., username, social security number, children's names, pets' names, hobbies, anniversary dates, etc.). [IA-5, P1, x]

2.605  Each agency must suspend user accounts after a specified number of days of inactivity. [AC-2(3), P1]

2.606  Each agency must implement a process to change passwords immediately if there is reason to believe a password has been compromised or disclosed to someone other than an authorized user. [IA-5, P1, x]
2.700  Password Administration: Each agency must ensure that processes and agreements are in place to support password security. [P1]

2.701  Each agency must require its users of non-public systems to sign an acknowledgement of their understanding of authentication policies prior to allowing access to non-public agency networks or systems, including the agency's policies on password selection and confidentiality. [PS-6, P3]

2.702  Each agency must establish a process to verify the identity of a user prior to providing a new, replacement, or temporary password. [IA-5, P1, x]

2.703  Each agency must establish a process to uniquely identify and authenticate non-agency users of internal-use agency systems. [IA-8, P1]

2.704  Each agency must establish procedures to manage new or removed privileged account passwords. [IA-5, IA-5(1), P1, x]

2.705  Each agency must require that passwords administratively set on behalf of a user (e.g. new password, password reset) are set to a unique value per user and changed by the user at first use. [IA-5(1), P1, x]

2.706  Each agency must communicate temporary passwords to users in a secure manner. [IA-5, IA-5(1), P1, x]

2.707  Each agency must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. [IA-6, P2, x]
3.100  Audit and Compliance: Each agency must ensure that its security and privacy policies, procedures, and controls are current and effective. [P1]

3.101  Each agency must identify and document its obligations to applicable State, federal and other third party laws and regulations in relation to information security. [P0]

3.102  Each agency must periodically review or audit its users' and systems' compliance with security policies, standards, and procedures, and initiate corrective actions where necessary. [AU-2, P1, x]

3.103  Each agency must document and report findings from compliance reviews or audits to agency leadership. [AU-6, P1, x]

3.104  Each agency must establish formal, documented audit and accountability procedures. [AU-1, P1]

3.105  Each agency must implement a process to periodically review and update the audit and accountability procedures. [AU-1, P1]
3.200 Information System Audits: Each agency must ensure that its procedures and controls for information systems are current and appropriately designed. [P1]

3.201 Each agency must conduct audit procedures in a way that minimizes the risk of disruption of operational systems and business processes. [AU-2; P1; x]

3.202 Each agency must implement security controls to help prevent unauthorized access and/or access abuse of audit tools. [AU-9; P1; x]

3.203 Each agency must determine the types of events that are to be audited within information systems, such as authentication success, authentication failure, user connections, system connections, system updates, privileged user actions, record accesses, record updates, system errors, application starts, application stops, and system debugging operations. [AU-2; P1; x]

3.204 Each agency must review and update the list of audited events annually. [AU-2; P1; x]

3.205 Each agency must ensure that leadership coordinates the audit functions, information security functions, and business functions to facilitate the identification of auditable events. [AU-2; P1; x]

3.206 Each agency must ensure its information systems are enabled to generate audit records containing details to help establish what type of event occurred, when and where the event occurred, the source and outcome of the event, and the identity of any individuals or subjects associated with the event. [AU-3; P1; x]

3.207 Each agency must analyze information system audit records periodically. [AU-6; P1; x]

3.208 Each agency must report findings of audit record reviews to information security personnel and agency leadership. [AU-6; P1; x]

3.209 Each agency must perform correlation and analysis of information generated by security assessments and monitoring. [AU-6; P1; x]

3.210 Each agency must allocate sufficient audit storage capacity to ensure compliance with audit log retention requirements. [AU-4; P1]

3.211 Each agency must implement provisions for information systems to off-load audit records at regular intervals onto a different system or media than the system being audited. [AU-4; P1]

3.300 Information Security Monitoring: Each agency must ensure that its security controls for information systems are effective. [P2]

3.301 Each agency must ensure security controls are monitored on an ongoing basis. [CA-2; P2; x]

3.302 Each agency's security control assessment function must be independent from operational or business functions, or hired third parties. [CA-2(1); P2]

3.303 Each agency must develop a plan of action and milestones to document planned remedial actions to correct deficiencies identified as a result of risk assessments, security reviews, or audits. [CA-5; P3; x]

3.304 Each agency must update its plan of action and milestones at least on a yearly basis, and also based on the findings from continuous security monitoring activities. [CA-5; P3; x]

4.100 Risk Management: Each agency must establish its strategy for risk management. [P1]

4.101 Each agency must define a schedule for an ongoing risk assessment and risk mitigation process. [PM-9; P1]

4.102 Each agency must review and evaluate risk based on the system categorization level and/or data classification of its systems. [RA-2; P1]

4.200 Risk Assessment: Each agency must conduct its risk assessment processes in alignment with its risk management strategy. [P1]

4.201 Each agency must establish a risk assessment framework based on applicable State and federal laws, regulation, and industry standards (e.g. NIST 800-30). This assessment framework must clearly define accountability, roles and responsibilities. [RA-3; P1; x]

4.202 Each agency must periodically conduct a formal assessment of its information security and privacy processes and controls to determine the appropriateness of the design and implementation of controls, and the extent to which the controls are operating as intended and producing the desired outcome (e.g. NIST 800-115, NIST 800-53A). [CA-2; P2; x]

4.203 Each agency must ensure that risk assessments identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the agency. [RA-1, RA-3; P1]

4.204 Each agency must develop and periodically update a Plan of Action & Milestones (POAM) document that must identify any deficiencies related to internal security controls. The POAM must identify planned, implemented, and evaluated remedial actions to correct deficiencies noted during assessments. [CA-5; P3; x]

