DOE EM RMAIP 1 of 243
Office of Environmental Management (EM) Cyber Security Policy and Risk Management Approach Implementation Plan
February 2014
Office of Environmental Management, U.S. Department of Energy
Washington, DC
Table of Contents
SCOPE........................................................................................................................................................... 5
APPENDICES .............................................................................................................................................. 5
REFERENCES ............................................................................................................................................. 6
INTRODUCTION ........................................................................................................................................ 6
AUTHORIZING OFFICIAL .............................................................................................................11
AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE ..............................................................11
EM CYBER SECURITY PROGRAM MANAGER .................................................................................12
RISK EXECUTIVE (RE) ................................................................................................................12
INFORMATION SYSTEM SECURITY MANAGER ................................................................................13
CERTIFICATION AGENT (CA) .......................................................................................................14
INFORMATION SYSTEM SECURITY OFFICER (ISSO) ......................................................................14
INFORMATION TECHNOLOGY CONTINGENCY PLANNING DIRECTOR ..............................................14
DATABASE ADMINISTRATOR (DBA) .............................................................................................15
APPLICATION ADMINISTRATOR (AA) ............................................................................................15
NETWORK DEVICE ADMINISTRATOR (NDA) .................................................................................15
CONTRACTING OFFICER (CO) ....................................................................................................16
CORE CONTROLS ....................................................................................................................................17
PROGRAM MANAGEMENT CONTROLS............................................................................................19
EM CENTRAL REPOSITORY, EGOV RISK PORTFOLIO MANAGER (EGOV RPM) ................22
EM CM TEAM RESPONSIBILITIES FOR WORKING WITH EM SITES.......................................23
EM SITES CONTINUOUS MONITORING RESPONSIBILITIES......................................................24
INHERITED CONTROL GUIDANCE ....................................................................................................27
AO’S ANNUAL REAUTHORIZATION RESPONSIBILITIES............................................................27
NATIONAL SECURITY SYSTEMS ........................................................................................................27
FEDERAL INFORMATION SYSTEMS MANAGEMENT ACT OF 2002 ..........................................28
EM HQ MISSION INFORMATION PROTECTION PROGRAM (MIPP) SUPPORT AND PARTICIPATION .......................................................................................................................29
CONTINGENCY PLANNING ..................................................................................................................30
CONTRACTOR REQUIREMENTS, SYSTEM ACQUISITION AND SERVICES............................31
SUPPLY CHAIN RISK MANAGEMENT ...............................................................................................31
DOE’S ENHANCED CYBER SECURITY SERVICES (DEX)..............................................................32
MOBILE DEVICE GUIDELINES FOR FOREIGN TRAVEL..............................................................32
FOREIGN NATIONALS............................................................................................................................32
HSPD-12 REQUIREMENTS AND PROJECTED MILESTONES .......................................................33
IPV6 REQUIREMENTS AND PROJECTED MILESTONES...............................................................33
DOMAIN NAME SYSTEM SECURITY EXTENSIONS (DNSSEC) ....................................................34
INDUSTRIAL CONTROL SYSTEMS .....................................................................................................34
WIRELESS INFORMATION SYSTEMS................................................................................................34
CONTROLLED UNCLASSIFIED INFORMATION (CUI) PROTECTION.......................................35
APPENDIX A – NIST SP 800-53 REV 4 SECURITY CONTROLS AND GUIDANCE ......................36
APPENDIX B – NSS SECURITY CONTROLS.....................................................................................121
APPENDIX C – NIST SP 800-53 REV 4 CONTROL FAMILY POLICIES.......................................219
APPENDIX D – EM CONTRACTOR REQUIREMENTS...................................................................234
ACRONYM LIST......................................................................................................................................242
Purpose
The purpose of this document is to implement the Department of Energy (DOE) Risk Management Approach (RMA), as described in DOE O 205.1B, Chg. 2, Department of Energy Cyber Security Program, within the Office of Environmental Management (EM). This document cancels the DOE Office of Environmental Management Program Security Plan, dated February 2009. This document is the Senior DOE Management (SDM) Cyber Security RMA Implementation Plan (IP) for EM Headquarters (HQ) and EM sites.
Scope
This RMAIP sets forth EM policy concerning cyber security requirements and provides EM sites with guidance and, where applicable, direction concerning specific requirements. The requirements found in this document are in addition to the requirements set forth in National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS)/Special Publications (SP), Committee on National Security Systems (CNSS) publications, and DOE O 205.1B, Chg. 2. The latest versions of NIST, FIPS and CNSS documents should be used in accordance with contractual requirements. For the purposes of this document, the term "sites" includes EM HQ, sites and facilities.
Applicability
This document applies to all EM sites and their respective information processing systems, both government-owned and government-owned/contractor-operated systems, that process, store, or communicate EM information/data. Field managers are to ensure that contractor-developed Risk Management Approach documents required by DOE O 205.1B, Chg. 2, Attachment 1, meet the requirements of this RMAIP.
This document also applies to National Security Systems (NSS) operating on behalf of or located on EM sites that process, store, or communicate sensitive information (see NIST SP 800-59 for determination of NSS systems). EM sites must use DOE O 205.1B, Chg. 2, the most current versions of the NIST SP 800 series specific to cyber security/accreditation, and CNSS publications specific to the accreditation of NSS. The Office of Corporate Information Technology, EM-72, has prepared Appendix B – NSS Security Controls, to assist the sites in system categorization and implementation of the CNSS security controls. EM sites also must use the latest version of NIST SP 800-82 for securing the Industrial Control Systems (ICS) that collect, process, or store data to support the EM mission.
Questions regarding this document should be directed to the EM Cyber Security Program Manager (EM CSPM) at [email protected].
Appendices
Appendix A – NIST SP 800-53 Rev 3 Security Controls and Guidance
Appendix B – NSS Security Controls
Appendix C – NIST SP 800-53 Rev 3 -1 Control Policies
Appendix D – EM Contractor Requirements
Appendix E – NIST SP 800-27 Rev A Engineering Principles
Appendix F – Sanitization and Disposal of Media and Mobile Devices
References
The most current versions of these documents are to be used by sites to secure IT systems that support the site missions.
1. Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002
2. Office of Management and Budget (OMB) Circular A-130, Appendix III, 2000
3. DOE Order 205.1B, Chg. 2, DOE Cyber Security Management, May 2011
4. DOE Order 206.2, Identity, Credential, and Access Management, Feb 19, 2013
5. DOE 470.4-1B, Chg. 1, Safeguards and Security Program, July 2011
6. DOE Order 142.3A, Unclassified Foreign Visits and Assignments Program, October 14, 2010
7. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006
8. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004
9. NIST SP 800-18 (Feb 2006), 800-30 (Sept 2012), 800-34 (May 2010), 800-37 (Feb 2010), 800-40 (Sept 2012), 800-52 (2005), 800-53 (April 2013), 800-63 (Feb 2013), 800-71, 800-73 (May 2013), 800-76 (July 2012), 800-78 (May 2013), 800-81 (April 2010), 800-82 (April 2013), 800-88 (Sept 2012), and 800-100 (Oct 2006)
10. Committee on National Security Systems (CNSS) 1253 (March 2012)
Introduction
EM information and information systems are critical to successful mission and business operations, and are dependent on the underlying information technology (IT) infrastructure. IT systems have become vital to performing and protecting the EM mission, assets, and personnel, and must be protected in a manner commensurate with the impact to EM's mission, acceptable risk levels, security requirements, and potential magnitude of harm. Disruption of IT systems can cause delays in achieving mission milestones, productivity losses, loss of critical data, and can create data integrity issues that negatively impact mission success.
Secure IT solutions will enable EM to:
- Be more efficient and productive in delivering IT services to meet or exceed cleanup milestones
- Execute business operations that result in more waste shipments and lower life-cycle cost
- Increase productivity
- Leverage secure and enhanced wireless services for more efficient waste monitoring, processing, removal, inventory, and storage
- Decrease energy costs by producing greener IT services
As government IT systems continue to be the target of daily, sophisticated security attacks, signature-based protection programs, annual assessments and three-year static certification and accreditation (C&A) processes are no longer effective against this advanced persistent threat. Systems change, threats emerge, and sophisticated attacks occur on a daily basis. Only active monitoring of security controls supports the timely detection, analysis, eradication, and incident response activities these attacks require.
FISMA requirements, OMB memoranda/policy, and NIST standards and guidelines require a Continuous Monitoring (CM) approach for all Federal agency systems, whether operated by federal or contractor staff. CM is the process required to constantly monitor the security posture and risk levels of an accreditation boundary or system to make certain that changes or successful attacks have not degraded the performance, affected the level of security controls, or created vulnerabilities in an IT system. The objective of a CM process is to determine if the complete set of planned, required, and deployed security controls within an information system, or controls inherited by the system, continue to be effective and adequate over time. A key aspect of a correctly planned and executed CM process is ensuring that current security controls are adequate to mitigate newly discovered threats, access or use violations, escalation of privileges, alteration of configurations, loss of confidentiality, and changes in data integrity or availability. CM also requires additional controls, above and beyond the NIST SP 800 series, to be developed and implemented to mitigate evolving threats. When tailoring controls, EM HQ and EM sites are encouraged to add controls specific to their site and mission that may not be identified in NIST documentation.
An effective CM process validates that security safeguards are implemented correctly, operating as intended, and producing valid security results sufficient to protect the system. CM is used to stay abreast of malicious activity, evolving threats, and identified vulnerabilities to enable sound decision making. This means that sites are expected to be proactive in meeting these new threats, vulnerabilities, and attacks without waiting for contractual changes in their respective contracts. It is also expected that federal and contractor staff will take appropriate action, based on sound risk-management decisions, to mitigate the evolving threat. This includes updating hardware and software that is outdated and unsupported by vendors, purchasing additional tools as technology advances, and mitigating any vulnerability due to technological advancements. IT systems must evolve based on the threat. As hardware and software is updated or replaced, site IT staff should use sound engineering principles, as identified in NIST SP 800-27 (as modified), while conducting daily tasks. Appendix E is provided as guidance for sites concerning engineering principles as they apply to IT systems.

A key component of CM is the continuous assessment of risk and the deployment of controls in a timely manner to mitigate the risk to an acceptable level. The Department's RMA, as documented in DOE O 205.1B, Chg. 2, governs the continuous assessment of risk. EM sites must use the six steps of the Risk Management Framework (RMF) (categorization, selection of security controls, implementation of controls, assessment of the security controls, system authorization to operate, and continuous monitoring), including a full Security Test and Evaluation (ST&E) for Authority to Operate (ATO), as required by FISMA and addressed in the NIST SP 800 series documents, for initial accreditation of a system and to protect DOE information systems and data. Currently, all EM systems have an ATO and have varying reauthorization dates. Systems currently authorized to operate must follow the Department's RMA, CM, and Continuous Authorization to Operate (CAO) instructions outlined in this document.
Cloud computing must use the Federal Risk and Authorization Management Program (FedRAMP) select controls for accreditation if providing cloud services to other programmatic elements or federal agencies. Cloud services that are purchased must use the FedRAMP services to ensure that they are accredited to federal standards. Purchase agreements must contain appropriate language to ensure that the provider of service is FedRAMP accredited.
At the end of the CM year, the accumulation of scan results, verified data documents, updated Risk Assessment (RA), and Plan of Action and Milestones (POA&M) will allow the Authorizing Official (AO) to make a risk-based decision on the system's ATO. The CM year begins the day the ATO is signed by the AO.
The CM process outlined in this document moves EM sites from a document-intensive, three-year certification process to a more proactive, less laborious, and less expensive CM process which will result in a risk-based decision annually regarding the ATO of the system(s). This RMAIP will be periodically updated and revised to reflect new and ongoing cyber security risks and issues, as well as changes to national policy, Departmental policy, and other security guidance.
Department of Energy Risk Management Approach (RMA)
For systems that are currently operational and have an ATO, the Department's RMA (see Fig. 1) is a four-step process used in the assessment of risk during step 6 (see Fig. 2) of the NIST Risk Management Framework (RMF). The RMA integrates into the NIST RMF, a six-step process that addresses the life cycle of an information system. These two concepts are to be used in the management of risk for all EM IT systems. The first three steps of the RMA integrate into RMF step 2 (select security controls) and RMF step 3 (implement security controls) when authorizing a new system (see Fig. 2). Step 4 of the RMA is to be used in concert with, and replaces, RMF step 6 (see Fig. 2). The RMA specifically calls out the stakeholders that should be involved in the risk determination and mitigation process.
The RMA deals mainly with the identification, monitoring, and management of risk based on mission needs. All operational and accredited systems should be in the CM step of the RMF. New systems, not yet accredited or approved for operation by the AO, must undergo the entire six-step RMF and four-step RMA before they are allowed to operate, unless given temporary and conditional authorization by the AO. If mission dictates that a system must become operational, the AO has the authority to grant conditional authorization to operate prior to a full certification of the system. The four-step RMA is to be used to assess risk when major changes in the system, threat, or risk are identified for all systems operating with a current ATO. For systems that are already operational, the four-step RMA is used to assess risk and to make risk-based decisions for future ATOs.
In order to accomplish the assessment of risk, a Business Impact Assessment (BIA) must be conducted. Each system must have a current BIA on file, or be identified in a BIA for the site network, with the authorization documentation. The BIA must be completed with input from the business stakeholders, IT staff, and system owners. A single BIA for an entire network, regardless of the number of authorized boundaries, is an acceptable approach.
Figure 1: DOE Risk Management Approach (RMA) Process (diagram; text recovered from the figure). The process is framed at two tiers, the DOE Department RMA and the Senior DOE Management (SDM) Cyber Security RMA Implementation Plans (IP), with communications flowing among all four steps:

Step 1: Risk Framing
  Involves: SDM & Federal Site Manager, Senior Site Manager, Authorizing Official
  Inputs: Threat Statements, Risk Response, Risk Monitoring
  Activities: Establish risk assumptions, constraints, & tolerance; ID priorities & trade-offs
  Outputs: Risk Management Strategy communicated to AO and Site CIO

Step 2: Risk Assessment
  Involves: Authorizing Official, Site CIO
  Inputs: SDM RMA IP, Risk Response, Risk Monitoring
  Activities: ID threats and vulnerabilities; Determine risk in context of mission
  Outputs: Risk Determination, Residual Risk, Resource Requirements

Step 3: Risk Response
  Involves: Authorizing Official, Site CIO
  Inputs: Risk Assessment, SDM RMA IP, NIST Requirements & Guides
  Activities: ID and evaluate risk response alternatives; Determine appropriate risk response; Implement cyber security protections
  Outputs: Approved & implemented cyber security protections

Step 4: Risk Monitoring
  Involves: Federal Site Manager, Senior Site Manager, Authorizing Official
  Inputs: Approved cyber security protections, Risk Management Strategy
  Activities: Risk monitoring strategy; Risk monitoring; Contractor assurance; Federal oversight
  Outputs: Cyber security effectiveness evaluation; RMA process assessment

Figure 2: How the RMF and RMA work together for EM (process overview diagram; text recovered from the figure). Starting point: Architecture Description (Architecture Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries) and Organizational Inputs (Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations). Risk Management Framework, repeated as necessary: Step 1 Categorize Information System; Step 2 Select Security Controls; Step 3 Implement Security Controls; Step 4 Assess Security Controls; Step 5 Authorize Information System; Step 6 Monitor Security Controls. RMA steps overlaid on the RMF: RMA Step 1 Risk Framing; RMA Step 2 Risk Assessment; RMA Step 3 Risk Response; RMA Step 4 Risk Monitoring.
Roles and Responsibilities
This section describes the roles and responsibilities of key participants involved in an organization's CM process. Recognizing that staffing is a concern, care must be taken to ensure separation of duties is adhered to when appointing these roles. One individual may perform multiple roles as long as an insider threat vulnerability is not created. An insider threat may be presented by a malicious user who has approved access to EM information and information systems and who can use that access to cause damage or steal sensitive information and system components. The key participants and their responsibilities are described below.
Authorizing Official
1. Must be a federal employee appointed in writing by the Assistant Secretary for EM.
2. Ensures that the requirements of the RMAIP are implemented.
3. Accepts risk for the operation of an IT system.
4. Directly appoints, in writing, a federal employee as the AO Designated Representative (AODR).
5. Furnishes a copy of the appointment letter for the AODR to the Cyber Security Program Manager at EM Headquarters as well as the site Information System Security Manager (ISSM) within 60 days of appointment.
6. Appoints a new or Acting AODR in the event of personnel turnover or extended absence of the AODR. An appointment letter for a new or Acting AODR must be disseminated within twenty-one (21) business days of the departure of the previous AODR.
7. Ensures direct access to the AODR for all cyber security matters.
8. Receives, at least quarterly, a formal cyber security status briefing directly from the AODR.
9. Ensures that personnel are appointed, in writing, to the roles of System Owner, ISSM, Information System Security Officer (ISSO), and Information Technology Contingency Planning Director.
Authorizing Official Designated Representative
1. Must be a federal employee appointed in writing by the AO.
2. Acts on behalf of the AO (e.g., holds meetings, reviews SSPs, determines major vs. minor changes) as specified in the appointment letter.
3. Acts for the AO, but cannot formally accept risk to operate any system.
4. Maintains continual awareness of the cyber security posture of the AO's area of responsibility, in coordination with the ISSM and other individuals as necessary.
5. Coordinates the formal written appointments of the System Owner, ISSM, ISSO, and IT Contingency Planning Director with the AO and other appropriate site-level management personnel.
6. Develops and presents a formal cyber security status briefing to the AO on a quarterly basis, or more frequently at the AO's request.
EM Cyber Security Program Manager
1. Must be a federal employee located at EM HQ with cyber security responsibilities for the EM IT enterprise.
2. Maintains the RMAIP so that it remains consistent with the DOE RMA and with current federal cyber security policies.
3. Conducts cyber security oversight for the enterprise.
4. Justifies the need for and coordinates the implementation of standard solutions for cyber security concerns across the enterprise.
5. Delivers quarterly and annual FISMA reports and responds to all OMB and Chief Information Officer (CIO) data calls.
Risk Executive (RE)
The RE is a function performed by an individual or group within an organization that helps to ensure that: (1) risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and (2) management of information system-related security risk is consistent across an organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success. A group may be comprised of federal staff and contractors but must be led by a federal employee. The RE coordinates with the senior leadership of an organization to:
1. Provide a comprehensive, organization-wide, holistic approach for addressing risk, an approach that provides a greater understanding of the integrated operations of the organization.
2. Develop a risk management strategy for the organization providing a strategic view of information security-related risks with regard to the organization as a whole.
3. Facilitate the sharing of risk-related information among authorizing officials and other senior leaders within the organization.
4. Provide oversight for all risk management-related activities across the organization (e.g., security categorizations) to help ensure consistent and effective risk acceptance decisions.
5. Ensure that authorization decisions consider all factors necessary for mission and business success.
6. Provide an organization-wide forum to consider all sources of risk (including aggregated risk) to organizational operations and assets, individuals, other organizations and the Nation.
7. Promote cooperation and collaboration among authorizing officials to include authorization actions requiring shared responsibility.
8. Ensure that the shared responsibility for supporting organizational mission/business functions using external providers of information and services receives the needed visibility and is elevated to the appropriate decision-making authorities.
9. Identify the organizational risk posture based on the aggregated risk to information from the operation and use of the information systems for which the organization is responsible.
The RE does not require a specific organizational structure and can be assigned to any one individual or group within the organization. The head of the agency/organization may choose to retain the RE function or to delegate the function to another official or group (e.g., an executive leadership council). The AO must appoint a RE for each system.
System Owner
The System Owner may be a federal or contractor employee that directly supports contingency planning activities described in the RMAIP Contingency Planning section. The System Owner:
1. Identifies appropriate personnel to serve on teams to perform the recovery and reconstitution activities described in each site's IT Contingency Plan.
2. Ensures that recovery and reconstitution team members receive appropriate annual training.
3. Meets with the IT Contingency Planning Director on a quarterly basis to review team assignments and readiness.
4. Participates in the BIA process.
5. Prepares a business continuity of operations plan for use in the event that a long network outage is observed.
Information System Security Manager
1. The ISSM can be a contractor or federal employee appointed, in writing, by site management. The ISSM for each EM field site can be a federal employee charged with the management responsibility for system security or the contractor employee that reports to the federal employee charged with the management responsibility for system security.
2. The ISSM's area of responsibility and authority is site-wide in scope and includes both EM federally-owned systems as well as contractor systems which store or process EM-owned data.
3. The ISSM maintains appointment letters for personnel in the ISSM's area of responsibility.
4. The ISSM is responsible for disseminating the RMAIP to all personnel (including contractors) in the ISSM's area of responsibility.
5. The ISSM cannot perform the role of Certification Agent (CA) for accreditation boundaries where the ISSM has management authority over the ISSO or other personnel (such as contractors) developing C&A documentation. The CA's role must be performed by an independent party.
6. The ISSM ensures that at least one database administrator (DBA), application administrator (AA) or network device administrator (NDA) attends an annual security training class, conference, or workshop. An example may include the Information Management Conference (IMC) or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
Certification Agent (CA)
1. The CA may consist of federal employees or contractors.
2. The CA is an individual or group that has complete management independence from the personnel that developed the C&A documentation being certified.
3. The CA conducts a comprehensive evaluation of the security controls employed within or inherited by an information system to determine the overall effectiveness.
4. The CA recommends corrective actions to address identified vulnerabilities.
5. The CA writes the Security Assessment Report (SAR) and presents it to the AO. The AO has discretion to accept or mitigate any vulnerability found in the SAR.
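The separation-of-duties rules stated in this Roles and Responsibilities section (AO and AODR must be federal employees, the AODR is appointed by the AO, the RE group must be led by a federal employee, and the CA must be managerially independent of everyone who prepared the C&A documentation, which is why an ISSM who manages the ISSO cannot be the CA for that boundary) are easy to violate when one person holds several roles. The following script is an added example, not part of the RMAIP or any EM site's tooling, that encodes those rules as a check over a roster of appointments. The data model (a person record with a single `manager` link, a boundary record naming its ISSO, CA and documentation preparers) and all names in the sample roster are assumptions for illustration.

```python
"""Separation-of-duties check for RMAIP role appointments (added example).

Encodes the appointment rules from the Roles and Responsibilities section:
  - AO and AODR are federal employees; the AODR is appointed by the AO.
  - The RE may be a mixed federal/contractor group but is led by a federal employee.
  - The CA has complete management independence from whoever prepared the C&A
    documentation. The rule that an ISSM who manages the ISSO cannot also be
    the CA for that boundary is one case of this check.
The data model and the roster below are assumptions made for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    name: str
    federal: bool
    manager: Optional[str] = None      # direct supervisor, if any (assumed model)


@dataclass(frozen=True)
class Boundary:
    name: str
    isso: str
    ca: str
    doc_preparers: tuple[str, ...]     # staff who developed the C&A documentation


@dataclass
class Site:
    people: dict[str, Person]
    ao: str
    aodr: str
    aodr_appointed_by: str
    issm: str
    re_lead: str
    boundaries: tuple[Boundary, ...]


def management_chain(people: dict[str, Person], name: str) -> set[str]:
    """Every supervisor above `name`, following `manager` links upward."""
    chain: set[str] = set()
    cur = people[name].manager
    while cur is not None and cur not in chain:   # guard against cyclic data
        chain.add(cur)
        cur = people[cur].manager
    return chain


def check_appointments(site: Site) -> list[str]:
    """Return one finding per violated appointment rule (empty list means clean)."""
    p, findings = site.people, []
    for role, who in (("AO", site.ao), ("AODR", site.aodr)):
        if not p[who].federal:
            findings.append(f"{role} {who} is not a federal employee")
    if site.aodr_appointed_by != site.ao:
        findings.append(f"AODR {site.aodr} was not appointed by the AO")
    if not p[site.re_lead].federal:
        findings.append(f"RE lead {site.re_lead} is not a federal employee")
    for b in site.boundaries:
        # The ISSO runs C&A day to day, so count the ISSO among the preparers.
        preparers = sorted(set(b.doc_preparers) | {b.isso})
        if b.ca in preparers:
            findings.append(f"{b.name}: CA {b.ca} prepared the documentation being certified")
            continue
        for person in preparers:
            if b.ca in management_chain(p, person):
                findings.append(f"{b.name}: CA {b.ca} has management authority over {person}")
            elif person in management_chain(p, b.ca):
                findings.append(f"{b.name}: CA {b.ca} reports to documentation preparer {person}")
    return findings


# Constructed sample roster (fictitious names). SiteNet-1 uses an independent
# assessor as CA; SiteNet-2 names the ISSM, who manages the ISSO, as CA.
EXAMPLE_PEOPLE = {q.name: q for q in (
    Person("A. Federal-AO", True),
    Person("B. Federal-AODR", True, manager="A. Federal-AO"),
    Person("C. Issm", False),
    Person("D. Isso", False, manager="C. Issm"),
    Person("E. Analyst", False, manager="D. Isso"),
    Person("F. Assessor", False, manager="G. Director"),
    Person("G. Director", False),
)}
EXAMPLE_SITE = Site(
    people=EXAMPLE_PEOPLE, ao="A. Federal-AO", aodr="B. Federal-AODR",
    aodr_appointed_by="A. Federal-AO", issm="C. Issm", re_lead="A. Federal-AO",
    boundaries=(
        Boundary("SiteNet-1", isso="D. Isso", ca="F. Assessor", doc_preparers=("E. Analyst",)),
        Boundary("SiteNet-2", isso="D. Isso", ca="C. Issm", doc_preparers=("E. Analyst",)),
    ),
)

if __name__ == "__main__":
    for finding in check_appointments(EXAMPLE_SITE):
        print(finding)
```

Run against the sample roster, the check passes SiteNet-1 and reports two findings for SiteNet-2, one for each documentation preparer the ISSM-as-CA has management authority over. The same function can be run over an exported appointment-letter register whenever the ISSM updates it, so that a role consolidation made for staffing reasons is caught before the AO relies on the resulting SAR.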
Information System Security Officer (ISSO)
1. The ISSO is the primary individual responsible for the day-to-day operation, coordination and execution of security functions, C&A, and all CM activities. A properly cleared and qualified contractor may hold this role. The ISSO coordinates the identification and appointment of Project Security Officers (PSO) with the ISSM and other management officials.
2. The ISSO directly participates in configuration management oversight procedures relevant to the accreditation boundaries that the ISSO oversees.
3. The ISSO meets with the ISSM and PSOs, at minimum, twice per month.
4. The ISSO disseminates the RMAIP to all PSOs within their accreditation boundaries.
Information Technology Contingency Planning Director
1. The IT Contingency Planning Director is appointed at EM field sites by the AODR. A qualified contractor or federal employee with the proper security clearance may hold this role.
2. The IT Contingency Planning Director analyzes and notifies the system owner, ISSM, and other appropriate management personnel of any staffing needs necessary to perform the recovery and reconstitution activities described in each site's Contingency Plan and Project Managers' Contingency Plans.
3. The IT Contingency Planning Director meets with system owners on a quarterly basis to review staffing assignments, contingency plan update status, integration with business continuity of operations or contingency plans, contingency plan testing status, contingency planning POA&M remediation status, and any other matters related to contingency planning.
4. The IT Contingency Planning Director documents a test of the Contingency Plan at least annually. Actual documented use of the Contingency Plan (e.g., in responding to an actual event) may substitute for such a test.
Database Administrator (DBA)
1. A DBA may be a federal or contractor employee.
2. The DBA is responsible for performing administratively privileged functions on a relational database software product. Privileged functions include but are not limited to configuring database startup parameters, adding and deleting database-level user IDs, granting and revoking rights for users, and creating or modifying table space definitions. A contractor may hold this role with the proper security clearances and background.
3. At least one DBA must attend annual security training such as a SANS training event or the DOE IMC; that individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
4. The DBA implements patching requirements on database software products.
5. The DBA implements password management requirements on database software products.
6. The DBA implements the audit logging requirements on database software products.
Application Administrator (AA)
1. An AA may be a federal or contractor employee.
2. The AA is responsible for performing privileged functions in a web-based software application, client-server application, electronic mail server, or other type of application server. Privileged functions include but are not limited to configuring application startup parameters, adding and deleting application user IDs, and granting and revoking folder/workspace permissions for users. A contractor may hold this role with the proper security clearances and background.
3. At least one AA must attend annual security training such as the DOE IMC or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
4. The AA implements patching requirements on applicable software applications.
5. The AA implements password management requirements on applicable software applications.
Network Device Administrator (NDA)
1. An NDA may be a federal or contractor employee.
2. The NDA is responsible for performing privileged functions on network infrastructure equipment such as switches, routers, firewalls, remote access equipment, virtual private networking (VPN) equipment and wide area networking (WAN) equipment, hereafter referred to as "network devices." A contractor may hold this role with the proper security clearances and background.
3. At least one NDA must attend annual security training such as the DOE IMC or a SANS training event. That individual is responsible for bringing the information back to the site for dissemination to all appropriate personnel.
4. The NDA implements patching requirements on network devices.
5. The NDA implements password management requirements on network devices.
6. The NDA implements audit logging requirements on network devices.
Contracting Officer (CO)
The CO is a federal employee.
1. The CO ensures the RMAIP is incorporated in EM contracts.
2. The CO ensures that fee awards consider cyber security performance; see Appendix D for guidance. Cyber security performance must be considered when calculating fee in all fee-based contracts. Fee should not be affected by an intrusion into a network or system by an outside entity, but should be negatively affected if sites do not report those incidents in a timely fashion and in accordance with DOE Joint Cybersecurity Coordination Center (JC3) guidance. Not all intrusions are preventable; therefore early detection should be rewarded.
3. The CO works with local IT staff to determine metrics and measure performance.
4. The CO ensures that the EM HQ CSPM has input to fee decisions, based on contractor cooperation in the deployment of HQ EM-provided tools during site assessments.
5. The CO incentivizes contractors to work together, partner, and share IT solutions and infrastructure to save energy and funding through efficiencies and consolidation where it makes sense.
General Instructions for Continuous Monitoring
Unless otherwise superseded by statute or other Federal policy, directive or guidance, all EM sites must use the instructions in DOE O 205.1B, Chg 2, and this RMAIP (or latest authorized version) to comply with security requirements in defining the risk management processes and mission-adjusted minimum security control baseline requirements necessary for ensuring the protection of unclassified and classified information systems, commensurate with risk and mission needs.

The objective of the RMAIP is to improve EM's organizational protection of information systems and data. All EM systems/accreditation boundaries have some level of sensitivity and require protection as part of good risk management framework practice. The protection of a system must be documented in a site's accreditation boundary System Security Plan (SSP). The SSP must contain the system's categorization, system description, a high-level diagram, subsystems, review of security requirements, monitoring strategy, security controls provided by any hosted software (major application), implemented controls with an implementation description, controls tailored out with justification, and accepted risk due to the tailoring process. Security plans are required to be reviewed and updated within eGov Risk Portfolio Manager (eGov RPM) at least annually. The role of eGov RPM is discussed below.
The AO for each EM accreditation boundary or site, working in conjunction with the EM CSPM, is responsible for ensuring the confidentiality, integrity, and availability of EM information systems/data and that the systems are operated in accordance with CNSS, NIST, and DOE policies and directives.

Senior DOE management, the Federal Site Manager, the contractor's senior IT manager, and the Site IT Director must annually conduct or review an Organization Impact Assessment/BIA and perform a system risk assessment to determine the acceptable level of risk for an accreditation boundary. These assessments are also used to determine a "mission-adjusted minimum security controls baseline" for a site's system(s). These assessments must be performed for unclassified and classified systems. Performing the assessments provides the necessary information for the AO to determine the correct tailoring of mission minimum security baseline controls for ATO decisions and CM planning and execution.

The RE, AO, ISSM, ISSO, and site program offices must participate in and agree on the organization risk assessments, system categorization level, and the correct selection of mission baseline security controls to be implemented on the accreditation boundary or system. The EM CSPM is available during these processes as required.

A senior-level federal employee must hold the AO function and responsibility. This is essential to ensure that the individual has an overall understanding of the budgetary, mission operation, and organizational requirements of the accreditation boundary, as well as the authority to make decisions concerning such systems.

The site AO is responsible for accepting the tailoring of security controls and the decision not to implement a security control. Tailoring decisions must be documented in the SSP with a justification and documentation of any resulting vulnerability or elevated security risk incurred. The site AO can also elect to implement a compensating (equivalent) security control, provided it affords the same protection as the replaced control and provides an acceptable level of risk. The use of compensating controls should be documented in the SSP.

The mission-adjusted baseline security controls must be implemented, tested, and documented in an SSP. Sites must perform CM on mission-adjusted minimum security control baselines. eGov RPM must be used to build SSPs and POA&Ms. All CM artifacts such as ATOs, audit reports, scan results, incident reports, contingency plans, and other security documents must be uploaded to eGov RPM.
Core Controls
Core controls must be implemented and must not be tailored out unless a waiver is requested from and granted by the EM CSPM for any core control that is not implemented. Core controls are listed in the table below.
Table 1. Core Controls
Columns: row; Cntl. #; Enhancement # (0 = base control, "-" = none); control part; Control Name; NIST SP 800-53 Control Requirement.

1. AC-5, enh. 0, part a: Separation of Duties
   The organization: Separates [Assignment: organization-defined duties of individuals];
2. AC-6, enh. 0: Least Privilege
   The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
3. AC-8, enh. 0, part a.1: System Use Notification
   The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system;
4. AU-6, enh. 0, part a: Audit Review, Analysis, and Reporting
   The organization: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
5. CA-5, enh. 0, part a: Plan of Action and Milestones
   The organization: Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
6. CM-2, enh. 0: Baseline Configuration
   The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
7. CM-3, enh. -, part b: Configuration Change Control
   The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
8. CM-7, enh. 1, part a: Least Functionality
   The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
9. CP-4, enh. 0, part a: Contingency Plan Testing and Exercises
   The organization: Tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
10. IA-2, enh. 1: Identification and Authentication (Organizational Users)
   The information system uses multifactor authentication for network access to privileged accounts.
11. IA-2, enh. 2: Identification and Authentication (Organizational Users)
   The information system uses multifactor authentication for network access to non-privileged accounts.
12. IR-3, enh. 0: Incident Response Testing and Exercises
   The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.
13. IR-4, enh. 0, part a: Incident Handling
   The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
14. IR-6, enh. 0, part b: Incident Reporting
   The organization: Reports security incident information to [Assignment: organization-defined authorities].
15. MA-2, enh. 0, part d: Controlled Maintenance
   The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
16. MP-5, enh. 4: Media Transport
   The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
17. PL-4, enh. 0, part b: Rules of Behavior
   The organization: Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
18. SA-8, enh. 0: Security Engineering Principles
   The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
19. SC-28, enh. -: Protection of Information at Rest
   The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
Program Management Controls
The information security program management (PM) controls described in this section complement the security controls in Appendix A and focus on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.
Columns: Cntl. #; Enhancement # (0 = base control); control part; Control Name; NIST SP 800-53 PM Control Requirement; EM Implementation.

PM-1, enh. 0, part a: Information Security Program Plan
   Requirement: The organization develops and disseminates an organization-wide information security program plan that:
   - Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
   - Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
   - Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
   - Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), individuals, other organizations, and the Nation;
   EM Implementation: The RMAIP serves as the Information Security Program Plan for EM. The RMAIP provides an overview of the requirements for the EM enterprise, addresses the required program management controls and roles and responsibilities that enable the program, and is approved by the EM Senior Advisor for the Office of Environmental Management.

PM-1, enh. 0, part b: Information Security Program Plan
   Requirement: The organization reviews the organization-wide information security program plan annually.
   EM Implementation: The RMAIP is reviewed annually by the EM HQ staff.

PM-1, enh. 0, part c: Information Security Program Plan
   Requirement: The organization revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.
   EM Implementation: EM HQ ensures that the RMAIP is updated per any organizational changes.

PM-2, enh. 0: Senior Information Security Officer
   Requirement: The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
   EM Implementation: EM HQ has a Cyber Security Program Manager (CSPM) for the enterprise. Each site has an appointed AODR for local cyber security responsibilities.

PM-3, enh. 0, part a: Information Security Resources
   Requirement: The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.
   EM Implementation: Capital Planning and Investment Control (CPIC) activities are coordinated at EM HQ among the respective groups responsible for resource identification.

PM-3, enh. 0, part b: Information Security Resources
   Requirement: The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.
   EM Implementation: The EM HQ CPIC/EA team has the responsibility of developing and maintaining cyber security Exhibit 53/300s.

PM-3, enh. 0, part c: Information Security Resources
   Requirement: The organization ensures that information security resources are available for expenditure as planned.
   EM Implementation: The EM HQ MIPP Team is established to provide additional security resources to EM sites. An annual budget is approved and available for expenditure as planned.

PM-4, enh. 0: Plan of Action and Milestones Process
   Requirement: The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.
   EM Implementation: EM has implemented RPM for enterprise consolidation of POA&Ms.

PM-5, enh. 0: Information System Inventory
   Requirement: The organization develops and maintains an inventory of its information systems.
   EM Implementation: System inventories are maintained locally at each site. In addition, Tenable Security System contains a central database for this information.

PM-6, enh. 0: Information Security Measures of Performance
   Requirement: The organization develops, monitors, and reports on the results of information security measures of performance.
   EM Implementation: Cyber security performance metrics are addressed for the enterprise in the RMAIP. An EM cyber dashboard has been developed for tracking security measures of performance. Sites have local performance metrics implemented.

PM-7, enh. 0: Enterprise Architecture
   Requirement: The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
   EM Implementation: The Enterprise Architecture is addressed through the EM HQ CPIC/EA team. Coordination occurs between the EM HQ cyber security team and the CPIC/EA team.

PM-8, enh. 0: Critical Infrastructure Plan
   Requirement: The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
   EM Implementation: It has been determined that EM has no critical infrastructure.

PM-9, enh. 0, part a: Risk Management Strategy
   Requirement: The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.
   EM Implementation: The RMAIP serves as the risk management strategy for the EM enterprise.

PM-9, enh. 0, part b: Risk Management Strategy
   Requirement: The organization implements that strategy consistently across the organization.
   EM Implementation: The RMAIP serves as the risk management strategy for the EM enterprise.

PM-10, enh. 0, part a: Security Authorization Process
   Requirement: The organization manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes.
   EM Implementation: The EM Continuous Monitoring Program serves as the primary component of the security authorization process.

PM-10, enh. 0, part b: Security Authorization Process
   Requirement: The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process.
   EM Implementation: EM HQ and each site have designated cyber security roles and responsibilities to facilitate the security authorization process.

PM-10, enh. 0, part c: Security Authorization Process
   Requirement: The organization fully integrates the security authorization processes into an organization-wide risk management program.
   EM Implementation: EM HQ has developed the RMAIP to integrate security authorization of systems into an enterprise risk management program.

PM-11, enh. 0, part a: Mission/Business Process Definition
   Requirement: The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.
   EM Implementation: Mission/business process definition is addressed through the RMAIP, and each site considers risk from a mission/business process perspective locally through risk assessments. Each site must conduct a Business Impact Assessment for its IT systems.

PM-11, enh. 0, part b: Mission/Business Process Definition
   Requirement: The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.
   EM Implementation: EM HQ has acquired a number of enterprise security solutions that are implemented at EM sites. This program procures solutions based upon threats to the EM mission and data security.
EM Central Repository, eGov Risk Portfolio Manager (eGov RPM)
EM sites are to use the EM central repository and eGov RPM for IT and cyber security documentation. The eGov RPM repository will serve as the "institutional memory" for EM sites and computer operational personnel, and will allow the CM team to assist the sites, make operational recommendations, and gather report data for DOE and OMB. EM sites must evaluate their documentation for needed changes as a result of a major change to the system or guidance, and enter these changes in eGov RPM at least annually.

The ISSM or ISSO is responsible for ensuring that eGov RPM documents are loaded and updated in a timely manner for each accreditation boundary. eGov RPM training will be provided by the CM team personnel at the request of each site or as required.

eGov RPM must be used by the CM team to provide preliminary security status information prior to an on-site assessment. It is important that this documentation be up to date to shorten the on-site assessment time, reduce the impact on IT personnel, and support accurate reporting.

All sites must use eGov RPM to create their SSPs and upload the appropriate accreditation boundary certification and Contingency Plan (CP), Incident Response Plan (IRP), Configuration Management Plan (CMP), other audit artifacts, and training documentation into the EM eGov RPM central repository. This must be accomplished at least annually, after review and upon updating or modification of the boundary or system documentation.
EM CM Team Responsibilities for Working with EM Sites
The EM CM effort is viewed as a partnership among the EM CSPM, EM federal sites, and EM contractors. Each of these groups has specific tasks that must be accomplished under an effective CM process.

As part of the CM process, site assessment and assistance visits must be conducted annually by an independent party for each approved boundary. In the past, IT systems/boundaries underwent certification testing, security assessment review and, if approved, accreditation. Under NIST SP 800-37 guidance, C&A is no longer used for existing systems; the current requirement is for an ATO to be issued by the AO as a result of CM requirements. Unless a new system is developed or major changes/modifications occur, as determined by the AO, an ST&E will no longer be performed every three years. Based on this change in philosophy and the emphasis on CM, the EM process will migrate to a dependence on site assessment visits. Based on the assessment outcome, which will consist of several CM activities, the AO may be advised to renew or re-authorize the system/boundary. For these reasons the HQ EM CSPM will have input to fee determination.
The EM CM team will assist with the CM effort from an enterprise perspective. The CM team will support the sites by constant review and update of documentation throughout the life-cycle of the system and then concentrate its efforts on identifying weaknesses and corrective actions. The CM team members will continue to assist in fixing documentation as required and in offering solutions that are acceptable for the mitigation of discovered weaknesses. The EM CM team will provide an independent, annual continuous monitoring assessment at each site. These on-site assessments will evaluate one-third of the site's NIST mission-adjusted minimum security controls each year for acceptable levels of residual risk, in such a manner that, at a minimum, all security controls are reviewed/tested every three years. After the CM assessment, the CM team will produce a CM Security Assessment Report for the AO with a recommendation for reauthorization status.
The CM team will lead and facilitate the testing of plans (e.g., contingency, incident response) and assist in the validation of POA&M actions in order to verify and close the POA&M item. Leveraging the vulnerability management tool deployment for risk-based auditing against the functional baseline configurations of the sites will allow EM to report near real-time risk management conformance in response to requests for information from, for example, the DOE Office of the Chief Information Officer or OMB. The CM team has developed the policy control statements for all the NIST families (e.g., AC-1, AT-1). The sites may use these policy statements to answer the family policy controls. Based on the cooperation of the contractor during these assessments, the EM CSPM will have the ability to give input to fee determination and negatively (or positively) impact fee, if warranted.
EM Sites Continuous Monitoring Responsibilities
EM sites are responsible for moving from a three-year C&A posture to a CM process within 60 days of incorporation within a contract. Sites are to continually update their cyber security programs based on NIST SP 800-37. Moving to a more robust CM process will reduce the cost of ATO, produce better cyber security, increase productivity, and render IT services more effective.

All EM government-owned and government-owned contractor-operated systems experience frequent changes, whether to the hardware, software, organizational environments, operational procedures/requirements, or changes in threat levels/risk assessment levels. Government- and contractor-operated systems must be able to respond to these daily, near real-time emerging threats and continuous changes to their information systems by using CM.

Site infrastructures are susceptible to both accidental and malicious changes that can cause a system to become vulnerable. CM can thwart many attacks, limit the rapid and deep penetration into a network that sophisticated attacks are capable of, and detect vulnerabilities introduced into the infrastructure via changes or technological evolution before they are actively exploited.
In today's near real-time attack environment of sophisticated hackers, not all attacks can be successfully prevented. Emphasis is now being placed on protection through the implementation of more robust security controls and on continuously monitoring the operation of security controls to provide early detection, containment, and successful eradication of any intrusion or successful attack.

All EM sites must use the latest version of NIST Security Controls (see Appendix A, NIST SP 800-53 Rev 4, Security Controls and Guidance, for the current version). Appendix B, NSS Security Controls, is to be used in performing CM evaluations on NSS. Appendices A and B provide EM supplemental guidance for each control with examples of what controls a site may choose to adopt. eGov RPM contains the new controls and will automatically select the baseline control suite for tailoring based on the categorization process in eGov RPM.
EM sites are responsible for the following tasks included within CM:
1. Instituting a CM plan that will permit an annual reauthorization to operate by theAO of the site’s accreditation boundaries based on the CM of the mission-adjusted minimum baseline security controls and the controls’ effectiveness toaddress evolving threats and attacks.
2. Coordinating with the EM CSPM to determine the appropriate mission-adjustedminimum security controls baseline and the accreditation boundary’s acceptablelevel of risk.
3. Assisting the CM assessment team in its annual assessment of the system’smission-adjusted minimum security controls.
4. Coordinating and fully participating in annual EM CM team site assistance visitsand all activities that are associated with the CM visit.
5. Performing an Organization Impact Analysis/BIA review and updating itannually.
6. Maintaining an up-to-date mission-adjusted minimum controls security baselineconfiguration for all major components within the accreditation boundary (e.g.,personal computers, servers, firewalls, intrusion detection systems). All thesebaselines must meet the NIST guidelines for such equipment. The EMVulnerability Management tool must be used to test the equipment forconformance.
7. Performing CM on the remaining mission-adjusted minimum security controlsbaseline not tested by the EM CM Team or other independent assessors.
8. Proactively adjusting, modifying, or implementing additional security controls toallow the system to remain at the same level of risk as when it was last authorizedand updating the SSP accordingly.
9. Recording CM assessment-discovered weaknesses that require further correctiveactions, as determined by the AO. These must be recorded as site, system, orprogram POA&Ms with corrective measures/timeline identified. Correctiveactions, if accomplished in 90 days or less, can be tracked by the site; actions thattake more than 90 days to complete must establish a POA&M.
10. Updating all CM assessments, POA&M information, SSP, CP, IR, and other security documents as changes to the CM process are performed and entered into eGov RPM by the ISSO (or his/her designee).
11. Preparing a quarterly report (by the ISSM or ISSO) for the AO or AODR on the security controls status effectiveness. This report must include any new proposed POA&M items or major changes/modifications within the accreditation boundary. This should be a high-level report and should not be more than three pages.
12. Forwarding (by the AODR) a copy of the ATO to the EM CSPM after the authorization decision is reached.
13. Reviewing, analyzing, testing, and approving all configuration changes through a configuration control board; these configuration management program activities must be performed by the sites. All these changes must be analyzed and tested for security impact. These approved changes must be made to mission-adjusted minimum security controls and the baseline configuration documentation must be updated.
14. Mitigating phishing attacks, which continue to be the most effective means for an intruder to gain a foothold into an IT system. EM sites must take actions to mitigate phishing attacks and to strengthen the weak link—the user—through continuous training. Conducting annual training is no longer sufficient to effectively combat phishing attacks. The EM Phishing server is available and must be used on a regular basis to conduct phishing exercises on a site’s user base. Measurement of effectiveness will then be available via the statistics captured by the server and made available to the site.
15. Providing incident response training and testing annually for both users and system security personnel.
16. Identifying, mitigating, categorizing, and reporting all cyber security incidents involving federal information or federal information systems, including privacy breaches, under DOE or DOE contractor control, to the DOE JC3, in accordance with JC3 procedures and guidance.
17. Reporting cyber security incidents involving national security information systems to JC3, in accordance with the requirements in DOE M 470.4B, Chg. 2, Safeguards and Security Program.
18. Testing all accreditation boundaries with a contingency plan annually, at a minimum.
19. Developing the contractual fee determination metrics (by the site’s CO) set forth in Appendix D, and ensuring these metrics are used as a guide to develop site-specific metrics to affect fee in all EM site management and operating (M&O), service, and subcontractor contracts.
20. Addressing program management (PM)-6, -8, and -11 controls in the SSP.
21. Ensuring and monitoring contractor implementation of cyber security requirements as directed in the Contractors’ Requirements Document (CRD) of DOE Cyber Security Management Order, DOE O 205.1B, Chg. 2. This must be accomplished by the Program/Site Offices in conjunction with the COs.
22. Signing the ATO by the AO. At the end of the CM year the accumulation of scan results, verified data documents, updated RA, and POA&Ms will allow the AO to make a risk-based decision on the system’s annual authorization to operate. The CM year begins the day the ATO is signed.
Inherited Control Guidance
EM sites may elect to employ a set of security controls that can be inherited by other systems. The approved and tested inherited controls will be documented in the SSP of the system inheriting the controls. The AO and AODR must approve the inheritable controls selection. The inherited controls may be inherited from any accreditation boundary within the site. If a common controls implementation strategy is utilized, the common controls must undergo an independent assessment and be authorized by the AO. Inheritable controls are subject to independent assessment, authorization, and CM as outlined in NIST SP 800-37. Inheritable controls are also subject to the “Ongoing Authorization” and “Continuous Monitoring Principles and Procedures” discussed above.
AO’s Annual Reauthorization Responsibilities
Under OMB Circular A-130, Appendix III, Federal Information Systems must (1) obtain an ATO in writing and (2) be reauthorized on a CM basis of security controls, based on the effectiveness of CM efforts.
The AO for a system/accreditation boundary reviews a system’s CM package to make a risk-based decision on the reauthorization of the system. This CM package includes, at a minimum:
- A BIA
- An RA
- A SSP
- The CM team’s Security Status Assessment Report
- The Site’s CM scan results
- Incident response logs, intrusions, successful attacks or evolving threats, as appropriate; and
- Quarterly AO security briefings by ISSM/ISSO.
National Security Systems
EM NSS will be guided by these key CNSS documents/instructions:
- CNSS 42
- CNSS 26
- CNSSI-1253
- CNSSI-1199
EM’s NSS tend to be either networked or stand-alone configurations. The stand-alone systems are eligible for “type” certifications. The type authorization is used when systems have the same configurations in hardware, software, and applications. In this instance, a few systems may be tested at random to determine the reauthorization of all systems of that type. If sites have networked systems and these have the same hardware, software, and application configurations, then these systems may also use type certification.
NSS boundaries must use the template in Appendix B – NSS Security Controls to perform CM. These controls conform to the CNSS 1253 requirements. Appendix B identifies the baseline security controls for NSS systems based on characterization. The controls are designated as either stand-alone or networked. This baseline can be tailored based on the site’s risk profile. Values assigned to controls within CNSS 1253 may also be tailored based on the site’s risk profile. Any tailoring must be approved by the AO through the signing of the security plan and by issuing an ATO. Sites should make every attempt to adopt the CNSS 1253 values, if at all possible, and especially if they intend to interconnect to other NSS.
All NSS EM CM team assessments will result in a General Status Assessment Report that will be put into eGov RPM, but without any POA&M results. All POA&M results must be stored on the NSS and available only to cleared and qualified personnel. All site-level CM scans must also be stored on the NSS and available only to cleared and qualified personnel.
All NSS systems must use diskless technology, or lock the central processing unit (CPU) and storage media in a manner that prevents users from having physical access to either, and to prevent physical access to universal serial bus (USB) ports. The exception may be a stand-alone workstation where these requirements may not be cost effective. In this case a waiver must be requested from and be approved by the EM HQ CSPM. All systems must use port locking software to manage access to USB ports to only authorized connections and the BIOS must be set to only boot from the C drive; any exceptions must be documented in the SSP.
Federal Information Systems Management Act of 2002
FISMA reports must be submitted to the OCIO on a quarterly basis. In this regard, EM HQ will issue data calls to sites for information for quarterly reports as well as to obtain information for other reports. Sites need to ensure that information is provided on a timely basis so that all due dates can be met. EM intends to use enterprise-deployed tools to respond to FISMA reporting requirements. When possible, data contained in the EM central repository will be used to respond to the Department of Homeland Security (DHS). If data is lacking, then a data call will be conducted.
Incident Response
The near-real-time CM requirements will provide rapid detection and analysis of unauthorized actions and lead to more effective incident response practices and procedures. NIST SP 800-61, Computer Security Incident Response Guide, requires EM sites to provide a structured and documented approach to the following minimum incident types:
- Denial of Service
- Malicious code
- Root Compromise
- User Compromise
- Unauthorized access
- Inappropriate usage
- Multiple components
- Release of personally identifiable information (PII) in the public domain
- Observed activity that may result in future intrusions and appears to be of a reconnaissance nature, out of the ordinary
EM HQ Mission Information Protection Program (MIPP) Support and Participation
The EM HQ MIPP team is dedicated to the continuous improvement of information assurance and cyber security throughout the DOE EM organization. The team uses the latest methodologies in analytics and monitoring; deploys state-of-the-art cyber security technology to analyze and defend against attacks; provides oversight and assessments of EM sites’ cyber security programs; and further enhances the MIPP security through site assistance, education, and training. The EM HQ MIPP team also assists EM sites in maturing their cyber security programs by providing guidance, expertise, enterprise solutions, and leadership in safeguarding MIPP information and assets.
From an EM enterprise perspective, a critical metric to monitor is the time taken to patch a critical vulnerability. Critical vulnerabilities exist in operating systems and in applications, which are often overlooked. Benchmarking this process would be beneficial in determining risk throughout the enterprise. Deploying necessary patches is still one of the most effective means of protection for a system. While patching does not make systems impervious to attack, it raises the bar, making attacks more difficult and easier to detect as a result. The MIPP team will monitor the progress each site makes in patching critical vulnerabilities and assist when necessary.
As part of the CM strategy for the EM enterprise, the MIPP team will facilitate the sharing of information among EM sites and provide a means of central analysis for the detection of malicious activity in a near-real-time mode utilizing the enterprise full-packet capture capability to perform analysis for known perpetrators and undiscovered perpetrators. In addition, using benchmarking and monitoring metrics created based on the use of the Headquarters Security System (HQSS) tool suite, MIPP team members will be able to assist sites in mitigating vulnerabilities that are discovered. The CM team will ensure that a consistent level of security is maintained throughout EM.
EM has deployed a full-packet analysis capability at most of its sites. This capability is an invaluable asset to the CM process and provides an ability to determine malicious vs. suspicious activity in near real-time. Based on evolving known threats, EM has the capability to determine if the known threats are active within the enterprise. EM sites have the capability to identify co-opted systems and complete an accurate damage assessment. This capability will continue to be enhanced as new technology enables EM to detect and identify malicious activity. Daily analysis will be conducted, based on indicators from various sources, in an effort to detect and determine malicious activity. The MIPP team will look for ways to use this capability to enhance the CM process. In addition to known threats, analysis will be performed using heuristic tools to detect malicious activity that is yet unknown to the cyber security community, providing EM with a more proactive approach to provide new intelligence to the enterprise. Site personnel have the ability to use this tool in conducting local investigations, which are either specific to the site or due to malicious outsider activity.
CM requires the collaboration among program, Departmental, and outside entities (e.g., SANS, Carnegie Mellon CIRT, etc.) concerning security incidents. The sharing of incident data is a valuable tool for the prevention of successful attacks to a system. Only through the real-time sharing of attack information can one expect to find an attack in progress or to prevent a similar attack from happening. As the threat evolves, having actionable information concerning the threat allows the threat to be mitigated and if successful, contained and eradicated. If users don’t know how the malware operates, it is impossible to protect, contain, or eradicate. The real time sharing of information is the early warning of a serious threat. With this information, it is possible to plot the propagation of many attacks on a worldwide scale. One can see the rate of propagation, success rate, and therefore understand the critical window available for mitigation in order to prevent a successful attack. The MIPP team will monitor intrusion sets based on information streams made available from this collaborative effort and will share information gained within EM.
Sites are responsible to confirm and report all intrusions, intrusion attempts, suspicious activity, and incidents to JC3. The MIPP team can assist in detection, but only sites can validate, contain, and eradicate an intrusion. Intrusions are going to occur, 100% prevention is not possible, so reporting of incident information in a timely manner is invaluable.
Contingency Planning
Each EM site is responsible for planning, documenting procedures, and then conducting an annual IT contingency exercise. These exercises should include realistic scenarios found in past or anticipated system malfunctions.
Individual sites must conduct a BIA to determine the maximum tolerable downtime (MTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO). This exercise must include the site’s senior managers (contractor and federal), functioning area PM, business leads, and other stakeholders to ensure that realistic MTD, RTO, RPO and system restoration priority meet the mission’s MTD requirements. The BIA must be reviewed and updated annually to ensure it meets mission, security and/or regulatory requirements. The BIA is an exercise performed by the business line to determine the impact of a network failure to the business and site mission. IT staff cannot make these assessments, although they can play a support role to determine restoration priorities and solutions to meet these priorities.
The RE, AODR, and site program managers must jointly agree on changes and levels in the BIA.
Contractor Requirements, System Acquisition and Services
Site Managers must ensure that Contracting Officers are instructed to incorporate this RMAIP into site/facility management contracts and service contracts, as appropriate.
A site Contracting Officer must implement, verify and monitor the EM RMAIP cyber security clauses within their contract vehicles/documents (see Appendix D – EM Contractor Requirements).
All hardware and software procured to support the EM cyber security requirements must comply with all federal statutes, policy, presidential directives and other guidance.
- Application software purchased for significant deployment must be HSPD-12 compliant and must be able to operate in conformance with NIST 800-53 (as modified) that govern the secure operation of applications (e.g., the application must time out after a designated time of inactivity).
- All hardware purchased must be capable of IPv6, including diagnostic tools purchased for current and future use.
- ENERGY STAR® equipment must be procured and green IT solutions must be considered for future deployments (e.g., thin client, VMware, cloud technology, hot and cold lane configurations in server rooms).
Supply Chain Risk Management
When purchasing software and hardware for deployment in government-owned systems and systems that will be processing government data, supply chain should be managed based on risk. Sites must consider supply chain risks when purchasing components used in NSS and any unclassified systems categorized as High Impact, in accordance with FIPS 199. Supply chain risk management must be considered when procuring IT. When software and hardware is purchased for deployment in NSS, consideration should be given as to whether the supplier should be made aware of the intended implementation. Sites should update their awareness training to cover supply chain concerns.
Not all IT parts and components are manufactured within the United States, and the origin is difficult to determine. For this reason, sites must perform a criticality analysis, used in conjunction with the site’s BIA, to determine a priority for supply chain concerns. A threat and risk assessment must be conducted and the country of origin must be considered when purchases are made. Products should be evaluated for supply chain concerns and operations security (OPSEC) mitigation methodologies should be used based on the evaluation and determined need.
Large sites have the ability to discuss supply chain issues with their site counterintelligence (CI) contact and should check with their CI contact prior to any major purchase. Smaller sites that do not have a CI contact may use the EM MIPP team for advice on purchases and supply chain concerns. The MIPP team has access to CI information and can supply information that can be used in the threat and risk assessment.
DOE’s Enhanced Cyber Security Services (DEX)
All EM sites are to participate in the DEX program. The EM CSPM will determine if participation is not justified and in the best interest of the government on a case-by-case basis.
Mobile Device Guidelines for Foreign Travel
All EM-owned data stored on laptops must be encrypted while at rest and in transit with FIPS 140-2 certified encryption modules. Mobile devices and removable media must be protected in accordance with site procedures.
Use of all mobile devices is subject to the Department’s Safe Passage Program, or similar program.
All mobile devices must be sanitized of data and restored to the mission-adjusted minimum security baselines upon return from foreign travel. This must be accomplished prior to connecting the device to or accessing DOE networks.
Foreign Nationals
The ISSM must implement site-level procedures to comply with DOE Order 142.3A Unclassified Foreign Visits and Assignments Program, October 14, 2010.
Foreign nationals must not be assigned or granted system administrator privileges on EM systems. Foreign nationals will be granted access to systems only on a need to know or job function basis. The EM CSPM can be requested to grant an exception to this requirement in situations of operational necessity. DOE Order 142.3A requires a security plan for the visit/assignment and IT security must be a component addressed in the plan.
HSPD-12 Requirements and Projected Milestones
All EM sites must comply with HSPD-12 requirements and OMB memorandum (M11-11) by instituting the following:
- All new systems under development must be enabled to use personal identity verification (PIV) credentials in accordance with DOE O 206.2 Identity, Credential, and Access Management, and NIST SP 800-76, Biometric Data Specifications for Personal Identity Verification guidance, prior to their authorization to operate by the AO.
- All existing physical and unclassified logical access control systems must use PIV credentials for authorization. This must be accomplished prior to the sites using development or technology refresh funds to complete other activities.
- All procurement of services and products for facility or system access controls must be consistent with HSPD-12 and the Federal Acquisition Regulation.
- OMB memorandum 06-18 (Acquisition of Products or Services for Implementation of HSPD-12) requires that organizations acquire products and services that are compliant with federal policy and standards, and support technical specifications.
- Organizations must accept electronically-verified PIV credentials issued by other agencies or organizations.
- All authentications to EM IT systems must be accomplished using two factors by May 31, 2014. Authentication by user ID and password is no longer allowed after this date.
- EM sites and HQ must develop a plan for PIV that meets the content found in the Federal CIO Council’s “Federal Identity, Credential and Access Roadmap and Implementation Guidance” (www.idmanagement.gov).
IPv6 Requirements and Projected Milestones
EM sites and HQ were instructed to commence the development of a plan to upgrade public and external facing servers/services (this includes web, email, domain name system (DNS), Internet service provider (ISP) services and other external-facing services) to operationally meet IPv6 by the end of fiscal year (FY) 2012. In addition, sites and HQ need to upgrade client applications that communicate with public Internet servers and supporting networks to operationally use native IPv6 by the end of FY 2014. All EM sites need to ensure that procurement of networked IT equipment meets the requirements set forth in the USGv6 Profile and Test Program for completeness and quality of IPv6 capabilities.
It is also recommended that sites appoint an IPv6 Transition Manager to serve as the person responsible for planning and leading the implementation and testing of IPv6 criteria to meet the stated milestones.
Domain Name System Security Extensions (DNSSEC)
The original design of the DNS did not include security or protection mechanisms; instead it was designed to be a scalable distributed system. DNSSEC attempts to add security features while maintaining backwards compatibility.
It is strongly recommended that sites implement the DNSSEC, NIST SP 800-71 for securing certain kinds of information provided by the DNS as used on IP networks. DNSSEC is a set of extensions to DNS that provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence and data integrity, but not availability or confidentiality.
Industrial Control Systems
All EM sites that utilize Industrial Control Systems (ICS) must use NIST 800-37, NIST 800-53, and NIST 800-82 as guidelines for evaluating ICS systems. The EM CM team, in accordance with the principles outlined in NIST 800-82, must evaluate sites that possess ICS. ICS are considered IT systems and require ATO and are held to the same rules as information processing systems. ICS systems control processes and therefore require scheduling around those processes to be able to accomplish many of the procedures required by security controls. As a result, ICS controls must be tailored accordingly; for example, group authenticators, less frequent patch cycles, and not requiring screen timeouts are acceptable implementations.
Wireless Information Systems
Wireless devices, services, and technologies that are integrated or connected to EM networks are considered part of those networks and must comply with all DOE requirements (e.g., password management, auditing, and cryptography). Wireless devices must use the “safe harbor” principles, U.S. Department of Commerce, July 21, 2000, for protection. Wireless networks and devices must obtain an initial authorization and then undergo CM procedures. A wireless intrusion detection system (WIDS) must be deployed to monitor the wireless environment. The WIDS must monitor the entire bandwidth used by 802.11 technologies. To consistently and confidently monitor signals, the system must monitor the complete industrial, scientific, and medical (ISM) bands used for the Institute of Electrical and Electronics Engineers (IEEE) 802.11, including 2.4 GHz and 5 GHz. Security firmware updates and patches to wireless hardware and software components must be tested and deployed in accordance with configuration management procedures.
Controlled Unclassified Information (CUI) Protection
CUI consists of information that may be exempt from public release (Official Use Only (including PII), Unclassified Controlled Nuclear Information (UCNI)). CUI should be protected while stored at rest and during transmission. FIPS 140-2 approved encryption must be used for the transmission of this type of information. Entrust is available for transmission within the DOE complex. Information at rest must also be protected. Encryption is cost prohibitive and products are not currently available to enable data at rest to be easily encrypted and managed. Currently most systems use physical protections and network segmentation and restricted access to protect this type of information. Backups of CUI must be encrypted unless solutions such as a mirrored disk are used. As technology advances, encryption at rest will eventually become feasible and affordable and should be considered. Until then, EM sites are to take special steps to protect SUI and to encrypt at rest with available solutions wherever possible. EM sites are also required to develop a protection plan for CUI and update that plan annually as technology advances and move to encryption at rest as soon as feasible. Sites must document a business justification for the collection and use of PII for each application that requires that PII be processed on a system. PII must be collected and processed in accordance with applicable laws, regulations and DOE policy. Sites should reduce the use of PII as much as practical.
Appendix A – NIST SP 800-53 Rev 4 Security Controls and Guidance
This table is a guide for tailoring and implementing the 800-53 Security Controls. The table has values/lists that the EM CSPM recommends be implemented by EM sites where NIST has identified Control Requirements [Organizationally defined values/lists]. Supplemental guidance is provided only for controls that historically have been difficult to define and for which it is difficult to determine appropriate mitigation action. The table is to be used as a baseline and guide when determining site values/lists in accordance with mission needs where NIST notes {organization-defined} and is not meant to be totally implemented as written. Contracting Officers are not to require that a contractor implement each and every control listed in this table.
Cntl. # | Enhancement # | Part # | Control Name | NIST Control Requirements | Recommended organizationally defined values | EM Supplemental Guidance
AC-1 | 0 | a.1 | Access Control Policy and Procedures | The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and | Security Staff and Administrative Staff |
AC-1 | 0 | a.2 | Access Control Policy and Procedures | The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the access control policy and associated access controls; and | Security Staff and Administrative Staff |
AC-1 | 0 | b.1 | Access Control Policy and Procedures | The organization: Reviews and updates the current: Access control policy [Assignment: organization-defined frequency]; and | Annually or any time there is a major change |
AC-1 | 0 | b.2 | Access Control Policy and Procedures | The organization: Reviews and updates the current: Access control procedures [Assignment: organization-defined frequency]. | Annually or any time there is a major change |
AC-2 | 0 | a | Account Management | The organization Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; | |
AC-2 | 0 | b | Account Management | The organization Assigns account managers for information system accounts; | |
AC-2 | 0 | c | Account Management | The organization Establishes conditions for group and role membership; | |
AC-2 | 0 | d | Account Management | The organization Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; | |
AC-2 | 0 | e | Account Management | The organization Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; | |
AC-2 | 0 | f | Account Management | The organization Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; | |
AC-2 | 0 | g | Account Management | The organization Monitors the use of information system accounts; | |
AC-2 | 0 | h.1 | Account Management | The organization Notifies account managers when accounts are no longer required; | |
AC-2 | 0 | h.2 | Account Management | The organization Notifies account managers When users are terminated or transferred; and | |
AC-2 | 0 | h.3 | Account Management | The organization Notifies account managers When individual information system usage or need-to-know changes; | |
AC-2 | 0 | i.1 | Account Management | The organization authorizes access to the information system based on a valid access authorization; | |
AC-2 | 0 | i.2 | Account Management | The organization authorizes access to the information system based on Intended system usage; and | |
AC-2 | 0 | i.3 | Account Management | The organization authorizes access to the information system based on Other attributes as required by the organization or associated missions/business functions; | |
AC-2 | 0 | j | Account Management | Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and | Every 90 days |
AC-2 | 0 | k | Account Management | Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. | |
AC-2 | 1 | | Account Management - Automated System Account Management | The organization employs automated mechanisms to support the management of information system accounts. | |
AC-2 | 2 | | Account Management - Removal of Temporary/Emergency Accounts | The information system automatically [Selection: removes; disables] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. | Disabled immediately at the conclusion of the activity that required the account but not longer than after 30 days |
AC-2 | 3 | | Account Management - Disable Inactive Accounts | The information system automatically disables inactive accounts after [Assignment: organization defined time period]. | Immediately at the conclusion of the activity that required the account and not longer than after 30 days |
AC-2 | 4 | | Account Management - Automated Audit Actions | The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [Assignment: organization-defined personnel or roles]. | |
AC-3 | 0 | | Access Enforcement | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | |
AC-4 0  Information Flow Enforcement
    Requirement: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
    EM supplemental guidance: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. A few examples of flow control restrictions include: keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, and not passing any web requests to the Internet that are not from the internal web proxy. Information flow control policies and enforcement mechanisms are commonly employed by organizations to control the flow of information between designated sources and destinations (e.g., networks, individuals, devices) within information systems and between interconnected systems.
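The three example restrictions in the AC-4 guidance can be expressed as a small flow policy. The following is an added illustration written for this page, not code from the RMAIP or from DOE: it evaluates constructed flow descriptors against the anti-spoofing rule, the proxy-only web egress rule, and the export-controlled-in-the-clear rule. The address ranges, the proxy address, the Flow fields, the label name and the sample flows are all assumptions.

```python
"""Flow-control policy evaluator for the three AC-4 example restrictions
(added illustration, not part of the RMAIP).

  1. traffic arriving on the Internet-facing interface with an internal source
     address is dropped (it 'claims to be from within the organization');
  2. web requests to the Internet are accepted only from the internal web proxy;
  3. export-controlled information may go to the Internet only over an
     encrypted session (never 'in the clear').

The address ranges, the proxy address, the Flow fields, the label name and
the sample flows are assumptions made for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WEB_PROXY = ipaddress.ip_address("10.0.1.80")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ingress: str             # interface the packet arrived on: "ext" or "int"
    label: str = "public"    # data label travelling with the flow
    encrypted: bool = False  # True when the session is protected (e.g. TLS or VPN)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(f: Flow) -> str:
    """Return 'allow' or 'deny:<rule>'. No user identity is consulted: flow
    control decides where information may travel, not who may access it."""
    # Rule 1: anti-spoofing on the external interface.
    if f.ingress == "ext" and is_internal(f.src):
        return "deny:spoofed-internal-source"
    leaving = is_internal(f.src) and not is_internal(f.dst)
    # Rule 2: only the proxy originates web traffic to the Internet.
    if leaving and f.dport in WEB_PORTS and ipaddress.ip_address(f.src) != WEB_PROXY:
        return "deny:web-egress-not-via-proxy"
    # Rule 3: export-controlled data never leaves unencrypted.
    if leaving and f.label == "export_controlled" and not f.encrypted:
        return "deny:export-controlled-in-clear"
    return "allow"


SAMPLE_FLOWS: List[Flow] = [                                   # constructed sample
    Flow("192.168.5.5", "10.0.0.9", 22, "ext"),                # outside packet claiming an inside source
    Flow("10.0.2.15", "203.0.113.10", 443, "int"),             # workstation going to the web directly
    Flow("10.0.1.80", "203.0.113.10", 443, "int"),             # the proxy doing the same
    Flow("10.0.1.80", "203.0.113.10", 80, "int", "export_controlled", False),  # proxy, but in the clear
    Flow("10.0.3.3", "198.51.100.7", 25, "int", "export_controlled", True),   # encrypted, non-web
    Flow("10.0.3.3", "10.0.4.4", 80, "int"),                   # internal web, rule 2 does not apply
]


def evaluate_all(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[Flow, str]]:
    """Evaluate every flow and pair it with its verdict."""
    return [(f, evaluate(f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict in evaluate_all():
        print(f"{flow.src:>14} -> {flow.dst:<14} :{flow.dport:<4} {verdict}")
```

Rule order matters: the anti-spoofing check runs first so that a forged internal source address can never satisfy the proxy test in rule 2.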
AC-5 0 a  Separation of Duties
    Requirement: The organization separates [Assignment: organization-defined duties of individuals];
    EM supplemental guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.
AC-5 0 b  Separation of Duties
    Requirement: The organization documents separation of duties of individuals; and
AC-5 0 c  Separation of Duties
    Requirement: The organization defines information system access authorizations to support separation of duties.
AC-6 0  Least Privilege
    Requirement: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
    Recommended value: System admin (root); System admin (limited); Network admin (firewalls, routers, etc.); Security admin (monitoring tools); Physical access admin (NSS); Removable media admin (NSS)
    EM supplemental guidance: One or two individuals should not be able to have logical or physical access to key system components such that their actions would be undetectable by others.
AC-6 1  Least Privilege
    Requirement: The organization explicitly authorizes access to [Assignment: organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information].
    Recommended value: Security functions: (a) access to any security-related device configuration options; or (b) configuration items set and controlled by network or system defined criteria
AC-6 2  Least Privilege
    Requirement: The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined security functions or security-relevant information], use non-privileged accounts or roles when accessing non-security functions.
    Recommended value: Security functions: (a) access to any security-related device configuration options; or (b) configuration items set and controlled by network or system defined criteria
AC-6 5  Least Privilege
    Requirement: The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles].
AC-6 9  Least Privilege
    Requirement: The information system audits the execution of privileged functions.
AC-6 10  Least Privilege
    Requirement: The information system prevents non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
AC-7 0 a  Unsuccessful Login Attempts
    Requirement: The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
    Recommended value: 3 attempts & 1 hour
AC-7 0 b  Unsuccessful Login Attempts
    Requirement: The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
    Recommended value: Until released by an administrator
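The AC-2(2), AC-2(3) and AC-7 rows above fix concrete values (30-day disablement of temporary, emergency and inactive accounts; 3 consecutive invalid attempts within 1 hour; lock held until an administrator releases it). The following is an added illustration written for this page, not code from the RMAIP or from DOE, showing those values applied to an in-memory account model. The Account class, the function names, the `now` argument and the sample timestamps are assumptions; the window logic also shows the edge case the values imply, namely that three failures spread over more than an hour do not lock the account.

```python
"""Account-state checks for AC-2(2), AC-2(3) and AC-7 (added illustration,
not part of the RMAIP).

Organizationally defined values from the table above:
  AC-2(2): temporary/emergency accounts are disabled when the activity that
           required them ends, and in any case within 30 days;
  AC-2(3): accounts unused for 30 days are disabled;
  AC-7:    3 consecutive invalid logon attempts within 1 hour lock the account
           until an administrator releases it.
The Account class, the function names, the 'now' argument and the sample
timestamps are assumptions made for this illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

MAX_ATTEMPTS = 3                         # AC-7 a: organization-defined number
ATTEMPT_WINDOW = timedelta(hours=1)      # AC-7 a: organization-defined time period
INACTIVITY_LIMIT = timedelta(days=30)    # AC-2(3)
TEMP_ACCOUNT_LIMIT = timedelta(days=30)  # AC-2(2)


@dataclass
class Account:
    name: str
    kind: str                 # "standard", "temporary" or "emergency"
    created: datetime
    last_used: datetime
    enabled: bool = True
    locked: bool = False
    failures: List[datetime] = field(default_factory=list)  # consecutive failed attempts


def record_logon(acct: Account, success: bool, now: datetime) -> str:
    """Apply AC-7 to one logon attempt and return the resulting state."""
    if not acct.enabled:
        return "disabled"
    if acct.locked:
        return "locked"            # a correct password does not help (AC-7 b)
    if success:
        acct.failures.clear()      # a success breaks the 'consecutive' run
        acct.last_used = now
        return "ok"
    # drop failures that fell outside the 1-hour window, then count this one
    acct.failures = [t for t in acct.failures if now - t < ATTEMPT_WINDOW]
    acct.failures.append(now)
    if len(acct.failures) >= MAX_ATTEMPTS:
        acct.locked = True         # held until admin_unlock(), never auto-released
        return "locked"
    return "failed"


def admin_unlock(acct: Account) -> None:
    """AC-7 b: release of the lock is an administrator action."""
    acct.locked = False
    acct.failures.clear()


def expire_accounts(accounts: List[Account], now: datetime, finished: Set[str]) -> List[str]:
    """AC-2(2)/(3): disable temporary, emergency and inactive accounts.

    `finished` holds the names of temporary/emergency accounts whose activity
    has concluded. Returns the names disabled in this pass."""
    disabled = []
    for a in accounts:
        if not a.enabled:
            continue
        is_temp = a.kind in ("temporary", "emergency")
        if is_temp and (a.name in finished or now - a.created >= TEMP_ACCOUNT_LIMIT):
            a.enabled = False
        elif now - a.last_used >= INACTIVITY_LIMIT:
            a.enabled = False
        if not a.enabled:
            disabled.append(a.name)
    return disabled


def demo() -> Dict[str, object]:
    """Constructed scenario; returns what each rule produced."""
    t0 = datetime(2014, 2, 3, 9, 0)
    alice = Account("alice", "standard", created=t0 - timedelta(days=400), last_used=t0)
    burst = [record_logon(alice, False, t0 + timedelta(minutes=m)) for m in (0, 10, 20)]
    while_locked = record_logon(alice, True, t0 + timedelta(minutes=30))
    admin_unlock(alice)
    after_unlock = record_logon(alice, True, t0 + timedelta(minutes=31))

    bob = Account("bob", "standard", created=t0, last_used=t0)
    spread = [record_logon(bob, False, t0 + timedelta(minutes=m)) for m in (0, 40, 70)]

    now = t0 + timedelta(days=31)
    accounts = [
        alice,                                                                   # unused for 31 days
        Account("resp-1", "emergency", created=t0, last_used=now),               # activity finished
        Account("tmp-2", "temporary", created=t0 - timedelta(days=5), last_used=now),  # 36 days old
        Account("carol", "standard", created=t0, last_used=now - timedelta(days=2)),   # stays enabled
    ]
    expired = expire_accounts(accounts, now, finished={"resp-1"})
    return {"burst": burst, "while_locked": while_locked, "after_unlock": after_unlock,
            "spread": spread, "expired": expired}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the lock is released only through `admin_unlock()`, a correct password presented while locked still returns "locked", which is the behaviour the selected AC-7 b value requires.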
AC-8 0 a 1  System Use Notification
    Requirement: The information system displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: users are accessing a U.S. Government information system;
AC-8 0 a 2  System Use Notification
    Requirement: (the banner described in AC-8 a 1) states that: information system usage may be monitored, recorded, and subject to audit;
    Recommended value: DOE approved banner
AC-8 0 a 3  System Use Notification
    Requirement: (the banner described in AC-8 a 1) states that: unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
AC-8 0 a 4  System Use Notification
    Requirement: (the banner described in AC-8 a 1) states that: use of the information system indicates consent to monitoring and recording;
AC-8 0 b  System Use Notification
    Requirement: The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
AC-8 0 c 1  System Use Notification
    Requirement: The information system, for publicly accessible systems: displays system use information [Assignment: organization-defined conditions], before granting further access;
AC-8 0 c 2  System Use Notification
    Requirement: The information system, for publicly accessible systems: displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
AC-8 0 c 3  System Use Notification
    Requirement: The information system, for publicly accessible systems: includes a description of the authorized uses of the system.
AC-11 0 a  Session Lock
    Requirement: The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
    Recommended value: 15 minutes
AC-11 0 b  Session Lock
    Requirement: The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 1  Session Lock
    Requirement: The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
AC-12 0  Session Termination
    Requirement: The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
AC-14 0 a  Permitted Actions without Identification or Authentication
    Requirement: The organization identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and
AC-14 0 b  Permitted Actions without Identification or Authentication
    Requirement: The organization documents and provides supporting rationale in the security plan for the information system for user actions not requiring identification and authentication.
AC-17 0 a  Remote Access
    Requirement: The organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
AC-17 0 b  Remote Access
    Requirement: The organization authorizes remote access to the information system prior to allowing such connections.
AC-17 1  Remote Access
    Requirement: The information system monitors and controls remote access methods.
AC-17 2  Remote Access
    Requirement: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
AC-17 3  Remote Access
    Requirement: The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points.
AC-17 4 a  Remote Access
    Requirement: The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and
    Recommended value: Authorized privileged users performing time-sensitive or emergency activities
AC-17 4 b  Remote Access
    Requirement: The organization documents the rationale for such access in the security plan for the information system.
AC-18 0 a  Wireless Access
    Requirement: The organization establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and
    EM supplemental guidance: Wireless technologies include, but are not limited to, microwave, satellite, packet radio (UHF/VHF), 802.11x, and Bluetooth.
AC-18 0 b  Wireless Access
    Requirement: The organization authorizes wireless access to the information system prior to allowing such connections.
AC-18 1  Wireless Access
    Requirement: The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.
AC-19 0 a  Access Control for Mobile Devices
    Requirement: The organization establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and
    EM supplemental guidance: Mobile devices include portable storage media (e.g., USB memory sticks, external hard disk drives) and portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).
AC-19 0 b  Access Control for Mobile Devices
    Requirement: The organization authorizes the connection of mobile devices to organizational information systems.
AC-19 5  Access Control for Mobile Devices
    Requirement: The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
    Recommended value: Full disk encryption on laptops and on external or removable hard drives that are not physically secured
AC-20 0 a  Use of External Information Systems
    Requirement: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: access the information system from the external information systems; and
    EM supplemental guidance: External information systems are information systems or components of information systems that are outside of the authorization boundary established by the organization and for which the organization typically has no direct supervision and authority over the application of required security controls or the assessment of security control effectiveness.
AC-20 0 b  Use of External Information Systems
    Requirement: The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: process, store, and/or transmit organization-controlled information using the external information systems.
AC-20 1 a  Use of External Information Systems
    Requirement: The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or
AC-20 1 b  Use of External Information Systems
    Requirement: The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20 2  Use of External Information Systems
    Requirement: The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.
AC-22 0 a  Publicly Accessible Content
    Requirement: The organization designates individuals authorized to post information onto a publicly accessible information system;
AC-22 0 b  Publicly Accessible Content
    Requirement: The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
AC-22 0 c  Publicly Accessible Content
    Requirement: The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and
AC-22 0 d  Publicly Accessible Content
    Requirement: The organization reviews the content on the publicly accessible information system for nonpublic information [Assignment: organization-defined frequency] and removes such information, if discovered.
    Recommended value: Monthly
AT-1 0 a 1  Security Awareness and Training Policy and Procedures
    Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    Recommended value: Security Staff and Administrative Staff
AT-1 0 a 2  Security Awareness and Training Policy and Procedures
    Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
    Recommended value: Security Staff and Administrative Staff
AT-1 0 b 1  Security Awareness and Training Policy and Procedures
    Requirement: Reviews and updates the current security awareness and training policy [Assignment: organization-defined frequency]; and
    Recommended value: Annually or any time there is a major change
AT-1 0 b 2  Security Awareness and Training Policy and Procedures
    Requirement: Reviews and updates the current security awareness and training procedures [Assignment: organization-defined frequency].
    Recommended value: Annually or any time there is a major change
AT-2 0 a  Security Awareness Training
    Requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): as part of initial training for new users;
AT-2 0 b  Security Awareness Training
    Requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): when required by information system changes; and
AT-2 0 c  Security Awareness Training
    Requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): [Assignment: organization-defined frequency] thereafter.
    Recommended value: Annually
AT-2 2  Security Awareness
    Requirement: The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AT-3 0 a  Role-Based Security Training
    Requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: before authorizing access to the information system or performing assigned duties;
AT-3 0 b  Role-Based Security Training
    Requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: when required by information system changes; and
AT-3 0 c  Role-Based Security Training
    Requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
    Recommended value: Annually
AT-4 0 a  Security Training Records
    Requirement: The organization documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training; and
AT-4 0 b  Security Training Records
    Requirement: The organization retains individual training records for [Assignment: organization-defined time period].
    Recommended value: Retains individual training records for at least five years or when superseded or obsolete, whichever is sooner
AU-1 0 a 1  Audit and Accountability Policies and Procedures
    Requirement: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: an audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    Recommended value: Security Staff and Administrative Staff
AU-1 0 a 2  Audit and Accountability Policies and Procedures
    Requirement: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
    Recommended value: Security Staff and Administrative Staff
AU-1 0 b 1  Audit and Accountability Policies and Procedures
    Requirement: Reviews and updates the current: audit and accountability policy [Assignment: organization-defined frequency]; and
    Recommended value: Annually or any time there is a major change
AU-1 0 b 2  Audit and Accountability Policies and Procedures
    Requirement: Reviews and updates the current: audit and accountability procedures [Assignment: organization-defined frequency].
    Recommended value: Annually or any time there is a major change
AU-2 0 a  Audit Events
    Requirement: The organization determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
    Recommended value: Successful and unsuccessful logon events to the network or any device; logoff events; change of password; startup, reboot, and any system command event; all actions by system administrator accounts; startup and shutdown of the audit function; clearing of any log file; successful and unsuccessful changes to user/group accounts and permissions; successful and unsuccessful changes to the configuration of the auditing subsystem; successful and unsuccessful changes to the configuration or policy of any device
    EM supplemental guidance: The purpose of this control is for the organization to identify events which need to be auditable as significant and relevant to the security of the information system, giving an overall system requirement in order to meet ongoing and specific audit needs. To balance auditing requirements with other information system needs, this control also requires identifying the subset of auditable events that are to be audited at a given point in time.
AU-2 0 b  Audit Events
    Requirement: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
AU-2 0 c  Audit Events
    Requirement: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
AU-2 0 d  Audit Events
    Requirement: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
    Recommended value: Successful and unsuccessful logon events to the network or any device; logoff events; change of password; startup, reboot, and any system command event; all actions by system administrator accounts; startup and shutdown of the audit function; clearing of any log file; successful and unsuccessful changes to user/group accounts and permissions; successful and unsuccessful changes to the configuration of the auditing subsystem; successful and unsuccessful changes to the configuration or policy of any device
AU-2 3  Audit Events
    Requirement: The organization reviews and updates the audited events [Assignment: organization-defined frequency].
    Recommended value: Annually
AU-3 0  Content of Audit Records
    Requirement: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
    EM supplemental guidance: Audit record content that may be necessary to satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
AU-3 1  Content of Audit Records
    Requirement: The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].
    Recommended value: Any technically feasible risk-based audit information
AU-4 0  Audit Storage Capacity
    Requirement: The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
AU-5 0 a  Response to Audit Processing Failures
    Requirement: The information system alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
    EM supplemental guidance: Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
AU-5 0 b  Response to Audit Processing Failures
    Requirement: The information system takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
    Recommended value: As defined in the incident response plan, based upon assessed risks to the information stored, processed and transferred by the information system technology/components
    EM supplemental guidance: Audit logs should be automatically stored in a log correlation solution or SIEM solution to prevent intentional destruction of audit logs and to allow options such as overwriting the oldest audit records.
AU-6 0 a  Audit Review, Analysis, and Reporting
    Requirement: The organization reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
    Recommended value: Weekly
AU-6 0 b  Audit Review, Analysis, and Reporting
    Requirement: The organization reports findings to [Assignment: organization-defined personnel or roles].
AU-6 1  Audit Review, Analysis, and Reporting
    Requirement: The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6 3  Audit Review, Analysis, and Reporting
    Requirement: The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
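The AU-2 d value list, the AU-3 content requirement and the AU-6 weekly review fit together as one piece of review logic: records that lack an AU-3 element cannot support an after-the-fact investigation and are set aside, and the remaining records are screened for the AU-2 d event types. The following is an added illustration written for this page, not code from the RMAIP or from DOE, run over constructed JSON-lines audit records. The record layout, the field and event-type names, the severity mapping and the sample lines are assumptions; the escalation heuristic (failed logons by a user who then clears logs or reconfigures auditing) is likewise a constructed example of the correlation AU-6(3) calls for.

```python
"""Audit-record checks for AU-3 content and AU-6 review of the AU-2 d event
list (added illustration, not part of the RMAIP).

parse_records() rejects records missing any AU-3 element (what, when, where,
source, outcome, identity). review() flags the event types the AU-2 d value
list names. escalate() applies one constructed heuristic: failed logons by a
user who then clears logs or reconfigures auditing.
The JSON-lines layout, field and event names, and SAMPLE_LOG are constructed
for this illustration."""
import json
from collections import Counter
from typing import Dict, List, Tuple

REQUIRED_FIELDS = ("event", "time", "host", "source", "outcome", "user")  # AU-3 elements

# AU-2 d events of interest mapped to a review severity (event names are constructed)
WATCHLIST = {
    "password_change": "notable",
    "account_modify": "notable",
    "permission_change": "notable",
    "admin_command": "notable",
    "audit_config_change": "critical",
    "audit_stop": "critical",
    "log_clear": "critical",
}

SAMPLE_LOG = """\
{"event":"logon","time":"2014-02-03T08:59:10Z","host":"em-srv1","source":"10.0.2.15","outcome":"failure","user":"jdoe"}
{"event":"logon","time":"2014-02-03T08:59:40Z","host":"em-srv1","source":"10.0.2.15","outcome":"failure","user":"jdoe"}
{"event":"logon","time":"2014-02-03T09:00:05Z","host":"em-srv1","source":"10.0.2.15","outcome":"success","user":"jdoe"}
{"event":"audit_config_change","time":"2014-02-03T09:01:00Z","host":"em-srv1","source":"10.0.2.15","outcome":"success","user":"jdoe"}
{"event":"log_clear","time":"2014-02-03T09:01:30Z","host":"em-srv1","source":"10.0.2.15","outcome":"success","user":"jdoe"}
{"event":"admin_command","time":"2014-02-03T09:02:00Z","host":"em-srv1","outcome":"success","user":"root"}
{"event":"file_read","time":"2014-02-03T09:03:00Z","host":"em-srv1","source":"10.0.2.40","outcome":"success","user":"asmith"}
"""

Finding = Tuple[str, str, str]   # (severity, user, description)


def parse_records(text: str) -> Tuple[List[Dict], List[str]]:
    """Split JSON-lines output into usable records and lines that fail AU-3."""
    usable, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)
            continue
        if all(name in rec for name in REQUIRED_FIELDS):
            usable.append(rec)
        else:
            rejected.append(line)     # e.g. no source address: AU-3 not met
    return usable, rejected


def review(records: List[Dict]) -> List[Finding]:
    """AU-6 a: flag records that match the AU-2 d event list."""
    findings: List[Finding] = []
    for r in records:
        if r["event"] == "logon":
            if r["outcome"] == "failure":
                findings.append(("watch", r["user"], f"failed logon from {r['source']} at {r['time']}"))
            continue
        severity = WATCHLIST.get(r["event"])
        if severity:
            findings.append((severity, r["user"], f"{r['event']} ({r['outcome']}) on {r['host']} at {r['time']}"))
    return findings


def escalate(findings: List[Finding]) -> List[Finding]:
    """Constructed correlation: a user with failed logons who then performs a
    critical action against the audit trail is escalated for investigation."""
    suspects = {user for sev, user, _ in findings if sev == "watch"}
    return [("escalate", user, msg) for sev, user, msg in findings
            if sev == "critical" and user in suspects]


def demo(text: str = SAMPLE_LOG) -> Dict[str, int]:
    """Counts per severity for one batch, plus the number of AU-3 rejects."""
    usable, rejected = parse_records(text)
    findings = review(usable)
    counts = Counter(sev for sev, _, _ in findings)
    counts["escalate"] = len(escalate(findings))
    counts["rejected"] = len(rejected)
    return dict(counts)


if __name__ == "__main__":
    found = review(parse_records(SAMPLE_LOG)[0])
    for sev, user, msg in found + escalate(found):
        print(f"[{sev:>8}] {user}: {msg}")
    print(demo())
```

The rejected line (the `admin_command` record with no source address) is the practical reason AU-3 matters: an "all actions by system administrator accounts" event that cannot be tied to a source is of little use in an investigation, so the review reports it as a deficiency rather than silently scoring it.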
AU-7 0 a  Audit Reduction and Report Generation
    Requirement: The information system provides an audit reduction and report generation capability that: supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
    EM supplemental guidance: An audit reduction and report generation capability provides support for near real-time audit review, analysis, and reporting requirements described in AU-6 and after-the-fact investigations of security incidents. Audit reduction and reporting tools do not alter original audit records. It is also a safeguard for least privilege to help protect against insider threat.
AU-7 0 b  Audit Reduction and Report Generation
    Requirement: The information system provides an audit reduction and report generation capability that: does not alter the original content or time ordering of audit records.
AU-7 1  Audit Reduction and Report Generation
    Requirement: The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].
AU-8 0 a  Time Stamps
    Requirement: The information system uses internal system clocks to generate time stamps for audit records; and
AU-8 0 b  Time Stamps
    Requirement: The information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
AU-8 1 a  Time Stamps
    Requirement: The information system compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
    Recommended value: Daily & time.doe.gov
AU-8 1 b  Time Stamps
    Requirement: The information system synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
    Recommended value: Two minutes
    EM supplemental guidance: A time frequency such as weekly or monthly may be used in lieu of a defined time period.
AU-9 0  Protection of Audit Information
    Requirement: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
AU-9 4  Protection of Audit Information
    Requirement: The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].
AU-11 0  Audit Record Retention
    Requirement: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
    Recommended value: At least one year, or until no longer needed for legal, investigative, or evidence purposes
    EM supplemental guidance: The organization retains audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Standard categorizations of audit records relative to such types of actions and standard response processes for each type of action are developed and disseminated. The National Archives and Records Administration (NARA) General Records Schedules (GRS) provide federal policy on record retention.
AU-12 0 a  Audit Generation
    Requirement: The information system provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
    Recommended value: System components that access any security-related devices, including devices with network defined and controlled by network or system defined criteria
AU-12 0 b  Audit Generation
    Requirement: The information system allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
AU-12 0 c  Audit Generation
    Requirement: The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CA-1 0 a 1  Security Assessment and Authorization Policies and Procedures
    Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    Recommended value: Security Staff and Administrative Staff
CA-1 0 a 2  Security Assessment and Authorization Policies and Procedures
  NIST requirement: The organization Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and
  Recommended value: Security Staff and Administrative Staff

CA-1 0 b 1  Security Assessment and Authorization Policies and Procedures
  NIST requirement: Reviews and updates the current: Security assessment and authorization policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

CA-1 0 b 2  Security Assessment and Authorization Policies and Procedures
  NIST requirement: Reviews and updates the current: Security assessment and authorization procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

CA-2 0 a 1  Security Assessments
  NIST requirement: The organization develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment;

CA-2 0 a 2  Security Assessments
  NIST requirement: Assessment procedures to be used to determine security control effectiveness; and

CA-2 0 a 3  Security Assessments
  NIST requirement: Assessment environment, assessment team, and assessment roles and responsibilities;

CA-2 0 b  Security Assessments
  NIST requirement: Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
  Recommended value: The site performs an initial ST&E to authorize new boundaries, performs annual continuous monitoring assessments and re-issues authorization annually or at least every three years (maximum) if appropriate
  EM supplemental guidance: Continuous monitoring is a combination of efforts: the testing of 1/3 of the controls by EM HQ, site assessments of site-determined controls, site and enterprise security monitoring tools, phishing exercises and penetration testing efforts.

CA-2 0 c  Security Assessments
  NIST requirement: Produces a security assessment report that documents the results of the assessment; and

CA-2 0 d  Security Assessments
  NIST requirement: Provides the results of the security control assessment, in writing, to [Assignment: organization-defined individuals or roles].
CA-2 1  Security Assessments
  NIST requirement: The organization employs an independent assessor or assessment team with [Assignment: organization-defined level of independence] to conduct security control assessments.
  EM supplemental guidance: EM HQ provides this service to EM sites.

CA-3 0 a  Information System Connections
  NIST requirement: The organization: Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
  EM supplemental guidance: This control applies to dedicated connections between information systems and does not apply to transitory, user-controlled connections such as email and website browsing.

CA-3 0 b  Information System Connections
  NIST requirement: The organization: Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and

CA-3 0 c  Information System Connections
  NIST requirement: The organization: Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
  Recommended value: At least annually or when changes are made to any interface controls documented in the agreement.

CA-3 5  Information System Connections
  NIST requirement: The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing [Assignment: organization-defined information systems] to connect to external information systems.

CA-5 0 a  Plan of Action and Milestones
  NIST requirement: The organization: Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
  EM supplemental guidance: Actions that will take significant resources and will take 90 days or more will be documented in a POA&M within eGovRPM.

CA-5 0 b  Plan of Action and Milestones
  NIST requirement: The organization: Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
  Recommended value: Quarterly

CA-6 0 a  Security Authorization
  NIST requirement: The organization: Assigns a senior-level executive or manager to the role of authorizing official for the information system;
CA-6 0 b  Security Authorization
  NIST requirement: The organization: Ensures that the authorizing official authorizes the information system for processing before commencing operations; and

CA-6 0 c  Security Authorization
  NIST requirement: The organization: Updates the security authorization [Assignment: organization-defined frequency].
  Recommended value: The site may either update the authorization on a yearly basis (based on Continuous Monitoring assessments) or every three years

CA-7 0 a  Continuous Monitoring
  NIST requirement: The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored;
  EM supplemental guidance: A continuous monitoring program allows an organization to maintain the security authorization of an information system over time in a highly dynamic environment of operation with changing threats, vulnerabilities, technologies, and missions/business processes. EM HQ assists with this as a service to all EM Sites. Program level metrics have been developed and are available via the EM Portal.

CA-7 0 b  Continuous Monitoring
  NIST requirement: Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;

CA-7 0 c  Continuous Monitoring
  NIST requirement: Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and

CA-7 0 d  Continuous Monitoring
  NIST requirement: Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

CA-7 0 e  Continuous Monitoring
  NIST requirement: Correlation and analysis of security-related information generated by assessments and monitoring;

CA-7 0 f  Continuous Monitoring
  NIST requirement: Response actions to address results of the analysis of security-related information; and

CA-7 0 g  Continuous Monitoring
  NIST requirement: Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
  Recommended value: AODR & AO annually as part of CM process
CA-7 1  Continuous Monitoring
  NIST requirement: The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.
  EM supplemental guidance: This is performed as a service by EM HQ.

CA-9 0 a  Internal System Connections
  NIST requirement: The organization Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and

CA-9 0 b  Internal System Connections
  NIST requirement: The organization documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

CM-1 0 a 1  Configuration Management Policy and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

CM-1 0 a 2  Configuration Management Policy and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
  Recommended value: Security Staff and Administrative Staff

CM-1 0 b 1  Configuration Management Policy and Procedures
  NIST requirement: Reviews and updates the current: Configuration management policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change

CM-1 0 b 2  Configuration Management Policy and Procedures
  NIST requirement: Reviews and updates the current: Configuration management procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change
CM-2  Configuration Baseline
  NIST requirement: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
  EM supplemental guidance: This control establishes a baseline configuration for the information system and its constituent components including communications and connectivity-related aspects of the system. The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture.

CM-2 1 a - Configuration Baseline
  NIST requirement: The organization reviews and updates the baseline configuration of the information system: [Assignment: organization-defined frequency];
  Recommended value: As needed or at least annually

CM-2 1 b - Configuration Baseline
  NIST requirement: The organization reviews and updates the baseline configuration of the information system: When required due to [Assignment: organization-defined circumstances]; and
  Recommended value: Annually or any time there is a major change

CM-2 1 c - Configuration Baseline
  NIST requirement: The organization reviews and updates the baseline configuration of the information system: As an integral part of information system component installations and upgrades.

CM-2 3  Configuration Baseline
  NIST requirement: The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
  Recommended value: Two versions
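The following is an added worked example (not part of the EM plan and not any site's tooling) of what CM-2 and CM-2(3) ask for in practice: a baseline store that keeps the current approved configuration of a component under control, retains the two previous versions recommended above so a bad change can be rolled back, and reports drift between the approved baseline and what a component is observed to be running. The component settings, version strings and the `BaselineStore`/`drift` names are all constructed for the illustration.

```python
"""Baseline configuration store with bounded version history (added example).

Illustrates CM-2 / CM-2(3): keep the current baseline of a system component
under configuration control, retain the previous versions (the EM-recommended
value is two) so that a bad change can be rolled back, and report drift
between what a component is running and its approved baseline.
All component data below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A baseline is a flat mapping of setting name -> value (OS version, installed
# software versions, patch level, service state, and so on).
Baseline = Dict[str, str]


@dataclass
class BaselineStore:
    """Holds the current baseline and a bounded list of previous versions."""
    retained_versions: int = 2                       # CM-2(3) value: two versions
    current: Baseline = field(default_factory=dict)
    history: List[Baseline] = field(default_factory=list)  # newest first

    def update(self, new_baseline: Baseline) -> None:
        """Replace the current baseline, pushing the old one into history.

        History is trimmed to `retained_versions`; the oldest copy is dropped
        once more than that many previous baselines would be kept.
        """
        if self.current:
            self.history.insert(0, dict(self.current))
            del self.history[self.retained_versions:]
        self.current = dict(new_baseline)

    def rollback(self) -> Baseline:
        """Restore the most recent previous baseline (CM-2(3) rollback support)."""
        if not self.history:
            raise LookupError("no previous baseline retained; cannot roll back")
        self.current = self.history.pop(0)
        return dict(self.current)


def drift(baseline: Baseline, observed: Baseline) -> Dict[str, Tuple[str, str]]:
    """Return settings whose observed value differs from the approved baseline.

    Maps setting -> (expected, observed). A setting absent on either side is
    reported as "<absent>", so unapproved additions and removals both surface.
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, "<absent>")
        actual = observed.get(key, "<absent>")
        if expected != actual:
            findings[key] = (expected, actual)
    return findings


def demo() -> dict:
    """Walk a constructed workstation baseline through four versions and a rollback."""
    store = BaselineStore(retained_versions=2)
    v1 = {"os": "Windows 7 SP1", "java": "7u51", "svc:telnet": "disabled"}
    v2 = {"os": "Windows 7 SP1", "java": "7u55", "svc:telnet": "disabled"}
    v3 = {"os": "Windows 7 SP1", "java": "7u55", "svc:telnet": "disabled", "svc:smb": "enabled"}
    v4 = {"os": "Windows 8.1", "java": "7u55", "svc:telnet": "disabled", "svc:smb": "enabled"}
    for version in (v1, v2, v3, v4):
        store.update(version)
    # Only the two most recent previous baselines (v3, v2) survive; v1 is gone.
    retained = [h["os"] + "/" + h.get("svc:smb", "none") for h in store.history]
    # Constructed observation: downgraded Java and telnet re-enabled on the host.
    observed = {"os": "Windows 8.1", "java": "7u45", "svc:telnet": "enabled", "svc:smb": "enabled"}
    findings = drift(store.current, observed)
    rolled = store.rollback()   # back to v3, leaving v2 as the only retained prior version
    return {"retained": retained, "drift": findings,
            "rolled_back_to": rolled, "history_left": len(store.history)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The drift report is what a CM-2(1) review or a CM-6 settings check would act on; the bounded history is the CM-2(3) retention decision made explicit in code rather than left to a file share.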
CM-2 7 a  Configuration Baseline
  NIST requirement: The organization: Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
  EM supplemental guidance: The suggestion here is to have a cache of mobile devices that would be used on foreign travel. The devices would be cleaned prior to and after travel so that no malware would remain if placed on the device while on travel. Also, digital imaging should be used in order to determine if the device was physically altered. The DOE Safe Passage Program is available to EM sites.

CM-2 7 b  Configuration Baseline
  NIST requirement: The organization: Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.

CM-3 0 a - Configuration Change Control
  NIST requirement: The organization: Determines the types of changes to the information system that are configuration-controlled;
  EM supplemental guidance: The site determines the types of changes to the information system that are configuration controlled. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications.

CM-3 b - Configuration Change Control
  NIST requirement: The organization: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3 c - Configuration Change Control
  NIST requirement: The organization: Documents configuration change decisions associated with the information system;

CM-3 d - Configuration Change Control
  NIST requirement: The organization: Implements approved configuration-controlled changes to the information system;

CM-3 e - Configuration Change Control
  NIST requirement: The organization: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3 f - Configuration Change Control
  NIST requirement: The organization: Audits and reviews activities associated with configuration-controlled changes to the information system; and
CM-3 g - Configuration Change Control
  NIST requirement: The organization: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
  Recommended value: A change control board that convenes at least monthly or more frequently if needed to review and approve/disapprove changes

CM-3 2 - Configuration Change Control
  NIST requirement: The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-4 - Security Impact Analyses
  NIST requirement: The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
  EM supplemental guidance: Security impact analysis may include, for example, reviewing information system documentation such as the security plan to understand how specific security controls are implemented within the system and how the changes might affect the controls. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine if additional security controls are required. Security impact analysis is scaled in accordance with the security categorization of the information system.

CM-5 - Access Restrictions for Change
  NIST requirement: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-6 a - Configuration Settings
  NIST requirement: The organization Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
  Recommended value: Baseline checklist such as USGCB, SCAP, or CIS for its different kinds of systems
  EM supplemental guidance: Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections.

CM-6 b - Configuration Settings
  NIST requirement: The organization: Implements the configuration settings;

CM-6 c - Configuration Settings
  NIST requirement: The organization Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

CM-6 d - Configuration Settings
  NIST requirement: The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-7 0 a - Least Functionality
  NIST requirement: The organization: Configures the information system to provide only essential capabilities; and
CM-7 0 b - Least Functionality
  NIST requirement: The organization: Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
  Recommended value: Any function, port, protocol or service not specifically required for the operation of the information system and those specifically prohibited by the AO
  EM supplemental guidance: The functions and services provided by organizational information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, file sharing). Organizations consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus [USB], File Transfer Protocol [FTP], Internet Protocol Version 6 [IPv6], Hyper Text Transfer Protocol [HTTP]) on information system components to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

CM-7 1 a - Least Functionality
  NIST requirement: The organization: Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or non-secure functions, ports, protocols, and services; and
  Recommended value: Annually

CM-7 1 b - Least Functionality
  NIST requirement: The organization: Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or non-secure].
  Recommended value: Disable all that are not necessary.
CM-7 2 - Least Functionality
  NIST requirement: The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

CM-7 4 a - Least Functionality
  NIST requirement: The organization: Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];

CM-7 4 b - Least Functionality
  NIST requirement: The organization: Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and

CM-7 4 c - Least Functionality
  NIST requirement: The organization: Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
  Recommended value: Annually

CM-8 0 a 1  Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system;

CM-8 0 a 2  Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Includes all components within the authorization boundary of the information system;
  EM supplemental guidance: This function should be automated and the SSP control statement should point to the system (e.g., Tenable Security Center)

CM-8 0 a 3  Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Is at the level of granularity deemed necessary for tracking and reporting; and
  EM supplemental guidance: This function should be automated and the SSP control statement should point to the system (e.g., Tenable Security Center)

CM-8 0 a 4  Information System Component Inventory
  NIST requirement: The organization: Develops and documents an inventory of information system components that: Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
  Recommended value: Device type, model, serial number or tracking number, location, and owner name and phone number
CM-8 0 b - Information System Component Inventory
  NIST requirement: The organization: Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

CM-8 1  Information System Component Inventory
  NIST requirement: The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8 3 a  Information System Component Inventory
  NIST requirement: The organization Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and

CM-8 3 b  Information System Component Inventory
  NIST requirement: The organization: Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

CM-8 5  Information System Component Inventory
  NIST requirement: The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories.
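As an added example (not from the EM plan, and not how any named product such as Tenable Security Center implements it), the following script shows the automated reconciliation that CM-8(3)(a) and (b) call for: an authorized inventory carrying the attributes recommended under CM-8 a 4 is compared with the output of a discovery run, unmatched components are flagged, and one of the CM-8(3)(b) selections (disable network access, isolate, notify) is chosen for each. The inventory records, discovered hosts, the assumption that the discovery tool reports a serial number, and the response policy in `reconcile` are all constructed for the illustration.

```python
"""Component inventory reconciliation (added example).

Illustrates CM-8 and CM-8(3): compare an authorized component inventory
(carrying the EM-recommended attributes: device type, model, serial or tracking
number, location, owner name and phone) against what an automated discovery
run actually found, flag components that are unauthorized or missing, and
pick a CM-8(3)(b) response for each. Inventory and discovery data are
constructed; that the scanner can report a serial number is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class InventoryRecord:
    serial: str          # serial number or tracking number (CM-8 a 4)
    device_type: str
    model: str
    location: str
    owner: str
    owner_phone: str


@dataclass(frozen=True)
class DiscoveredHost:
    serial: str          # as reported by the discovery tool (assumed available)
    ip: str
    hostname: str
    in_boundary: bool    # address falls inside the authorization boundary


@dataclass(frozen=True)
class Finding:
    serial: str
    status: str          # "authorized", "unauthorized" or "missing"
    action: str          # CM-8(3)(b) selection, or "none"


def reconcile(inventory: Iterable[InventoryRecord],
              discovered: Iterable[DiscoveredHost]) -> List[Finding]:
    """Match discovered hosts against the authorized inventory by serial number.

    Response policy (an assumption for this example, drawn from the CM-8(3)(b)
    selection list): an unknown device inside the boundary has its network
    access disabled; an unknown device seen from outside the boundary is
    isolated pending review; an inventoried device that was not discovered is
    reported to the ISSO as missing; a matched device needs no action.
    """
    authorized: Dict[str, InventoryRecord] = {r.serial: r for r in inventory}
    seen = set()
    findings: List[Finding] = []
    for host in discovered:
        seen.add(host.serial)
        if host.serial in authorized:
            findings.append(Finding(host.serial, "authorized", "none"))
        elif host.in_boundary:
            findings.append(Finding(host.serial, "unauthorized", "disable network access"))
        else:
            findings.append(Finding(host.serial, "unauthorized", "isolate"))
    # Inventoried components that discovery did not see: stale record or removed device.
    for serial in sorted(set(authorized) - seen):
        findings.append(Finding(serial, "missing", "notify ISSO"))
    return findings


# Constructed sample data (not drawn from any real site inventory).
SAMPLE_INVENTORY = [
    InventoryRecord("SN-1001", "workstation", "Model-W1", "Bldg 1 Rm 101", "A. Analyst", "555-0101"),
    InventoryRecord("SN-1002", "server", "Model-S2", "Bldg 1 Data Ctr", "S. Admin", "555-0102"),
    InventoryRecord("SN-1003", "switch", "Model-N3", "Bldg 2 Closet", "N. Admin", "555-0103"),
]

SAMPLE_DISCOVERY = [
    DiscoveredHost("SN-1001", "10.0.1.15", "ws-analyst", True),
    DiscoveredHost("SN-1002", "10.0.1.20", "srv-app", True),
    DiscoveredHost("SN-9999", "10.0.1.77", "unknown-dev", True),      # not inventoried
    DiscoveredHost("SN-5555", "192.0.2.44", "guest-laptop", False),   # outside the boundary
]


def run_sample() -> Dict[str, str]:
    """Reconcile the constructed data; returns serial -> chosen action."""
    return {f.serial: f.action for f in reconcile(SAMPLE_INVENTORY, SAMPLE_DISCOVERY)}


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_INVENTORY, SAMPLE_DISCOVERY):
        print(f"{finding.serial:8} {finding.status:12} {finding.action}")
```

Matching on serial number is what makes the CM-8 a 4 attributes useful operationally: a host that appears with a known address but an unknown serial is still reported, and a record that discovery never sees is surfaced for the CM-8 b review rather than silently retained.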
CM-9 a - Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures;
  EM supplemental guidance: The configuration management plan satisfies the requirements in the organization’s configuration management policy while being tailored to the individual information system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated.

CM-9 b - Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;

CM-9 c - Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Defines the configuration items for the information system and places the configuration items under configuration management; and

CM-9 d - Configuration Management Plan
  NIST requirement: The organization develops, documents, and implements a configuration management plan for the information system that: Protects the configuration management plan from unauthorized disclosure and modification.
CM-10 0 a  Software Usage Restrictions
  NIST requirement: The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws;

CM-10 0 b  Software Usage Restrictions
  NIST requirement: The organization: Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

CM-10 0 c  Software Usage Restrictions
  NIST requirement: The organization: Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CM-11 0 a  User-Installed Software
  NIST requirement: The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users;

CM-11 0 b  User-Installed Software
  NIST requirement: The organization: Enforces software installation policies through [Assignment: organization-defined methods]; and

CM-11 0 c  User-Installed Software
  NIST requirement: The organization: Monitors policy compliance at [Assignment: organization-defined frequency].

CP-1 0 a 1  Contingency Planning Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

CP-1 0 a 2  Contingency Planning Policy and Procedures
  NIST requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and
  Recommended value: Security Staff and Administrative Staff

CP-1 0 b 1  Contingency Planning Policy and Procedures
  NIST requirement: The organization Reviews and updates the current Contingency planning policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change
CP-1 1 b 2  Contingency Planning Policy and Procedures
  NIST requirement: The organization Reviews and updates the current Contingency planning procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

CP-2 0 a 1  Contingency Plan
  NIST requirement: The Organization develops a contingency plan for the information system that Identifies essential missions and business functions and associated contingency requirements;

CP-2 0 a 2  Contingency Plan
  NIST requirement: The Organization develops a contingency plan for the information system that Provides recovery objectives, restoration priorities, and metrics;

CP-2 0 a 3  Contingency Plan
  NIST requirement: Addresses contingency roles, responsibilities, assigned individuals with contact information;

CP-2 0 a 4  Contingency Plan
  NIST requirement: The Organization develops a contingency plan for the information system that Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;

CP-2 0 a 5  Contingency Plan
  NIST requirement: The Organization develops a contingency plan for the information system that Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and

CP-2 0 a 6  Contingency Plan
  NIST requirement: The Organization develops a contingency plan for the information system that Is reviewed and approved by designated officials within the organization;

CP-2 0 b  Contingency Plan
  NIST requirement: The organization distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
  Recommended value: System owner, business function, AODR, ISSM, ISSO, system admins and physical security.

CP-2 0 c  Contingency Plan
  NIST requirement: The Organization coordinates contingency planning activities with incident handling activities;

CP-2 0 d  Contingency Plan
  NIST requirement: The organization reviews the contingency plan for the information system [Assignment: organization-defined frequency];
  Recommended value: Annually
CP-2 0 e  Contingency Plan
  NIST requirement: The organization updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;

CP-2 0 f  Contingency Plan
  NIST requirement: The organization communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and
  Recommended value: System owner, business function, AODR, ISSM, ISSO, system admins and physical security.

CP-2 0 g  Contingency Plan
  NIST requirement: The organization protects the contingency plan from unauthorized disclosure and modification.

CP-2 1  Contingency Plan
  NIST requirement: The organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2 3  Contingency Plan
  NIST requirement: The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2 8  Contingency Plan
  NIST requirement: The organization identifies critical information system assets supporting essential missions and business functions.

CP-3 0 a  Contingency Training
  NIST requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;

CP-3 0 b  Contingency Training
  NIST requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and

CP-3 0 c  Contingency Training
  NIST requirement: The organization provides contingency training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended value: Annually
CP-4 0 a  Contingency Plan Testing
  Requirement: The organization tests the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the effectiveness of the plan and the organizational readiness to execute the plan;
  Recommended value: The CP is tested annually by table top exercises one year and simulated/live exercise every other year for effectiveness and ability to meet contingencies
  EM guidance: There are several methods for testing and/or exercising contingency plans to identify potential weaknesses (e.g., checklist, walk-through/tabletop, simulation: parallel, full interrupt). Contingency plan testing and/or exercises include a determination of the effects on site operations and assets (e.g., reduction in mission capability) and individuals arising due to contingency operations in accordance with the plan.
CP-4 0 b  Contingency Plan Testing
  Requirement: The organization reviews the contingency plan test results; and
CP-4 1 c  Contingency Plan Testing
  Requirement: The organization initiates corrective actions, if needed.
CP-4 1  Contingency Plan Testing
  Requirement: The organization coordinates contingency plan testing with organizational elements responsible for related plans.
CP-6 0 a  Alternate Storage Site
  Requirement: The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and
CP-6 0 b  Alternate Storage Site
  Requirement: The organization ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site.
CP-6 1  Alternate Storage Site
  Requirement: The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats.
CP-6 3  Alternate Storage Site
  Requirement: The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 0 a  Alternate Processing Site
  Requirement: The organization establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
  Recommended value: The site has developed an alternate processing site that is approved (through agreements) and that allows the site to meet the mission requirements (one day recommended)
CP-7 0 b  Alternate Processing Site
  Requirement: The organization ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and
CP-7 0 c  Alternate Processing Site
  Requirement: The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
CP-7 1  Alternate Processing Site
  Requirement: The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats.
CP-7 2  Alternate Processing Site
  Requirement: The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 3  Alternate Processing Site
  Requirement: The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives).
CP-8 0  Telecommunications Services
  Requirement: The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
  Recommended value: The site establishes alternate telecommunications services agreements to meet the mission restoration requirements (in accordance with BIA) (Recommend one business day maximum)
CP-8 1 a  Telecommunications Services
  Requirement: The organization develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and
CP-8 1 b  Telecommunications Services
  Requirement: The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8 2  Telecommunications Services
  Requirement: The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
CP-9 0 a  Information System Backup
  Requirement: The organization conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  Recommended value: Daily
CP-9 0 b  Information System Backup
  Requirement: The organization conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
CP-9 0 c  Information System Backup
  Requirement: The organization conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
CP-9 0 d  Information System Backup
  Requirement: The organization protects the confidentiality and integrity of backup information at the storage location.
CP-9 1  Information System Backup
  Requirement: The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.
  Recommended value: At least annually
CP-10 0  Information System Recovery and Reconstitution
  Requirement: The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CP-10 2  Information System Recovery and Reconstitution
  Requirement: The information system implements transaction recovery for systems that are transaction-based.
IA-1 0 a 1  Identification and Authentication Policy and Procedures
  Requirement: The organization: develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff
IA-1 0 a 2  Identification and Authentication Policy and Procedures
  Requirement: The organization: develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and
  Recommended value: Security Staff and Administrative Staff
IA-1 0 b 1  Identification and Authentication Policy and Procedures
  Requirement: The organization reviews and updates the current: Identification and authentication policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change
IA-1 0 b 2  Identification and Authentication Policy and Procedures
  Requirement: The organization reviews and updates the current: Identification and authentication procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change
IA-2 0  Identification and Authentication (Organizational Users)
  Requirement: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2 1  Identification and Authentication (Organizational Users)
  Requirement: The information system implements multifactor authentication for network access to privileged accounts.
IA-2 2  Identification and Authentication (Organizational Users)
  Requirement: The information system implements multifactor authentication for network access to non-privileged accounts.
IA-2 3  Identification and Authentication (Organizational Users)
  Requirement: The information system implements multifactor authentication for local access to privileged accounts.
IA-2 8  Identification and Authentication (Organizational Users)
  Requirement: The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 11  Identification and Authentication (Organizational Users)
  Requirement: The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].
IA-2 12  Identification and Authentication (Organizational Users)
  Requirement: The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.
IA-3 0  Device Identification and Authentication
  Requirement: The information system uniquely identifies and authenticates [Assignment: organization defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.
  Recommended value: Single use authenticators before establishing a remote connection
IA-4 0 a  Identifier Management
  Requirement: The organization manages information system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
  Recommended value: All personnel
IA-4 0 b  Identifier Management
  Requirement: The organization manages information system identifiers by: Selecting an identifier that identifies an individual, group, role, or device;
IA-4 0 c  Identifier Management
  Requirement: The organization manages information system identifiers by: Assigning the identifier to the intended individual, group, role, or device;
IA-4 0 d  Identifier Management
  Requirement: The organization manages information system identifiers by: Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
IA-4 0 e  Identifier Management
  Requirement: The organization manages information system identifiers by: Disabling the identifier after [Assignment: organization-defined time period of inactivity].
  Recommended value: 90 days
IA-5 0 a  Authenticator Management
  Requirement: The organization manages information system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
IA-5 0 b  Authenticator Management
  Requirement: The organization manages information system authenticators by: Establishing initial authenticator content for authenticators defined by the organization;
IA-5 0 c  Authenticator Management
  Requirement: The organization manages information system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use;
IA-5 0 d  Authenticator Management
  Requirement: The organization manages information system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
IA-5 0 e  Authenticator Management
  Requirement: The organization manages information system authenticators by: Changing default content of authenticators prior to information system installation;
IA-5 0 f  Authenticator Management
  Requirement: The organization manages information system authenticators by: Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
IA-5 0 g  Authenticator Management
  Requirement: The organization manages information system authenticators by: Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
  Recommended value: If passwords are still used the recommended time to force a change is 90 days or less. If multifactor is used the PIN can be changed every 6 months.
IA-5 0 h  Authenticator Management
  Requirement: The organization manages information system authenticators by: Protecting authenticator content from unauthorized disclosure and modification;
IA-5 0 i  Authenticator Management
  Requirement: The organization manages information system authenticators by: Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
IA-5 0 j  Authenticator Management
  Requirement: The organization manages information system authenticators by: Changing authenticators for group/role accounts when membership to those accounts changes.
IA-5 1 a  Authenticator Management
  Requirement: The information system, for password-based authentication: Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
  Recommended value: At least sixteen characters, at least sixteen nonblank characters, combination of letters, numbers, and at least one special character in the first seven positions, do not contain user ID, no simple pattern of letters or numbers
IA-5 1 b  Authenticator Management
  Requirement: The information system, for password-based authentication: Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
  Recommended value: At least 4 characters
IA-5 1 c  Authenticator Management
  Requirement: The information system, for password-based authentication: Stores and transmits only encrypted representations of passwords;
IA-5 1 d  Authenticator Management
  Requirement: The information system, for password-based authentication: Enforces password minimum and maximum lifetime restrictions of [Assignment: organization defined numbers for lifetime minimum, lifetime maximum];
  Recommended value: Minimum of one day, maximum of 90 days
IA-5 1 e  Authenticator Management
  Requirement: The information system, for password-based authentication: Prohibits password reuse for [Assignment: organization-defined number] generations; and
  Recommended value: 24
IA-5 1 f  Authenticator Management
  Requirement: The information system, for password-based authentication: Allows the use of a temporary password for system logons with an immediate change to a permanent password.
IA-5 2 a  Authenticator Management
  Requirement: The information system, for PKI-based authentication: Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;
IA-5 2 b  Authenticator Management
  Requirement: The information system, for PKI-based authentication: Enforces authorized access to the corresponding private key;
IA-5 2 c  Authenticator Management
  Requirement: The information system, for PKI-based authentication: Maps the authenticated identity to the account of the individual or group; and
IA-5 2 d  Authenticator Management
  Requirement: The information system, for PKI-based authentication: Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
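The IA-5(1) rows above carry concrete EM-recommended values (sixteen characters, a special character in the first seven positions, no user ID, at least 4 changed characters, a one-day minimum and 90-day maximum lifetime, and no reuse for 24 generations). As an added example that is not part of the RMAIP, the following Python module turns those values into a password-change check; the reading of "simple pattern" as a run of three identical or sequential characters, the reading of "changed characters" as positions that differ plus any length difference, and PBKDF2 standing in for the system's own password hash are all assumptions.

```python
"""Password-change check built from the EM-recommended IA-5(1) values."""
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 16            # IA-5(1)(a): at least sixteen (nonblank) characters
SPECIAL_WINDOW = 7         # IA-5(1)(a): a special character within the first seven positions
MIN_CHANGED_CHARS = 4      # IA-5(1)(b): at least 4 characters changed
MIN_LIFETIME = timedelta(days=1)    # IA-5(1)(d): minimum lifetime one day
MAX_LIFETIME = timedelta(days=90)   # IA-5(1)(d): maximum lifetime 90 days
REUSE_GENERATIONS = 24     # IA-5(1)(e): no reuse for 24 generations
SPECIAL_CHARS = set(string.punctuation)


def _has_simple_pattern(pw: str, run: int = 3) -> bool:
    """Assumption: a 'simple pattern' is a run of `run` identical characters
    or `run` consecutive ascending/descending letters or digits (abc, 321)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run].lower()
        if len(set(chunk)) == 1:
            return True
        if all(c.isalnum() for c in chunk):
            steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def changed_characters(old: str, new: str) -> int:
    """Assumption: 'changed characters' = positions that differ when the two
    passwords are aligned from the left, plus any difference in length."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def hash_password(pw: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for the system's slow, salted hash (IA-5(1)(c)
    # requires only encrypted representations of passwords to be stored).
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 10_000)


@dataclass
class PasswordHistory:
    """Salted digests of previous passwords, newest first, capped at 24 generations."""
    entries: list = field(default_factory=list)   # (salt, digest) tuples

    def was_used(self, pw: str) -> bool:
        return any(hash_password(pw, salt) == digest
                   for salt, digest in self.entries[:REUSE_GENERATIONS])

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, hash_password(pw, salt)))
        del self.entries[REUSE_GENERATIONS:]


def check_password(user_id: str, old: str, new: str, history: PasswordHistory) -> list:
    """Return the IA-5(1) rules the new password violates; an empty list means it is acceptable.
    `old` is the current password the user supplies at change time."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if sum(1 for c in new if not c.isspace()) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} nonblank characters")
    if not (any(c.isalpha() for c in new) and any(c.isdigit() for c in new)):
        problems.append("must combine letters and numbers")
    if not any(c in SPECIAL_CHARS for c in new[:SPECIAL_WINDOW]):
        problems.append(f"no special character in the first {SPECIAL_WINDOW} positions")
    if user_id.lower() in new.lower():
        problems.append("contains the user ID")
    if _has_simple_pattern(new):
        problems.append("contains a simple pattern of letters or numbers")
    if changed_characters(old, new) < MIN_CHANGED_CHARS:
        problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed")
    if history.was_used(new):
        problems.append(f"reused within the last {REUSE_GENERATIONS} generations")
    return problems


def lifetime_status(last_changed: datetime, now: datetime) -> str:
    """IA-5(1)(d): 'too-soon' inside the one-day minimum, 'expired' past 90 days, else 'ok'."""
    age = now - last_changed
    if age < MIN_LIFETIME:
        return "too-soon"
    if age > MAX_LIFETIME:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: user "jdoe" rotates a compliant password to another compliant one.
    history = PasswordHistory()
    history.record("Old#pass9Word!Alpha2")
    print(check_password("jdoe", "Old#pass9Word!Alpha2", "New$9wordVerdict!Tau", history))
    print(check_password("jdoe", "Old#pass9Word!Alpha2", "jdoe$9wordVerdict!Tau", history))
```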
IA-5 3  Authenticator Management
  Requirement: The organization requires that the registration process to receive [Assignment: organization defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted third party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
  Recommended value: Two-factor authenticators and/or encryption keys
IA-5 11
  Requirement: The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements].
IA-6  Authenticator Feedback
  Requirement: The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-7  Cryptographic Module Authentication
  Requirement: The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-8  Identification and Authentication (Non-Organizational Users)
  Requirement: The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
  EM guidance: Non-organizational users include all information system users other than organizational users explicitly covered by IA-2.
IA-8 1  Identification and Authentication (Non-Organizational Users)
  Requirement: The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
IA-8 2  Identification and Authentication (Non-Organizational Users)
  Requirement: The information system accepts only FICAM-approved third-party credentials.
IA-8 3  Identification and Authentication (Non-Organizational Users)
  Requirement: The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials.
IA-8 4  Identification and Authentication (Non-Organizational Users)
  Requirement: The information system conforms to FICAM-issued profiles.
IR-1 0 a 1  Incident Response Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
  Recommended value: Security Staff and Administrative Staff
IR-1 0 a 2  Incident Response Policy and Procedures
  Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and
  Recommended value: Security Staff and Administrative Staff
IR-1 0 b 1  Incident Response Policy and Procedures
  Requirement: The organization: Reviews and updates the current: Incident response policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change
IR-1 0 b 2  Incident Response Policy and Procedures
  Requirement: The organization: Reviews and updates the current: Incident response procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change
IR-2 0 a  Incident Response Training
  Requirement: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility;
  Recommended value: Six weeks
  EM guidance: Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.
IR-2 0 b  Incident Response Training
  Requirement: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: When required by information system changes; and
IR-2 0 c  Incident Response Training
  Requirement: The organization provides incident response training to information system users consistent with assigned roles and responsibilities: [Assignment: organization-defined frequency] thereafter.
  Recommended value: Annually
IR-3 0  Incident Response Testing and Exercises
  Requirement: The organization tests the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results.
  Recommended value: The site test exercises incident response scenarios at least annually; this will include detection, analysis, containment, eradication and recovery
IR-3 2  Incident Response Testing and Exercises
  Requirement: The organization coordinates incident response testing with organizational elements responsible for related plans.
IR-4 0 a  Incident Handling
  Requirement: The organization: Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
IR-4 0 b  Incident Handling
  Requirement: The organization: Coordinates incident handling activities with contingency planning activities; and
IR-4 0 c  Incident Handling
  Requirement: The organization: Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
IR-4 1  Incident Handling
  Requirement: The organization employs automated mechanisms to support the incident handling process.
IR-5 0  Incident Monitoring
  Requirement: The organization tracks and documents information system security incidents.
IR-6 0 a  Incident Reporting
  Requirement: The organization: Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and
  Recommended value: Immediately upon detection if the incident is thought to involve PII, or two hours for moderate categorized systems for all other types of incidents
  EM guidance: EM requires that the EM CSPM and the EM-1 be notified when PII of 100 or more is affected or in the case of a release of classified information into the public domain.
IR-6 0 b  Incident Reporting
  Requirement: The organization: Reports security incident information to [Assignment: organization-defined authorities].
  Recommended value: JC3
IR-6 1  Incident Reporting
  Requirement: The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-7 0  Incident Response Assistance
  Requirement: The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-7 1  Incident Response Assistance
  Requirement: The organization employs automated mechanisms to increase the availability of incident response related information and support.
IR-8 0 a 1  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability;
  EM guidance: It is important that organizations have a formal, focused, and coordinated approach to responding to incidents. The organization's mission, strategies, and goals for incident response help determine the structure of its incident response capability.
IR-8 0 a 2  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Describes the structure and organization of the incident response capability;
IR-8 0 a 3  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Provides a high-level approach for how the incident response capability fits into the overall organization;
IR-8 0 a 4  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;
IR-8 0 a 5  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Defines reportable incidents;
IR-8 0 a 6  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Provides metrics for measuring the incident response capability within the organization;
IR-8 0 a 7  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
IR-8 0 a 8  Incident Response Plan
  Requirement: The organization: Develops an incident response plan that: Is reviewed and approved by [Assignment: organization-defined personnel or roles];
  Recommended value: Incident response team
IR-8 0 b  Incident Response Plan
  Requirement: The organization: Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements];
IR-8 0 c  Incident Response Plan
  Requirement: The organization: Reviews the incident response plan [Assignment: organization-defined frequency];
  Recommended value: Annually
IR-8 0 d  Incident Response Plan
  Requirement: The organization: Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;
IR-8 0 e  Incident Response Plan
  Requirement: The organization: Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and
IR-8 0 f  Incident Response Plan
  Requirement: The organization: Protects the incident response plan from unauthorized disclosure and modification.
MA-1 a -  Maintenance Policy and Procedures
  Requirement: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff
MA-1 a -  Maintenance Policy and Procedures
  Requirement: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and
  Recommended value: Security Staff and Administrative Staff
MA-1 b -  Maintenance Policy and Procedures
  Requirement: The organization: Reviews and updates the current: System maintenance policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change
MA-1 b -  Maintenance Policy and Procedures
  Requirement: The organization: Reviews and updates the current: System maintenance procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change
MA-2 a -  Controlled Maintenance
  Requirement: The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;
MA-2 b -  Controlled Maintenance
  Requirement: The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;
MA-2 c -  Controlled Maintenance
  Requirement: The organization requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
MA-2 d -  Controlled Maintenance
  Requirement: The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and
MA-2 e -  Controlled Maintenance
  Requirement: The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
MA-2 f -  Controlled Maintenance
  Requirement: The organization includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records.
MA-3 -  Maintenance Tools
  Requirement: The organization approves, controls, and monitors information system maintenance tools.
  EM guidance: The intent of this control is to address the security-related issues arising from the hardware and software brought into the information system specifically for diagnostic and repair actions (e.g., a hardware or software packet sniffer that is introduced for the purpose of a particular maintenance activity).
MA-3 1 -  Maintenance Tools
  Requirement: The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications.
MA-3 2 -  Maintenance Tools
  Requirement: The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
MA-4 a -  Non-Local Maintenance
  Requirement: The organization approves and monitors non-local maintenance and diagnostic activities;
  EM guidance: Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network.
MA-4 b -  Non-Local Maintenance
  Requirement: The organization allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
MA-4 c -  Non-Local Maintenance
  Requirement: The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
MA-4 d -  Non-Local Maintenance
  Requirement: The organization maintains records for non-local maintenance and diagnostic activities; and
MA-4 e -  Non-Local Maintenance
  Requirement: The organization terminates session and network connections when non-local maintenance is completed.
MA-4 2 - Non-Local Maintenance
Requirement: The organization documents in the security plan for the information system the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections.

MA-5 a - Maintenance Personnel
Requirement: The organization establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;

MA-5 b - Maintenance Personnel
Requirement: The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and

MA-5 c - Maintenance Personnel
Requirement: The organization designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

MA-6 - Timely Maintenance
Requirement: The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure.
EM Supplemental Guidance: The organization specifies those information system components that, when not operational, result in increased risk to organizations, individuals, or the Nation because the security functionality intended by that component is not being provided. Security-critical components include, for example, firewalls, guards, gateways, intrusion detection systems, audit repositories, authentication servers, and intrusion prevention systems.

MP-1 a 1 - Media Protection Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff
MP-1 a 2 - Media Protection Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the media protection policy and associated media protection controls; and
Recommended value: Security Staff and Administrative Staff

MP-1 b 1 - Media Protection Policy and Procedures
Requirement: The organization reviews and updates the current media protection policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

MP-1 b 2 - Media Protection Policy and Procedures
Requirement: The organization reviews and updates the current media protection procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change

MP-2 - Media Access
Requirement: The organization restricts access to [Assignment: organization-defined types of digital and/or non-digital media] to [Assignment: organization-defined personnel or roles].
Recommended values: Controlled unclassified information (e.g., Official Use Only, Personally Identifiable Information, Unclassified Controlled Nuclear Information (UCNI), Sensitive Security Information); those individuals with a defined business requirement; group or other assigned access restrictions which are clearly documented.
EM Supplemental Guidance: Information system media includes both digital media (e.g., diskettes, magnetic tapes, external/removable hard drives, flash/thumb drives, compact disks, digital video disks) and non-digital media (e.g., paper, microfilm). This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices).

MP-3 a - Media Marking
Requirement: The organization marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and
MP-3 b - Media Marking
Requirement: The organization exempts [Assignment: organization-defined types of information system media] from marking as long as the media remain within [Assignment: organization-defined controlled areas].
EM Supplemental Guidance: This applies to media that would remain in an operational component that is installed in a limited access area where the physical control of the assigned device is assigned and tracked to an individual in the DOE physically controlled space.

MP-4 a - Media Storage
Requirement: The organization physically controls and securely stores [Assignment: organization-defined types of digital and/or non-digital media] within [Assignment: organization-defined controlled areas]; and
Recommended value: All digital and non-digital controlled unclassified information (e.g., backup tapes, external/removable hard drives, flash/thumb drives, compact discs, DVDs)

MP-4 b - Media Storage
Requirement: The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-5 a - Media Transport
Requirement: The organization protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];
Recommended value: All digital and non-digital controlled unclassified information (e.g., backup tapes, external/removable hard drives, flash/thumb drives, compact discs, DVDs), using FIPS 140-2
EM Supplemental Guidance: This control also applies to mobile computing and communications devices with information storage capability (e.g., notebook/laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices) that are transported outside of controlled areas.

MP-5 b - Media Transport
Requirement: The organization maintains accountability for information system media during transport outside of controlled areas;

MP-5 c - Media Transport
Requirement: The organization documents activities associated with the transport of information system media; and

MP-5 d - Media Transport
Requirement: The organization restricts the activities associated with the transport of information system media to authorized personnel.

MP-5 4 - Media Transport
Requirement: The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
MP-6 a - Media Sanitization
Requirement: The organization sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using [Assignment: organization-defined sanitization techniques and procedures] in accordance with applicable federal and organizational standards and policies; and
EM Supplemental Guidance: This control applies to all media subject to disposal or reuse, whether or not considered removable.

MP-6 b - Media Sanitization
Requirement: The organization employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
EM Supplemental Guidance: As an example, all media used in NSS would be destroyed via a shredder and/or degaussing.

MP-7 - Media Use
Requirement: The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].

MP-7 1 - Media Use
Requirement: The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

PE-1 0 a 1 - Physical and Environmental Protection Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

PE-1 0 a 2 - Physical and Environmental Protection Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and
Recommended value: Security Staff and Administrative Staff
PE-1 0 b 1 - Physical and Environmental Protection Policy and Procedures
Requirement: The organization reviews and updates the current physical and environmental protection policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

PE-1 0 b 2 - Physical and Environmental Protection Policy and Procedures
Requirement: The organization reviews and updates the current physical and environmental protection procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change

PE-2 0 a - Physical Access Authorizations
Requirement: The organization develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;

PE-2 0 b - Physical Access Authorizations
Requirement: The organization issues authorization credentials for facility access;

PE-2 0 c - Physical Access Authorizations
Requirement: The organization reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and
Recommended value: Every 6 months

PE-2 0 d - Physical Access Authorizations
Requirement: The organization removes individuals from the facility access list when access is no longer required.

PE-3 0 a 1 - Physical Access Control
Requirement: The organization enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by verifying individual access authorizations before granting access to the facility; and

PE-3 0 a 2 - Physical Access Control
Requirement: The organization enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];

PE-3 0 b - Physical Access Control
Requirement: The organization maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
PE-3 0 c - Physical Access Control
Requirement: The organization provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;

PE-3 0 d - Physical Access Control
Requirement: The organization escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];

PE-3 0 e - Physical Access Control
Requirement: The organization secures keys, combinations, and other physical access devices;

PE-3 0 f - Physical Access Control
Requirement: The organization inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
Recommended value: Every 6 months

PE-3 0 g - Physical Access Control
Requirement: The organization changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Recommended value: Every 6 months for combinations. Key locks should be changed when an individual leaves.

PE-4 0 - Access Control for Transmission Medium
Requirement: The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

PE-5 0 - Access Control for Output Devices
Requirement: The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.

PE-6 0 a - Monitoring Physical Access
Requirement: The organization monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;

PE-6 0 b - Monitoring Physical Access
Requirement: The organization reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and
Recommended value: Every 6 months
PE-6 0 c - Monitoring Physical Access
Requirement: The organization coordinates results of reviews and investigations with the organizational incident response capability.

PE-6 1 - Monitoring Physical Access
Requirement: The organization monitors physical intrusion alarms and surveillance equipment.

PE-8 0 a - Visitor Access Records
Requirement: The organization maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and

PE-8 0 b - Visitor Access Records
Requirement: The organization reviews visitor access records [Assignment: organization-defined frequency].
Recommended value: Every 6 months

PE-9 0 - Power Equipment and Power Cabling
Requirement: The organization protects power equipment and power cabling for the information system from damage and destruction.

PE-10 0 a - Emergency Shutoff
Requirement: The organization provides the capability of shutting off power to the information system or individual system components in emergency situations;

PE-10 0 b - Emergency Shutoff
Requirement: The organization places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and
Recommended value: A single room or environment within datacenters and other areas with a significant amount of IT resources

PE-10 0 c - Emergency Shutoff
Requirement: The organization protects emergency power shutoff capability from unauthorized activation.

PE-11 0 - Emergency Power
Requirement: The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

PE-12 0 - Emergency Lighting
Requirement: The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
EM Supplemental Guidance: For small equipment rooms, several home-style emergency lights available at most hardware stores are sufficient for emergency lighting. In large data centers, these would not be suitable.
PE-13 0 - Fire Protection
Requirement: The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.

PE-13 3 - Fire Protection
Requirement: The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.

PE-14 0 a - Temperature and Humidity Controls
Requirement: The organization maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
Recommended value: 68-77 degrees Fahrenheit, 45-55% humidity

PE-14 0 b - Temperature and Humidity Controls
Requirement: The organization monitors temperature and humidity levels [Assignment: organization-defined frequency].
Recommended value: Daily

PE-15 0 - Water Damage Protection
Requirement: The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.

PE-16 0 - Delivery and Removal
Requirement: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
Recommended value: All telecommunications or IT related devices (can be over a certain $ threshold)

PE-17 0 a - Alternate Work Site
Requirement: The organization employs [Assignment: organization-defined security controls] at alternate work sites;
Recommended value: All management, operational, and technical information system security controls

PE-17 0 b - Alternate Work Site
Requirement: The organization assesses, as feasible, the effectiveness of security controls at alternate work sites; and

PE-17 0 c - Alternate Work Site
Requirement: The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PL-1 0 a 1 - Security Planning Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

PL-1 0 a 2 - Security Planning Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the security planning policy and associated security planning controls; and
Recommended value: Security Staff and Administrative Staff

PL-1 0 b 1 - Security Planning Policy and Procedures
Requirement: The organization reviews and updates the current security planning policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

PL-1 0 b 2 - Security Planning Policy and Procedures
Requirement: The organization reviews and updates the current security planning procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change

PL-2 0 a 1 - System Security Plan
Requirement: The organization develops a security plan for the information system that: is consistent with the organization's enterprise architecture;
EM Supplemental Guidance: The EM eGovRPM repository must be used to create and maintain a security plan and to store any security related documentation.

PL-2 0 a 2 - System Security Plan
Requirement: The organization develops a security plan for the information system that: explicitly defines the authorization boundary for the system;

PL-2 0 a 3 - System Security Plan
Requirement: The organization develops a security plan for the information system that: describes the operational context of the information system in terms of missions and business processes;

PL-2 0 a 4 - System Security Plan
Requirement: The organization develops a security plan for the information system that: provides the security categorization of the information system including supporting rationale;
PL-2 0 a 5 - System Security Plan
Requirement: The organization develops a security plan for the information system that: describes the operational environment for the information system and relationships with or connections to other information systems;

PL-2 0 a 6 - System Security Plan
Requirement: The organization develops a security plan for the information system that: provides an overview of the security requirements for the system;

PL-2 0 a 7 - System Security Plan
Requirement: The organization develops a security plan for the information system that: identifies any relevant overlays, if applicable;

PL-2 0 a 8 - System Security Plan
Requirement: The organization develops a security plan for the information system that: describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and

PL-2 0 a 9 - System Security Plan
Requirement: The organization develops a security plan for the information system that: is reviewed and approved by the authorizing official or designated representative prior to plan implementation;

PL-2 0 b - System Security Plan
Requirement: The organization distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];
Recommended value: Security Staff, Administrative Staff, the AODR & the AO

PL-2 0 c - System Security Plan
Requirement: The organization reviews the security plan for the information system [Assignment: organization-defined frequency];
Recommended value: Annually

PL-2 0 d - System Security Plan
Requirement: The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and

PL-2 0 e - System Security Plan
Requirement: The organization protects the security plan from unauthorized disclosure and modification.
PL-2 3 - System Security Plan
Requirement: The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities.

PL-4 0 a - Rules of Behavior
Requirement: The organization establishes and makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage;

PL-4 0 b - Rules of Behavior
Requirement: The organization receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;

PL-4 0 c - Rules of Behavior
Requirement: The organization reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and

PL-4 0 d - Rules of Behavior
Requirement: The organization requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated.

PL-4 1 - Rules of Behavior
Requirement: The organization includes in the rules of behavior explicit restrictions on the use of social media/networking sites and posting organizational information on public websites.

PL-8 0 a 1 - Information Security Architecture
Requirement: The organization develops an information security architecture for the information system that: describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
PL-8 0 a 2 - Information Security Architecture
Requirement: The organization develops an information security architecture for the information system that: describes how the information security architecture is integrated into and supports the enterprise architecture; and

PL-8 0 a 3 - Information Security Architecture
Requirement: The organization develops an information security architecture for the information system that: describes any information security assumptions about, and dependencies on, external services;

PL-8 0 b - Information Security Architecture
Requirement: The organization reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and

PL-8 0 c - Information Security Architecture
Requirement: The organization ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

PS-1 a 1 - Personnel Security Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: a personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

PS-1 a 2 - Personnel Security Policy and Procedures
Requirement: The organization develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and
Recommended value: Security Staff and Administrative Staff

PS-1 b 1 - Personnel Security Policy and Procedures
Requirement: The organization reviews and updates the current personnel security policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

PS-1 b 2 - Personnel Security Policy and Procedures
Requirement: The organization reviews and updates the current personnel security procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change
PS-2 a - Position Categorization
Requirement: The organization assigns a risk designation to all positions;

PS-2 b - Position Categorization
Requirement: The organization establishes screening criteria for individuals filling those positions; and

PS-2 c - Position Categorization
Requirement: The organization reviews and revises position risk designations [Assignment: organization-defined frequency].
Recommended value: Annually or when new positions are developed

PS-3 a - Personnel Screening
Requirement: The organization screens individuals prior to authorizing access to the information system; and

PS-3 b - Personnel Screening
Requirement: The organization rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].
Recommended value: The risk categorization, but no less than every 60 months or any time the manager feels the individual's risk factors have changed, in accordance with HSPD 12 and HR

PS-4 a - Personnel Termination
Requirement: The organization, upon termination of individual employment: disables information system access within [Assignment: organization-defined time period];

PS-4 b - Personnel Termination
Requirement: The organization, upon termination of individual employment: terminates/revokes any authenticators/credentials associated with the individual;

PS-4 c - Personnel Termination
Requirement: The organization, upon termination of individual employment: conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];

PS-4 d - Personnel Termination
Requirement: The organization, upon termination of individual employment: retrieves all security-related organizational information system-related property;

PS-4 e - Personnel Termination
Requirement: The organization, upon termination of individual employment: retains access to organizational information and information systems formerly controlled by the terminated individual; and
PS-4 f - Personnel Termination
Requirement: The organization, upon termination of individual employment: notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

PS-5 a - Personnel Transfer
Requirement: The organization reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;

PS-5 b - Personnel Transfer
Requirement: The organization initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action];
Recommended value: A review to ensure all individual access is modified appropriate to the new position within 30 days of a transfer action

PS-5 c - Personnel Transfer
Requirement: The organization modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and

PS-5 d - Personnel Transfer
Requirement: The organization notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period].

PS-6 a - Access Agreements
Requirement: The organization develops and documents access agreements for organizational information systems;
EM Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements.

PS-6 b - Access Agreements
Requirement: The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
Recommended value: Annually

PS-6 c 1 - Access Agreements
Requirement: The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and
PS-6 c 2 - Access Agreements
Requirement: The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].

PS-7 a - Third-Party Personnel Security
Requirement: The organization establishes personnel security requirements including security roles and responsibilities for third-party providers.
EM Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management.

PS-7 b - Third-Party Personnel Security
Requirement: The organization requires third-party providers to comply with personnel security policies and procedures established by the organization.

PS-7 c - Third-Party Personnel Security
Requirement: The organization documents personnel security requirements;

PS-7 d - Third-Party Personnel Security
Requirement: The organization requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges, within [Assignment: organization-defined time period]; and

PS-7 e - Third-Party Personnel Security
Requirement: The organization monitors provider compliance.

PS-8 a - Personnel Sanctions
Requirement: The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures; and

PS-8 b - Personnel Sanctions
Requirement: The organization notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
RA-1 a - Risk Assessment Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

RA-1 a - Risk Assessment Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and
Recommended value: Security Staff and Administrative Staff

RA-1 b - Risk Assessment Policy and Procedures
Requirement: The organization: Reviews and updates the current: Risk assessment policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

RA-1 b - Risk Assessment Policy and Procedures
Requirement: The organization: Reviews and updates the current: Risk assessment procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change

RA-2 a - Security Categorization
Requirement: The organization: Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;

RA-2 b - Security Categorization
Requirement: The organization: Documents the security categorization results (including supporting rationale) in the security plan for the information system; and

RA-2 c - Security Categorization
Requirement: The organization: Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

RA-3 a - Risk Assessment
Requirement: The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;
RA-3 b - Risk Assessment
Requirement: The organization: Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]];
Recommended value: A risk assessment report or security assessment report

RA-3 c - Risk Assessment
Requirement: The organization: Reviews risk assessment results [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

RA-3 d - Risk Assessment
Requirement: The organization: Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and

RA-3 e - Risk Assessment
Requirement: The organization: Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.

RA-5 a - Vulnerability Scanning
Requirement: The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
Recommended value: Quarterly

RA-5 b 1 - Vulnerability Scanning
Requirement: The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations;

RA-5 b 2 - Vulnerability Scanning
Requirement: The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Formatting and making transparent checklists and test procedures; and
RA-5 b 3 - Vulnerability Scanning
Requirement: The organization: Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Measuring vulnerability impact;

RA-5 c - Vulnerability Scanning
Requirement: The organization: Analyzes vulnerability scan reports and results from security control assessments;

RA-5 d - Vulnerability Scanning
Requirement: The organization: Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
Recommended value: Within 60 days for high and 30 days for critical vulnerabilities

RA-5 e - Vulnerability Scanning
Requirement: The organization: Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

RA-5 1 - Vulnerability Scanning
Requirement: The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.

RA-5 2 - Vulnerability Scanning
Requirement: The organization updates the information system vulnerabilities scanned [Selection (one or more): [Assignment: organization-defined frequency]; prior to a new scan; when new vulnerabilities are identified and reported].

RA-5 5 - Vulnerability Scanning
Requirement: The information system implements privileged access authorization to [Assignment: organization-identified information system components] for selected [Assignment: organization-defined vulnerability scanning activities].
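As an added example that is not part of the EM plan, the following Python applies the RA-5 d recommended response times (30 days for critical, 60 days for high findings) to a constructed scan export and lists the findings that are past their deadline, and groups open findings by scanner check to surface the systemic weaknesses RA-5 e asks the organization to share. The export layout, its field names and the host and check identifiers are assumptions.

```python
"""Remediation-deadline and systemic-weakness check for scan findings (RA-5 d, RA-5 e).

Added example, not part of the EM plan. The CSV layout, field names and
identifiers below are assumptions; only the 30/60-day response times come
from the plan's recommended values.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# RA-5 d recommended organization-defined response times, in days from first
# detection. Other severities have no numeric deadline in the plan and are left
# to the organizational assessment of risk.
RESPONSE_DAYS = {"critical": 30, "high": 60}

# Constructed scan export (assumed layout); plugin_id is the scanner's check id.
SAMPLE_EXPORT = """host,plugin_id,severity,first_seen,status
db01,C-1001,critical,2014-02-01,open
web02,H-2002,high,2014-01-01,open
web03,H-2003,high,2014-02-01,open
app04,C-1004,critical,2014-01-01,fixed
app05,M-3005,medium,2013-10-01,open
web06,H-2002,high,2014-02-10,open
"""


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    severity: str      # critical, high, medium, low (lower-cased on parse)
    first_seen: date   # date the scanner first reported the finding
    status: str        # open or fixed


def parse_findings(text):
    """Parse the CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(text))
    return [Finding(r["host"], r["plugin_id"], r["severity"].lower(),
                    date.fromisoformat(r["first_seen"]), r["status"].lower())
            for r in rows]


def deadline(finding):
    """RA-5 d remediation deadline, or None when the plan sets no numeric time."""
    days = RESPONSE_DAYS.get(finding.severity)
    return None if days is None else finding.first_seen + timedelta(days=days)


def overdue_findings(findings, as_of):
    """Open findings past their deadline as (finding, days_late), most overdue first."""
    late = []
    for f in findings:
        if f.status != "open":
            continue
        due = deadline(f)
        if due is not None and as_of > due:
            late.append((f, (as_of - due).days))
    late.sort(key=lambda item: item[1], reverse=True)
    return late


def systemic_weaknesses(findings, min_hosts=2):
    """Check ids open on at least min_hosts hosts: candidates for RA-5 e sharing."""
    hosts_by_plugin = {}
    for f in findings:
        if f.status == "open":
            hosts_by_plugin.setdefault(f.plugin_id, set()).add(f.host)
    return {pid: sorted(hosts) for pid, hosts in hosts_by_plugin.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_EXPORT)
    for f, days_late in overdue_findings(findings, date(2014, 3, 15)):
        print("%s %s %s: %d days past the RA-5 d deadline" % (f.host, f.plugin_id, f.severity, days_late))
    print("systemic:", systemic_weaknesses(findings))
```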
SA-1 0 a 1 - System Services Acquisition Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

SA-1 0 a 2 - System Services Acquisition Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and
Recommended value: Security Staff and Administrative Staff

SA-1 0 b 1 - System Services Acquisition Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and services acquisition policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

SA-1 0 b 2 - System Services Acquisition Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and services acquisition procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change

SA-2 0 a - Allocation of Resources
Requirement: The organization: Determines information security requirements for the information system or information system service in mission/business process planning;

SA-2 0 b - Allocation of Resources
Requirement: The organization: Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and

SA-2 0 c - Allocation of Resources
Requirement: The organization: Establishes a discrete line item for information security in organizational programming and budgeting documentation.

SA-3 0 a - System Development Life Cycle
Requirement: The organization: Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;
SA-3 0 b - System Development Life Cycle
Requirement: The organization: Defines and documents information security roles and responsibilities throughout the system development life cycle;

SA-3 0 c - System Development Life Cycle
Requirement: The organization: Identifies individuals having information security roles and responsibilities; and

SA-3 0 d - System Development Life Cycle
Requirement: The organization: Integrates the organizational information security risk management process into system development life cycle activities.

SA-4 0 a - Acquisition Process
Requirement: The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: Security functional requirements;

SA-4 0 b - Acquisition Process
Requirement: Security strength requirements;

SA-4 0 c - Acquisition Process
Requirement: Security assurance requirements;

SA-4 0 d - Acquisition Process
Requirement: Security-related documentation requirements;

SA-4 0 e - Acquisition Process
Requirement: Requirements for protecting security-related documentation;

SA-4 0 f - Acquisition Process
Requirement: Description of the information system development environment and environment in which the system is intended to operate; and

SA-4 0 g - Acquisition Process
Requirement: Acceptance criteria.

SA-4 1 - Acquisition Process
Requirement: The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed.
SA-4 2 - Acquisition Process
Requirement: The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; [Assignment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].

SA-4 9 - Acquisition Process
Requirement: The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle the functions, ports, protocols, and services intended for organizational use.

SA-4 10 - Acquisition Process
Requirement: The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems.

SA-5 0 a 1 - Information System Documentation
Requirement: The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service;

SA-5 0 a 2 - Information System Documentation
Requirement: The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Effective use and maintenance of security functions/mechanisms; and
SA-5 0 a 3 - Information System Documentation
Requirement: The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;

SA-5 0 b 1 - Information System Documentation
Requirement: The organization: Obtains user documentation for the information system, system component, or information system service that describes: User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;

SA-5 0 b 2 - Information System Documentation
Requirement: The organization: Obtains user documentation for the information system, system component, or information system service that describes: Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and

SA-5 0 b 3 - Information System Documentation
Requirement: The organization: Obtains user documentation for the information system, system component, or information system service that describes: User responsibilities in maintaining the security of the system, component, or service;

SA-5 0 c - Information System Documentation
Requirement: The organization: Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes [Assignment: organization-defined actions] in response;

SA-5 0 d - Information System Documentation
Requirement: The organization: Protects documentation as required, in accordance with the risk management strategy; and

SA-5 0 e - Information System Documentation
Requirement: The organization: Distributes documentation to [Assignment: organization-defined personnel or roles].
SA-8 0 - Security Engineering Principles
Requirement: The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

SA-9 0 a - External Information System Services
Requirement: The organization: Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
EM Supplemental Guidance: An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system. The responsibility for adequately mitigating risks arising from the use of external information system services remains with the authorizing official.

SA-9 0 b - External Information System Services
Requirement: The organization: Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and

SA-9 0 c - External Information System Services
Requirement: The organization: Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

SA-9 2 - External Information System Services
Requirement: The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services.

SA-10 0 a - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
SA-10 0 b - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];

SA-10 0 c - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Implement only organization-approved changes to the system, component, or service;

SA-10 0 d - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Document approved changes to the system, component, or service and the potential security impacts of such changes; and

SA-10 0 e - Developer Configuration Management
Requirement: The organization requires the developer of the information system, system component, or information system service to: Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].

SA-11 0 a - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan;

SA-11 0 b - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];
SA-11 0 c - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;

SA-11 0 d - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Implement a verifiable flaw remediation process; and

SA-11 0 e - Developer Security Testing and Evaluation
Requirement: The organization requires the developer of the information system, system component, or information system service to: Correct flaws identified during security testing/evaluation.

SC-1 a 1 - System Communications Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Recommended value: Security Staff and Administrative Staff

SC-1 a 2 - System Communications Policy and Procedures
Requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
Recommended value: Security Staff and Administrative Staff

SC-1 b 1 - System Communications Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and communications protection policy [Assignment: organization-defined frequency]; and
Recommended value: Annually or any time there is a major change

SC-1 b 2 - System Communications Policy and Procedures
Requirement: The organization: Reviews and updates the current: System and communications protection procedures [Assignment: organization-defined frequency].
Recommended value: Annually or any time there is a major change
SC-2 - Application Partitioning
Requirement: The information system separates user functionality (including user interface services) from information system management functionality.
EM Supplemental Guidance: The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

SC-4 - Information in Shared Resources
Requirement: The information system prevents unauthorized and unintended information transfer via shared system resources.
EM Supplemental Guidance: The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.

SC-5 - Denial of Service Protection
Requirement: The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards].
Recommended value: ICMP flood, Teardrop attack, Peer-to-peer attacks, Permanent denial-of-service attacks, Application level floods, Nuke, Distributed attack, Reflected attack, and Unintentional attack
EM Supplemental Guidance: A variety of technologies exist to limit, or in some cases eliminate, the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization's internal network from being directly affected by denial of service attacks.
SC-7 a - Boundary Protection
Requirement: The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
EM Supplemental Guidance: Restricting external web traffic only to organizational web servers within managed interfaces and prohibiting external traffic that appears to be spoofing an internal address as the source are examples of restricting and prohibiting communications. Managed interfaces employing boundary protection devices include, for example, proxies, gateways, routers, firewalls, guards, or encrypted tunnels arranged in an effective security architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ). The EM enterprise full packet capture satisfies part of this requirement.

SC-7 b - Boundary Protection
Requirement: The information system: Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and

SC-7 c - Boundary Protection
Requirement: The information system: Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7 3 - Boundary Protection
Requirement: The organization limits the number of external network connections to the information system.

SC-7 4 a - Boundary Protection
Requirement: The organization: Implements a managed interface for each external telecommunication service;

SC-7 4 b - Boundary Protection
Requirement: The organization: Establishes a traffic flow policy for each managed interface;

SC-7 4 c - Boundary Protection
Requirement: The organization: Protects the confidentiality and integrity of the information being transmitted across each interface;
SC-7 4 d - Boundary Protection
Requirement: The organization: Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;

SC-7 4 e - Boundary Protection
Requirement: The organization: Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Recommended value: Annually

SC-7 5 - Boundary Protection
Requirement: The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
SC-7 7 - Boundary Protection
Requirement: The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
EM Supplemental Guidance: This control enhancement is implemented within the remote device (e.g., notebook/laptop computer) via configuration settings that are not configurable by the user of that device. An example of a non-remote communications path from a remote device is a virtual private network. When a non-remote connection is established using a virtual private network, the configuration settings prevent split-tunneling.

SC-8 - Transmission Integrity and Confidentiality
Requirement: The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
EM Supplemental Guidance: This control applies to communications across internal and external networks.

SC-8 1 - Transmission Integrity and Confidentiality
Requirement: The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
SC-10 - Network Disconnect
Requirement: The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
Recommended value: 30 minutes of inactivity
EM Supplemental Guidance: This control applies to both internal and external networks. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.

SC-12 - Cryptographic Key Establishment and Management
Requirement: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

SC-13 - Use of Cryptography
Requirement: The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-15 a - Collaborative Computing Devices
Requirement: The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
Recommended value: None
EM Supplemental Guidance: Collaborative computing devices include, for example, networked VTCs, white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.

SC-15 b - Collaborative Computing Devices
Requirement: The information system: Provides an explicit indication of use to users physically present at the devices.

SC-17 - Public Key Infrastructure Certificates
Requirement: The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

SC-18 a - Mobile Code
Requirement: The organization: Defines acceptable and unacceptable mobile code and mobile code technologies;
SC-18 b Mobile Code
  NIST requirement: The organization: Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and

SC-18 c Mobile Code
  NIST requirement: The organization: Authorizes, monitors, and controls the use of mobile code within the information system.

SC-19 a Voice Over Internet Protocol
  NIST requirement: The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

SC-19 b Voice Over Internet Protocol
  NIST requirement: The organization: Authorizes, monitors, and controls the use of VoIP within the information system.

SC-20 a Secure Name/Address Resolution Service (Authoritative Source)
  NIST requirement: The information system: Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
  EM supplemental guidance: This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts.

SC-20 b Secure Name/Address Resolution Service (Authoritative Source)
  NIST requirement: The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
  NIST requirement: The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22 Architecture and Provisioning for Name/Address Resolution Service
  NIST requirement: The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
  EM supplemental guidance: A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary.

SC-23 Session Authenticity
  NIST requirement: The information system provides mechanisms to protect the authenticity of communications sessions.
  EM supplemental guidance: This control focuses on communications protection at the session, versus packet, level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted.

SC-28 Protection of Information at Rest
  NIST requirement: The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
  EM supplemental guidance: This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information.

SC-39 Process Isolation
  NIST requirement: The information system maintains a separate execution domain for each executing process.

SI-1 a.1 System and Information Integrity Policy and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  Recommended value: Security Staff and Administrative Staff

SI-1 a.2 System and Information Integrity Policy and Procedures
  NIST requirement: The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
  Recommended value: Security Staff and Administrative Staff

SI-1 b.1 System and Information Integrity Policy and Procedures
  NIST requirement: The organization: Reviews and updates the current: System and information integrity policy [Assignment: organization-defined frequency]; and
  Recommended value: Annually or any time there is a major change
SI-1 b.2 System and Information Integrity Policy and Procedures
  NIST requirement: The organization: Reviews and updates the current: System and information integrity procedures [Assignment: organization-defined frequency].
  Recommended value: Annually or any time there is a major change

SI-2 a Flaw Remediation
  NIST requirement: The organization: Identifies, reports, and corrects information system flaws;

SI-2 b Flaw Remediation
  NIST requirement: The organization: Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

SI-2 c Flaw Remediation
  NIST requirement: The organization: Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
  Recommended value: 5 days for critical updates and 10 days for high and moderate.
  EM supplemental guidance: Vulnerability scans should be run shortly after patching to ensure all patches were implemented successfully. All exceptions should be investigated.

SI-2 d Flaw Remediation
  NIST requirement: The organization: Incorporates flaw remediation into the organizational configuration management process.

SI-2(2) Flaw Remediation
  NIST requirement: The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.
  Recommended value: Weekly
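The SI-2 c windows and the SI-2(2) weekly state check, turned into the report a site would actually run, as an added example rather than any EM tooling. overdue() applies the recommended windows (5 days critical, 10 days high and moderate) to automated scan output and lists updates still missing after their deadline; still_missing() is the post-patch rescan the supplemental guidance asks for, comparing what the patch run claimed against what the scanner sees. The scan records, dates, host names and the tuple layout are constructed sample data and assumptions about the scanner's output; severities the EM values do not cover (here "low") get no deadline rather than an invented one.

```python
"""Flaw-remediation deadline tracking (SI-2 c, SI-2(2)), added example."""
from datetime import date, timedelta

REMEDIATION_WINDOW_DAYS = {"critical": 5, "high": 10, "moderate": 10}  # EM recommended values
TODAY = date(2014, 2, 12)  # fixed so the example is reproducible

# Constructed weekly scan output: (host, update id, severity, vendor release date, installed?)
SAMPLE_SCAN = [
    ("web01", "KB-A", "critical", date(2014, 2, 3), True),
    ("web01", "KB-B", "critical", date(2014, 2, 3), False),
    ("db01", "KB-C", "high", date(2014, 1, 28), False),
    ("db01", "KB-D", "moderate", date(2014, 2, 7), False),
    ("fs01", "KB-E", "low", date(2014, 1, 1), False),
]

# Constructed rescan taken shortly after the patch run, and what that run reported installing
SAMPLE_RESCAN = [
    ("web01", "KB-B", "critical", date(2014, 2, 3), True),
    ("db01", "KB-C", "high", date(2014, 1, 28), False),
]
EXPECTED_INSTALLED = {("web01", "KB-B"), ("db01", "KB-C")}


def deadline(severity, released):
    """Latest acceptable install date, or None when EM defines no window for the severity."""
    window = REMEDIATION_WINDOW_DAYS.get(severity)
    return None if window is None else released + timedelta(days=window)


def overdue(scan, today=TODAY):
    """(host, update, severity, days overdue) for every missing update past its deadline,
    worst first."""
    findings = []
    for host, upd, severity, released, installed in scan:
        if installed:
            continue
        due = deadline(severity, released)
        if due is not None and today > due:
            findings.append((host, upd, severity, (today - due).days))
    return sorted(findings, key=lambda f: -f[3])


def still_missing(expected_installed, rescan):
    """Updates the patch run claimed to install that the rescan still reports missing;
    each of these is an exception to investigate."""
    missing_after = {(h, u) for h, u, _, _, installed in rescan if not installed}
    return sorted(expected_installed & missing_after)


def weekly_report(scan=SAMPLE_SCAN, rescan=SAMPLE_RESCAN, today=TODAY):
    return {"overdue": overdue(scan, today),
            "failed_patches": still_missing(EXPECTED_INSTALLED, rescan)}


if __name__ == "__main__":
    print(weekly_report())
```

Note that the clock starts at the vendor release date, not at the date the site noticed the update, which is how the SI-2 c text reads.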
SI-3 a Malicious Code Protection
  NIST requirement: The organization: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
  EM supplemental guidance: The EM enterprise full packet capture is part of the EM sites' malicious code protection.

SI-3 b Malicious Code Protection
  NIST requirement: The organization: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;

SI-3 c.1 Malicious Code Protection
  NIST requirement: The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
  Recommended value: Daily
SI-3 c.2 Malicious Code Protection
  NIST requirement: The organization: Configures malicious code protection mechanisms to: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
  Recommended value: Block/quarantine malicious code, then send an alert to the administrators

SI-3 d Malicious Code Protection
  NIST requirement: The organization: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3(1) Malicious Code Protection
  NIST requirement: The organization centrally manages malicious code protection mechanisms.

SI-3(2) Malicious Code Protection
  NIST requirement: The information system automatically updates malicious code protection mechanisms.

SI-4 a.1 Information System Monitoring
  NIST requirement: The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
  Recommended value: Network monitoring and incident identification section of the incident response plan
  EM supplemental guidance: Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system (e.g., within internal organizational networks and system components).

SI-4 a.2 Information System Monitoring
  NIST requirement: The organization: Monitors the information system to detect: Unauthorized local, network, and remote connections;

SI-4 b Information System Monitoring
  NIST requirement: The organization: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];

SI-4 c Information System Monitoring
  NIST requirement: The organization: Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
SI-4 d Information System Monitoring
  NIST requirement: The organization: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;

SI-4 e Information System Monitoring
  NIST requirement: The organization: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;

SI-4 f Information System Monitoring
  NIST requirement: The organization: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and

SI-4 g Information System Monitoring
  NIST requirement: The organization: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

SI-4(2) Information System Monitoring
  NIST requirement: The organization employs automated tools to support near real-time analysis of events.

SI-4(4) Information System Monitoring
  NIST requirement: The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
  EM supplemental guidance: Unusual/unauthorized activities or conditions include, for example, internal traffic that indicates the presence of malicious code within an information system or propagating among system components, the unauthorized export of information, or beaconing to an external information system. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
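Two of the SI-4(4) conditions named above, beaconing to an external system and unauthorized export, as detection logic over outbound connection records. This is an added example, not the EM sites' sensor logic: the key=value log format, the field names, the internal/external address roles and the thresholds are all assumptions, and the log lines are constructed. Beaconing is flagged when one internal host contacts one external address repeatedly at nearly constant intervals (low jitter relative to the mean gap); bulk export when the bytes sent to a single external address exceed a size threshold.

```python
"""Beacon and bulk-export detection over outbound connection records (SI-4(4)),
added example with constructed log lines."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed record format: "<iso timestamp> src=<ip> dst=<ip> dport=<n> bytes_out=<n>"
LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)"
)

# Constructed sample: 10.1.2.3 checks in every 5 minutes (+/- 1 s); 10.1.2.9 browses
# irregularly; 10.1.2.5 pushes 700 MiB out over SSH late at night.
SAMPLE_LOG = """\
2014-02-10T08:00:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes_out=410
2014-02-10T08:05:01 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes_out=402
2014-02-10T08:10:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes_out=415
2014-02-10T08:14:59 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes_out=408
2014-02-10T08:20:00 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes_out=411
2014-02-10T08:25:01 src=10.1.2.3 dst=203.0.113.7 dport=443 bytes_out=405
2014-02-10T08:01:12 src=10.1.2.9 dst=198.51.100.20 dport=443 bytes_out=2200
2014-02-10T08:07:45 src=10.1.2.9 dst=198.51.100.20 dport=443 bytes_out=900
2014-02-10T08:33:03 src=10.1.2.9 dst=198.51.100.20 dport=443 bytes_out=3100
2014-02-10T09:02:10 src=10.1.2.9 dst=198.51.100.20 dport=443 bytes_out=1500
2014-02-10T09:40:51 src=10.1.2.9 dst=198.51.100.20 dport=443 bytes_out=800
2014-02-10T10:05:00 src=10.1.2.9 dst=198.51.100.20 dport=443 bytes_out=1200
2014-02-10T23:12:00 src=10.1.2.5 dst=192.0.2.44 dport=22 bytes_out=734003200
"""


def parse(log):
    """Group records by (src, dst, dport) -> [(timestamp, bytes_out)]; skip malformed lines."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        flows[(m["src"], m["dst"], int(m["dport"]))].append((ts, int(m["bytes"])))
    return flows


def is_beacon(events, min_events=5, max_jitter=0.1):
    """True when at least min_events connections occur at near-constant intervals:
    standard deviation of the gaps is within max_jitter of the mean gap."""
    if len(events) < min_events:
        return False
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter


def findings(log, export_threshold_bytes=500 * 1024 * 1024):
    """Sorted list of (finding, src, dst, dport) for beacons and bulk exports."""
    out = []
    for (src, dst, dport), events in parse(log).items():
        if is_beacon(events):
            out.append(("beacon", src, dst, dport))
        if sum(b for _, b in events) >= export_threshold_bytes:
            out.append(("bulk-export", src, dst, dport))
    return sorted(out)


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(*f)
```

The jitter test is deliberately simple; real beacons add random sleep, so in production the window, minimum count and jitter bound are tuned per sensor, and a hit is an input to SI-4(5) alerting rather than a verdict on its own.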
SI-4(5) Information System Monitoring
  NIST requirement: The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

SI-5 a Security Alerts, Advisories, and Directives
  NIST requirement: The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
  Recommended value: JC3 and EM MIPP

SI-5 b Security Alerts, Advisories, and Directives
  NIST requirement: The organization: Generates internal security alerts, advisories, and directives as deemed necessary;

SI-5 c Security Alerts, Advisories, and Directives
  NIST requirement: The organization: Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and

SI-5 d Security Alerts, Advisories, and Directives
  NIST requirement: The organization: Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-7 Software and Information Integrity
  NIST requirement: The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].
SI-7(1) Software and Information Integrity
  NIST requirement: The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
  Recommended value: Quarterly
  EM supplemental guidance: The site employs integrity verification applications on key information systems (e.g., servers that process and store CUI) to look for evidence of information tampering, errors, and omissions