4.205 Each agency must establish a process and assign a senior-level executive or manager to determine whether or not risks can be accepted, and for each of the risks identified following the risk assessment, the designated personnel within the agency must make a decision regarding risk treatment. [RA-3, CA-6; P1]

4.300 Risk Mitigation: Each agency must mitigate its risks in alignment with its risk management strategy. [P2]

4.301 Each agency must establish and implement controls to ensure risks are reduced to an acceptable level based on security requirements, once threats have been identified and decisions for the management of risks have been made. [CA-6; P2]

4.302 Each agency must determine and document the acceptable level of risk for various threats based on the business requirements and the potential impact of the risk to the agency. [CA-6; P2]

5.100 Physical Access: Each agency must ensure that information systems and media are appropriately protected against unauthorized physical access. [P1]

5.101 Each agency must establish formal, documented procedures to facilitate the implementation of physical and environmental protection controls. [PE-1; P1]

5.102 Each agency must establish procedures to review and keep current the physical and environmental protection procedures. [PE-1; P1]

5.103 Each agency must develop, approve, and maintain a list of personnel with authorized access to the facility where information systems are physically located. [PE-2; P1; x]

5.104 Each agency must establish a process to review, approve, and issue credentials for facility access. [PE-2; P1; x]

5.105 Each agency must remove individuals from the facility access list when access is no longer required. [PE-2; P1; x]

5.106 Each agency must ensure that facilities housing systems containing sensitive data are protected against unauthorized physical access (e.g. keycards, keys, security guards). [PE-3; P1; x]

5.107 Each agency must maintain physical access audit logs for facilities housing systems containing sensitive data. [PE-3; P1; x]

5.108 Each agency must maintain, 24 hours per day, 7 days per week, guards and/or alarms to monitor physical access points to facilities housing systems containing sensitive data. [PE-3(3); P1]

5.109 Each agency must perform security assessments on an annual basis at the physical boundary of facilities housing sensitive data, to determine the risk of unauthorized exfiltration of information or removal of information system components. [PE-3(2); P1]

5.110 Each agency must establish a process to escort visitors and monitor their activity within facilities housing systems containing sensitive data. [PE-3; P1; x]

5.111 Each agency must change combinations and keys at defined intervals, and when keys are lost, combinations are compromised, or individuals are transferred or terminated. [PE-3; P1; x]

5.112 Each agency must control physical access to information system distribution and transmission lines within the data center(s) using physical access control devices (e.g., keycard or keys). [PE-4; P1]

5.113 Each agency must place output devices (e.g. printers, fax, copiers) in secured areas and in locations that can be monitored by authorized personnel, and allow access to authorized individuals only. [PE-5(1); P2]

5.114 Each agency must review physical access logs at a defined frequency and upon occurrence of security incidents. [PE-6; P1; x]

5.115 Each agency must ensure that visitor access records to facilities housing systems containing sensitive information are retained for a minimum of 1 year. [PE-8; P3]

5.116 Each agency must establish processes to authorize, monitor, and control sensitive information systems and media entering and exiting facilities. [PE-16; P2]

5.200 Environmental Security: Each agency must ensure that information systems and media are appropriately protected against environmental hazards, in alignment with business continuity risk management strategy. [P1]

5.201 Each agency must place power equipment and cabling in safe locations to prevent environmental and/or man-made damage and destruction. [PE-9; P1]

5.202 Each agency must make available the capability of shutting off power to data system facilities during an incident. [PE-10; P1]

5.203 Each agency must place emergency shutoff switches or devices at locations which can be safely and easily accessed by personnel during an incident. [PE-10; P1]

5.204 Each agency must implement physical and logical controls to protect emergency power shutoff capability from unauthorized activation. [PE-10; P1]

5.205 Each agency must implement an uninterruptible power supply to facilitate transition to long-term alternate power in the event of a primary power source loss. [PE-11(1); P1]

5.206 Each agency must install and maintain fire detection and suppression devices that are supported by an independent power source. [PE-13; P1]

5.207 Each agency must employ fire detection devices/systems that activate automatically and notify emergency personnel and defined emergency responder(s) in the event of a fire. [PE-13(2); P1]

5.208 Each agency must employ an automatic fire suppression system if the data system facility is not staffed on a continuous basis. [PE-13(3); P1]

5.209 Each agency must employ automatic temperature and humidity controls in the data system facilities to prevent fluctuations potentially harmful to processing equipment. [PE-14(1); P1]

5.210 Each agency must employ temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment. [PE-14(2); P1]

5.211 Each agency must protect processing equipment from damage resulting from water leakage. [PE-15; P1]

5.300 Disposal of Equipment and Media: Each agency must ensure that information systems and media are appropriately disposed of, to ensure the confidentiality of sensitive data. [P1]

5.301 Each agency must define and implement mechanisms for disposal of digital media and data storage devices. [MP-6; P1; x]

5.302 Each agency must employ sanitization mechanisms with the strength and integrity commensurate with the classification of data to be sanitized. [MP-6; P1; x]

5.303 Each agency must establish processes for cleansing and disposal of computers, hard drives, and fax/printer/scanner devices. [MP-6; P1; x]

5.304 Each agency must implement controls to track and verify sanitization of devices prior to disposal. [MP-6(1); P1]

6.100 Human Resource Compliance: Each agency must ensure that human resource processes appropriately support security and privacy processes and controls related to personnel. [P1]

6.101 Each agency must define security roles and responsibilities of employees, contractors, and third party personnel, and must document these in accordance with the organization's information security procedures. [PS-1; P1]

6.102 Each agency must ensure background verification checks are performed on candidates for employment, including contractors and third party users. These checks must be aligned with the nature and sensitivity of data and systems the personnel will have access to, and must be carried out in accordance with applicable laws. [PS-3; P1; x]

6.103 Each agency must ensure that upon termination or transfer of employment for employees, or termination of engagement for non-employees, personnel return to the agency all agency physical documents (and all copies thereof) and other agency property and materials in their possession or control, and certify the secure erasure or destruction of any agency electronic information. [PS-4, PS-5; P1; x]

6.104 Each agency must ensure that employees, contractors, and third party users agree to and sign an acceptable use policy, which must state responsibilities for information security. [PS-6; P3]

6.200 Security Awareness Training: Each agency must ensure that all personnel receive training designed to improve their awareness of basic security and privacy issues. [P1]

6.201 Each agency must require employees, contractors, and third party users to apply security in accordance with established policies and procedures of the organization, where such personnel have responsibilities for agency information, systems, media, or facilities housing such items. [PS-1, PS-7; P1]

6.202 Each agency must ensure employees, contractors, and third party users receive security and privacy awareness training, and regular updates about organizational policies and procedures, as relevant for their job function. [AT-3; P1; x]

6.203 Each agency must ensure that training is accompanied by an assessment test, in order to determine comprehension of key cyber security concepts. [AT-3(3); P1]

6.204 Each agency must require that each user of agency information receives some minimum level of awareness training prior to granting access to agency information. [AT-3; P1; x]

6.205 Each agency must appoint a cyber-security awareness training coordinator to manage training content, schedules, and user training completion status. [PS-2; P1]

6.206 Each agency must ensure that its cyber security training coordinator, along with the agency information security liaison, reviews training content on an annual basis to ensure that it aligns with all relevant compliance requirements. [PM-14; P1]

7.100 Mobile Security: Each agency must ensure that all handheld computing devices and portable storage devices used by agency personnel for agency data are appropriately secured. [P1]

7.101 Each agency must only allow portable storage devices to be used for agency data when these devices are assigned and identified to an individual owner. [MP-7; P1; x]

7.102 Each agency must only allow the use of portable storage devices that allow secure erasure or destruction, for use with non-public agency data. [MP-7; P1; x]

7.103 Each agency must only allow the use of handheld computing devices that have the ability to be remotely wiped / erased, for use with non-public agency data. [MP-7; P1; x]

7.104 Each agency must develop usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled handheld computing devices. [AC-19; P1; x]

7.105 Each agency must develop a list of approved handheld computing device platforms, and ensure that only approved devices are allowed to access the agency's non-public networks and information systems. [AC-19(4); P1]

7.106 Each agency must develop and apply adequate asset management procedures to all agency-issued handheld computing devices. [AC-19; P1; x]

7.107 Each agency must ensure that handheld computing devices used to access non-public agency data are configured with encryption of data at rest. [AC-19(5); P1; x]

7.108 Each agency must implement controls to ensure the installation of standardized operating system, applications, and patches on agency-issued handheld computing devices. [AC-19; P1; x]

7.109 Each agency must ensure that non-public agency information is securely erased from any handheld computing device used to access such data, before the device is disposed of or transferred to another person. [MP-6; P1; x]

7.110 Each agency must deploy administrative and technical controls to mitigate risks associated with lost or stolen handheld computing devices. [P1]

7.111 Each agency must ensure for agency-issued handheld computing devices, where feasible, the testing of vendor recommended patches, hot-fixes, or service packs before such changes are approved for installation; and a process to keep system hardware, operating system, and applications up-to-date with the approved system updates. [AC-19; P1; x]

7.112 Each agency must ensure that each agency-issued handheld computing device is configured so that only approved services and software are enabled and/or installed. [AC-20(2); P1; x]

7.113 Each agency must protect all handheld computing devices with a password or Personal Identification Number (PIN). [P1]

7.114 Each agency must ensure all handheld computing devices have timeout/locking features. [P1]

7.115 Each agency must develop controls for the protection of data storage on handheld computing devices, including their removable media. [AC-20, AC-20(1); P1; x]

7.116 Each agency must protect the storage and transmission of information on agency-issued portable storage and handheld computing devices by scanning the devices for malicious code. If a portable storage or handheld computing device is used for transitional storage of sensitive data (e.g., copying data between systems), the data must be securely deleted from the device immediately upon completion. [AC-19, MP-6, MP-6(3); P1]

7.117 Each agency must develop a process for users to notify designated personnel when a device is lost or stolen. The process must include remote wiping / erasing of handheld computing devices. [P1]

7.118 Each agency must ensure that the physical security of each portable storage or handheld computing device is the responsibility of the person to whom the device has been assigned. Each device must be kept in the assigned person's physical presence whenever possible. Whenever a device is being stored, it must be stored in a secure place, preferably out of sight. [MP-4; P1; x]

7.200 Removable Media Security: Each agency must ensure that all removable media used by agency personnel for agency data are appropriately secured. [P1]

7.201 Each agency must protect information system media until the media is destroyed or sanitized using approved processes. [MP-4; P1; x]

7.202 Each agency must physically control and securely store digital (e.g., CD, flash drives) and non-digital (e.g., paper) media within secured locations, when such media contains non-public information. [MP-4; P1; x]

7.203 Each agency must employ encryption mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas. [MP-5(4); P1; x]

7.204 Each agency must ensure accountability for removable media during transport outside of controlled areas. [MP-5(3); P1]

7.205 Each agency must ensure that removable media are securely erased or destroyed, and that paper media are securely destroyed, prior to disposal, for any such media containing non-public information. [MP-6; P1; x]

7.300 Portable Computing Device Security: Each agency must ensure that all portable computing devices such as laptops used by agency personnel for agency data are appropriately secured. [P1]

7.301 Each agency must employ encryption at rest to protect the confidentiality of information stored on portable computing devices such as laptops. [SC-28, SC-28(1); P1]

7.302 Each agency must ensure that each portable computing device is configured so that only approved services and software are enabled and/or installed. [CM-7(5); P1; x]

7.303 Each agency must ensure that each portable computing device is covered by a configuration management process that includes flaw remediation, such as installing the most current stable security patches, critical security updates, and hot fixes. [CM-2; P1; x]

7.304 Each agency must ensure automatic update of virus definition files on portable computing devices. [SI-2(5); P1]

7.305 Each agency must ensure a firewall is configured on each portable computing device, and prohibit users from making firewall configuration changes. [SC-7, AC-3(5); P1]

7.306 Each agency must ensure asset tags are placed on portable computing devices. [CM-8; P1; x]

7.307 Each agency must ensure peer-to-peer (ad-hoc) wireless connections on all portable computing devices are disabled. [CM-7(1); P1; x]
8.100 Asset Identification: Each agency must ensure that all of its information assets, including agency-specific applications, datastores, computing platforms, and network platforms, are inventoried and classified according to data sensitivity and other compliance requirements. [P1]

8.101 Each agency must document and maintain inventories of the important assets associated with each information system. Asset inventories must include a unique system name, a system/business owner, a data classification, and a description of the location of the asset. Examples of assets associated with information systems are: [CM-8; P1; x]
  Information assets: databases and data files, system documentation, user manuals, training material, operational procedures, disaster recovery plans, archived information.
  Software assets: application software, system software, development tools and utilities.
  Computing assets: servers, desktops, laptops, smartphones.
  Networking assets: routers, switches, access points.
  Storage assets: disk arrays, SANs, tapes, portable storage.
  Services: computing, application, and storage services.

8.102 Each agency must require user acknowledgement of all rules and regulations pertinent to an asset, prior to issuing or permitting access to the asset. [PL-4; P2]

8.103 Each agency must periodically review asset records to ensure that each is classified appropriately and that the safeguards remain valid and operative. [CM-8; P1; x]

8.104 Each agency must classify assets into the data sensitivity classification types in the State of South Carolina Data Classification Schema: Public, Internal, Confidential, Restricted. [RA-2; P1]

8.105 Each agency must ensure that each asset is classified based on data classification type and impact level, and that the appropriate level of information security safeguards are available and in place. [RA-2; P1]

9.100 Security Performance Metrics: Each agency must participate in the DIS-defined collection and reporting of security performance metrics, in order to inform the management decisions of agency and state executive stakeholders. [P1]

9.101 Each agency must monitor and report performance metrics as specified by the Division of Information Security (DIS), to demonstrate progress in adoption of security controls, and associated policies and procedures, and effectiveness of the information security program. [PM-6; P1]

9.102 DIS must define performance measures to be able to support the determination of information system security posture, demonstrate compliance with requirements, and identify areas of improvement. [PM-6; P1]

9.103 DIS must ensure that the defined metrics are meaningful, yield impact and outcome findings, and are scheduled for collection with the time necessary for stakeholders to use the results to address performance gaps. [P1]

9.104 DIS must standardize the data collection methods and data repositories used for metrics data collection and reporting to ascertain the validity and quality of data. [P1]

9.200 Third Party Risk Management: Each agency must ensure that agency business functions conducted by third parties are performed in compliance with all statutes, regulations, and other obligations incumbent on the agency. [P1]

9.201 Each agency must establish processes to ensure that third parties comply with information security requirements and employ defined security controls in accordance with compliance requirements incumbent on the agency. [SA-9; P1]

9.202 Each agency must implement processes, methods, and techniques to review compliance by third parties on an ongoing basis. [SA-9; P1]

9.203 Each agency must establish a process to conduct risk assessments on third party service providers, and document the risk assessment results. [AC-20(1), RA-3, SA-9(1); P1]

9.204 Each agency must implement controls to help ensure that risk assessments are updated in case of major changes in scope of services or contractual changes with third parties. [CA-3, SA-9; P1]

9.205 Each agency must authorize connections between agency information systems and third party information systems by entering into Interconnection Security Agreements. [CA-3; P1]

9.206 Each agency must ensure that for each third party system interface with an agency system, the interface characteristics, security requirements, and the nature of the information communicated are documented. [CA-3; P1]

9.207 Each agency must establish terms and conditions for trust relationships established with other entities owning, operating, or maintaining external information systems on behalf of the agency. Terms and conditions should control: [AC-20; P1; x]
  Access to agency information systems from third party information systems.
  Controls for processing, storing, or transmitting of agency data by third party information systems.

9.208 Each agency must review and update third party security agreements on an annual basis, or as defined in the contract. [CA-3; P1]

9.209 Each agency must share personally identifiable information (PII) with third parties only for purposes in compliance with applicable statutes and regulations. [UL-2; P0]

9.210 Each agency using a third party to process or store unencrypted sensitive data must enter into a binding agreement with the third party, describing the types of sensitive data covered, and specifically enumerating the purposes for which the data may be used. [UL-2; P0]

9.211 Each agency must monitor, audit, and train its staff on the authorized sharing of sensitive data with third parties and on the consequences of unauthorized use or sharing of such data. [UL-2; P0]

9.212 Each agency must evaluate any proposed new instances of sharing sensitive data with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. [UL-2; P0]

10.100 Contingency Planning: Each agency must ensure that the business functions supporting any critical agency missions can be restored to functionality in the event of disruption, breach, or failure. [P1]

10.101 Each agency must establish a formal, documented contingency planning process that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. [CP-1; P1]

10.102 Each agency must establish a formal process for annual contingency planning policy and procedure review and update. [CP-1; P1]

10.103 Each agency must conduct a Business Impact Analysis (BIA) to identify functions, processes, and applications that are critical to the agency and determine a point in time (i.e. recovery time objective (RTO)) when the impact of an interruption or disruption becomes unacceptable to the agency. [CP-2(3); P1]

10.104 Each agency must utilize the BIA results to determine potential impacts resulting from the interruption or disruption of critical business functions, processes, and applications. [CP-2(3), CP-2(4); P1]

10.105 Each agency must assign contingency roles and responsibilities to key individuals from all business functions. [CP-2; P1]

10.106 Each agency must establish procedures to maintain continuity of critical business functions in cases of critical information system disruption, breach, or failure. [CP-2(5); P1]

10.107 Each agency must document a Business Continuity Plan (BCP) that addresses documented recovery strategies designed to enable the agency to respond to potential disruptions and recover its critical business functions within a predetermined RTO following a disruption. [CP-2; P1]

10.108 Each agency must establish a process to ensure that the BCP is reviewed and approved by senior management. [CP-2; P1]

10.109 Each agency must distribute copies of the BCP to key personnel responsible for the recovery of the critical business functions and other relevant personnel and partners with contingency roles, as determined by the agency. [CP-2; P1]

10.110 Each agency must establish and implement procedures to review the BCP at planned intervals and at least on an annual basis. [CP-2; P1]

10.111 Each agency must establish a process to update the contingency plan, including the BIA, when changes to the organization, information system, or environment of operation occur. [CP-2; P1]

10.112 Each agency must provide training to personnel with assigned BCP roles and responsibilities. [CP-3; P2]

10.113 Each agency must establish a process for evaluating the effectiveness of its BCP training. [CP-3; P2]

10.114 Each agency must incorporate simulated events and lessons learned into contingency training to facilitate effective response by personnel with contingency roles when responding to disruption. [CP-3(1); P2]

10.115 Each agency must test the BCP at least annually to determine the effectiveness of the plan and the agency's readiness to execute the plan. [CP-4; P2]

10.116 Each agency must review the BCP test results, record lessons learned and perform corrective actions as needed. [CP-4; P2]

10.117 Each agency must employ standard testing methods, ranging from walk-through and tabletop exercises to more elaborate parallel/full interrupt simulations, to determine the effectiveness of the plan and to identify potential weaknesses in the plans. [CP-4; P2]

10.200 Disaster Recovery: Each agency must ensure that the business functions supporting any critical agency missions can be restored to functionality in the event of catastrophic disruption. [P1]

10.201 Each agency must develop a Disaster Recovery Plan (DRP) that addresses scope, roles, responsibilities, and coordination among organizational entities for reallocating information systems operations to an alternate location. [CP-2, CP-2(1); P1]

10.202 Each agency must establish recovery time objectives for the BIA-identified critical information systems. [CP-2(3); P1]

10.203 Each agency must establish and document procedures to fully restore critical information systems after an incident, minimizing deterioration of the security safeguards originally planned and implemented. [CP-2; P1]

10.204 Each agency must assign disaster recovery roles and responsibilities to key individuals. [CP-2, CP-2(1); P1]

10.205 Each agency must establish a process to ensure that the DRP is reviewed and approved by senior management. [CP-2, CP-2(1); P1]

10.206 Each agency must distribute copies of the DRP to key personnel responsible for the recovery of the critical information systems and other relevant personnel and partners with contingency roles, as determined by the agency. [CP-2, CP-2(1); P1]

10.207 Each agency must establish and implement procedures to review the DRP at planned intervals and at least on an annual basis. [CP-2, CP-2(1); P1]

10.208 Each agency must establish a process to update the DRP when changes to the organization or environment of operation occur. [CP-2, CP-2(1); P1]

10.209 Each agency must identify and establish processes to relocate to an alternate site to facilitate the resumption of information system operations for business-critical functions within the defined recovery objectives (RTO and Recovery Point Objective (RPO)) when the primary site is unavailable due to disruption. [CP-7; P1]

10.210 Each agency must ensure that equipment and supplies required to resume operations at the alternate processing site are available. [CP-7; P1]

10.211 Each agency must ensure contracts are in place with third parties and suppliers to support delivery to the site within the defined time period for transfer/resumption of critical business operations. [CP-7; P1]

10.212 Each agency must ensure that the alternate processing site provides information security safeguards similar to those of the primary site. [CP-7; P1]

10.213 Each agency must identify potential accessibility problems to the alternate site in the event of an area-wide disruption or disaster. [CP-7(2); P1]

10.214 Each agency must establish primary and alternate telecommunication service agreements with priority-of-service provisions in accordance with organizational availability requirements (including RTOs), quality of service and access. [CP-8(1); P1]

10.215 Each agency must establish alternate telecommunications services to facilitate the resumption of information system operations for critical business functions within the defined recovery objectives when the primary telecommunications capabilities are unavailable. [CP-8; P1]

10.216 Each agency must require primary and alternate telecommunication service providers to have contingency plans. [CP-8(4); P1]

10.217 Each agency must establish documented procedures to restore and recover critical business activities from the temporary measures adopted to support normal business requirements after an incident. [CP-10; P1]

10.218 Each agency must implement procedures for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure. [CP-10; P1]

10.219 Each agency must provide the capability to restore information system components within defined restoration time periods from configuration-controlled and integrity-protected information representing a known, operational state for the components (e.g. reimaging methods). [CP-10(4); P1]

10.220 Each agency must establish measures to protect backup and restoration hardware, firmware, and software. [CP-10(6); P1]

0.000 0.000 0 0 0
10.300 Data Backups: Each agency must ensure that the business data supporting any critical agency missions can be restored to functionality in the event of loss or corruption. [P1]

10.301 Each agency must develop, maintain, and document a data backup and storage process that ensures the ability to recover electronic information in the event of failure. [CP-9, CP-1; P1]

10.302 Each agency must identify and apply security requirements for protecting data backups based on the different types of data handled by the agency. [CP-9; P1]

10.303 Each agency must identify an alternate storage site that is separated from the primary site so as not to be susceptible to the same hazards. [CP-6(1); P1]

10.304 Each agency must establish the necessary agreements with the alternate storage site owner to ensure that data storage and retrieval processes are not hindered during or after an incident. [CP-6; P1]

10.305 Each agency must ensure that the alternate storage site provides information security safeguards similar to those of the primary storage site. [CP-6; P1]

10.306 Each agency must identify potential accessibility problems to the alternate storage site in the event of a disruption or disaster. [CP-6(3); P1]

10.307 Each agency must identify secure transfer methods when transporting backup media off-site. [MP-5; P1]

10.308 Each agency must establish and maintain an authorization list for retrieving backups from the off-site location. [P2]

10.309 Each agency must review the security of the off-site location annually to ensure data is protected against unauthorized disclosure or modification while in storage. [CP-9; P1]

10.310 Each agency must establish a process to perform data backups of user-level and system-level information at a defined frequency consistent with the established RTOs and RPOs. [CP-9; P1]

10.311 Each agency must establish safeguards and controls to protect the confidentiality, integrity, and availability of backup information at storage locations. [CP-9; P1]

10.312 Each agency must enforce dual authorization (two-person control) for the deletion or destruction of agency mission-critical data. [CP-9(7); P1]

11.100 Vulnerability Management: Each agency must ensure that its information systems are periodically checked for vulnerabilities, and that findings are appropriately remediated. [P1]

11.101 Each agency must ensure that processes are in place to scan for vulnerabilities in information systems and hosted applications at least annually, and that results are reported to management. [RA-5; P1]

11.102 Each agency must ensure that privileged access to vulnerability scanning tools and vulnerability reports is appropriately controlled. [RA-5(5); P1]

11.103 Each agency must ensure that remediation of identified vulnerabilities is performed in accordance with the agency's risk management criteria and processes. [RA-5; P1]

11.104 Each agency must ensure that penetration testing exercises are performed annually, either by internal resources or by a third-party penetration testing team. [CA-8; P2]

11.200 Incident Management: Each agency must ensure that information security incidents occurring within the agency are appropriately handled. [P1]

11.201 Each agency must develop, document, and internally publish an incident response process that addresses scope, roles and responsibilities, internal coordination efforts, and compliance. [IR-1; P1]

11.202 Each agency's incident response plan must include the following: [IR-8; P1]
- Compatible interaction with the state-level incident response process published by DIS.
- Types of information security incidents to be reported.
- Metrics to ensure incident response capabilities remain effective.
- Resources, such as technology and personnel, required to effectively support incident response capabilities.
- A roadmap for implementing incident response capabilities.

11.203 Each agency must review and update the incident response plan annually. [IR-8; P1]

11.204 Each agency must ensure that information security incident handling processes include preparation, detection and analysis, containment, eradication, and recovery. [IR-4; P1]

11.205 Each agency must ensure the implementation of incident response tools, such as intrusion detection, firewalls, and incident investigation tools, to effectively respond to security incidents. [IR-4(9); P1]

11.206 Each agency must ensure that personnel are required to report suspected information security incidents to the incident response team or agency leadership. [IR-6; P1]

11.207 Each agency must ensure that information systems are sufficiently monitored to detect attacks and/or signs of potential attacks, including unauthorized local or remote network connections. [SI-4; P1]

11.208 Each agency must ensure that monitoring devices are deployed strategically within the information technology environment to collect information security events and associated information. [SI-4; P1]

11.209 Each agency must ensure the protection of information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. [SI-4; P1]

11.210 Each agency must ensure the monitoring of inbound and outbound communications traffic from sensitive information systems for unusual or unauthorized activities or conditions. [SI-4(4); P1]

11.211 Each agency must ensure that information system monitoring activity is appropriately adjusted for new and increased sources of risk. [SI-4; P1]

11.212 Each agency must provide incident response training within one (1) month of personnel assuming incident response roles or responsibilities. [IR-2; P2]

11.213 Each agency must provide training to incident response personnel upon significant changes to information systems and/or changes to the incident response plan. [IR-2; P2]

11.214 Each agency must establish a formal process to test incident response capabilities yearly to determine the effectiveness and adequacy of incident response. [IR-3; P2]

11.215 Each agency must document the incident response test results and update incident response processes as applicable. [IR-3; P2]

11.216 Each agency must ensure malicious code protection mechanisms are employed for information systems to detect and eradicate malicious code. [SI-3; P1]

11.217 Each agency must ensure malicious code protection mechanisms are updated whenever new releases are available. [SI-3; P1]

11.218 Each agency must ensure malicious code protection mechanisms are configured to perform periodic scans at defined time intervals. [SI-3; P1]

11.219 Each agency must ensure malicious code protection mechanisms are configured to send an alert to appropriate personnel, to initiate appropriate actions in response to malicious code detection. [SI-3; P1]

11.300 Patch Management: Each agency must ensure that flaws in its information systems are remediated appropriately. [P1]

11.301 Each agency must develop and implement a process to identify, report, and correct information system flaws. [SI-2; P1]

11.302 Each agency must establish a formal process to test software and firmware updates related to flaw remediation for effectiveness and identification of potential impact prior to implementation. [SI-2; P1]

11.303 Each agency must install the latest stable versions of applicable security software and firmware updates. [SI-2; P1]

11.304 Each agency must establish a patch cycle that guides the normal application of patches and updates to systems. [SI-2, SI-2(5); P1]

11.305 Each agency must establish a patch testing process to verify the source and integrity of the patch and to ensure testing in a production-mirrored environment for a smooth and predictable patch rollout. [SI-7(15); P1]

12.100 Data Classification: Each agency must ensure the information processed, stored, or transmitted by its information systems and information repositories is appropriately classified, so that compliance obligations may be identified. [P1]

12.101 Each agency must categorize data in accordance with applicable statutory, regulatory, and contractual requirements. Each data asset must be classified into one of the following categories: [RA-2; P1]
1. Public: Information intended or required for sharing publicly, where unauthorized disclosure would result in minimal or no risk to the agency.
2. Internal Use: Information that is used in the daily operations of the agency, where unauthorized disclosure would result in little risk to the agency.
3. Confidential: Sensitive information, where unauthorized disclosure may result in considerable risk to the agency.
4. Restricted: Highly sensitive information, where unauthorized disclosure may result in considerable risk to the agency, including statutory penalties.

12.102 Each agency must ensure that users who encounter information that is improperly classified consult with the owner of the information, agency information privacy personnel, or agency information security personnel to determine the appropriate data classification. [RA-2; P1]

12.103 If multiple data fields with different classifications have been combined, the highest classification of information included must determine the classification of the entire set. [RA-2; P1]

12.200 Data Disposal: Each agency must ensure the information stored on its information systems, information repositories, and media is securely erased or destroyed prior to the disposal of the device or media. [P1]

12.201 Each agency must develop a list of approved processes for sanitizing electronic and non-electronic media prior to disposal or re-purposing, based on applicable regulatory requirements. [MP-6; P1]

12.202 Each agency must employ sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information. [MP-6; P1]

12.203 Each agency must implement controls to track the media sanitization and disposal process wherever compliance requirements dictate that such actions be tracked, documented, and verified. Documentation must provide a record of the media sanitized, when and how the media was sanitized, the person who performed the sanitization, and the final disposition of the media. The record of action taken must be maintained in a written or electronic format. [MP-6(1); P1]

12.204 Each agency must test media sanitization equipment and procedures at least annually to ensure correct performance. [MP-6(2); P1]

12.205 Each agency must ensure that electronic media are securely erased prior to being reassigned or released for destruction. [MP-6; P1]

12.206 Each agency must define and implement mechanisms for the disposal of digital media and data storage devices contained in equipment to be released outside of the agency. [MP-6; P1]

12.207 Each agency must destroy hardcopy media containing sensitive information prior to disposal. [MP-6; P1]

12.208 Each agency must monitor the destruction of hardcopy media where required for statutory or regulatory compliance. [MP-6(1); P1]

12.300 Data Protection: Each agency must ensure the information processed, stored, or transmitted during its business processes is appropriately protected. [P1]

12.301 Each agency must ensure that its personnel follow the agency's acceptable use policies when transmitting data. [SC-1; P1]

12.302 Each agency must implement mechanisms to ensure the availability of information in the event of the loss of cryptographic keys by users. [SC-12(1); P1]

12.303 Each agency must implement mechanisms to ensure the confidentiality of private keys. [SC-12; P1]

12.304 Each agency must develop a mechanism to randomly select a key from the entire key space, using effective randomization. [SC-12(2), SC-12(3); P1]

12.305 Each agency must implement appropriate controls to physically and logically safeguard encryption keys through all phases of the key lifecycle, from construction through receipt, installation, operation, and removal from service. [SC-12; P1]

12.306 Each agency must use Federal Information Processing Standards (FIPS) 140-validated technology for encrypting sensitive data. [SC-13; P1]

12.307 Each agency must ensure that sensitive data transmitted by email is securely encrypted. [SC-8(1); P1]

12.308 Each agency must ensure that sensitive information transmitted through a public network is encrypted prior to transmittal, or is transmitted through an encrypted connection. [SC-8(1); P1]

12.309 Each agency must ensure that sensitive information transmitted wirelessly is encrypted prior to transmittal, or is transmitted through an encrypted connection. [AC-18(1), SC-8(1); P1]

12.400 Data Privacy: Each agency must ensure that the interests of data subjects are appropriately protected. [P1]

12.401 Each agency must designate an individual who has primary responsibility for information privacy decisions. [AR-1; P1]

12.402 Each agency must conduct a Privacy Impact Assessment (PIA) for each information system that will handle Personally Identifiable Information (PII). Each PIA should examine the following privacy issues: [AR-2, SE-1, UL-2, DM-2, IP-1, DM-1, IP-4, IP-3; P0]
- What PII is to be collected.
- What is the intended use of the PII.
- What PII will be shared, and with whom.
- How long the PII will be retained.
- What privacy risks are posed by the intended use and sharing of the collected PII.
- What privacy risks are posed by unintended disclosure of the collected PII.
- What steps are taken to inform users about the PII collected and what mechanisms they can use to control it.
- What opportunities individuals have to decline to provide PII.
- What steps are taken to minimize the types of PII collected.
- What mechanisms are available for data subjects to update or correct their PII.
- What opportunities individuals have to remove PII once collected.
- How the PII is to be secured.
- What processes are established to resolve privacy issues.

12.403 Each agency must update PIAs when a system change creates changes in privacy risks. [AR-2; P0]

12.404 Each agency must ensure that PIA documents are reviewed by an agency executive or designee with authority for issues of information privacy. [P0]

12.405 Each agency must require each member of agency personnel and each third party with access to PII to sign a confidentiality agreement defining responsibilities. [AR-5; P0]

12.406 Each agency must publish a privacy web statement on each agency website used by the public. Each website privacy statement should include, as specifically applicable to the site: [TR-3; P0]
- What PII is to be collected.
- What is the intended use of the PII.
- What PII will be shared, and with whom.
- How long the PII will be retained.
- What opportunities individuals have to decline to provide PII.
- What mechanisms are available for data subjects to update or correct their PII.
- What opportunities individuals have to remove PII once collected.
- How the PII is to be secured, in a non-technical summary.
- What processes are established to resolve privacy issues.

13.100 Change Management: Each agency must ensure that changes to information systems are conducted in such a way that disruption to production is minimized, and stakeholders are given appropriate awareness and opportunity for feedback. [P1]

13.101 Each agency must establish a change management process, including the following elements: [CM-3, CM-3(2), CM-4; P1]
- Change requests are handled in a structured way that determines the impact on the operational system and the business processes it supports.
- Changes to production environments, including emergency maintenance and patches, must be formally managed.
- Changes are categorized, prioritized, and authorized.
- After implementation, changes are reviewed to ensure correct functionality.
- Changes to production environments are adequately tested.
- An emergency change process is defined for testing, documenting, assessing, and authorizing changes that do not follow the established change process.

13.200 Configuration Management: Each agency must ensure that information system baseline configurations are managed to minimize the risk of incompatibility and of unauthorized change. [P1]

13.201 Each agency must ensure that system baseline configurations are developed, reviewed, and formally approved for critical information systems and infrastructure components. [CM-2, CM-2(1); P1]

13.202 Each agency must ensure that changes to baseline configurations follow a process to identify, review, perform security impact analysis on, test, and approve such changes prior to implementation. [CM-3, CM-3(2), CM-4; P1]

13.203 Each agency must ensure that baseline configurations are recorded in a central repository, with access restrictions to prevent unauthorized changes. [CM-2, CM-5; P1]

13.204 Each agency must ensure that prior versions of baseline configurations are retained to support rollback. [CM-2(3); P1]

13.205 Each agency must ensure the review and update of baseline configurations periodically, and as an integral part of information system component installations or upgrades. [CM-2(1); P1]

13.206 Each agency must ensure that responsibilities for developing and managing the configuration management process are assigned to personnel who are not directly involved in system development activities. [CM-9(1); P1]

13.300 System Development and Maintenance: Each agency must ensure that system development efforts are performed with appropriate consideration for information confidentiality, integrity, and availability. [P1]

13.301 Each agency must ensure that system security plans are documented for critical enterprise information systems in production and under development. System security plans must provide an overview of the security requirements of the system, and describe the controls in place for meeting the requirements through all stages of the system development life cycle. [PL-2; P1]

13.302 Each agency must ensure that when a system is modified in a manner that affects security, system documentation is updated accordingly. [PL-2; P1]

13.303 Each agency must ensure that a vulnerability assessment is performed on all enterprise information systems undergoing significant changes, before the systems are moved into production. [RA-5; P1]

13.304 Each agency must develop and follow a set of procedures consistent with state procurement standards. [SA-1; P1]

13.305 Each agency must ensure that information systems and services it procures are implemented or conducted in compliance with all provisions of the state's Information Security Program that are applicable to the systems or services being procured. [P0]

13.306 Each agency must ensure that appropriate security controls are implemented at all stages of the information system life cycle. [SA-3; P1]

13.307 Each agency must ensure that outsourced software development is performed in compliance with all applicable provisions of the state's Information Security Program. [SA-9; P1]

13.308 Each agency must ensure that, for any system development effort, separate development, testing, and production environments are established. [CM-2(6), CM-4(1); P1]

13.309 Each agency must not use sensitive production data for testing purposes unless the data has been obfuscated, sanitized, or declassified. If production data must be temporarily used in these environments, appropriate security controls, including management approval, procedures to remove/delete data after completion of tests, and documentation of activities, must be implemented. [SA-15(9); P2]

13.310 Each agency must ensure, for system development efforts, that appropriate testing is performed to ensure correct processing. [SI-10, SI-15; P1]

13.311 Each agency must ensure, for system development efforts, that, where appropriate, controls are implemented to ensure user session isolation, information integrity, and protection of information transmission. [SC-23; P1]

13.400 Release Management: Each agency must ensure that information system version releases into production are conducted in a way that minimizes risk to the confidentiality, integrity, and availability of those systems. [P1]

13.401 Each agency must ensure that production-ready release packages of mission-critical systems are deployed using the release management lifecycle (i.e., plan, prepare, build and test, pilot, and deploy). [SA-2; P1]

13.402 Each agency must determine, as part of the release planning process: [SA-2; P1]
- Resources required to deploy the release.
- Build and test plans prior to implementation.
- Pass/fail criteria.
- Pilot and deployment plans.
- Requirements for the release.

13.403 Each agency must document, as part of a system release, the set of tools and processes used to manage the IT release lifecycle, and the prioritization of the release. [SA-5; P2]

13.404 Each agency must validate the release design against the requirements, and identify the risks and potential issues. [SA-5; P2]

13.405 Each agency must implement standardization and enforce operational controls through the use of change requests for deploying releases into production. [SA-8; P1]

Dropdown Lists
Compliance: non-applicable, partial, full
Remediation Effort (weight): large = 100, medium = 10, small = 1, blank = 0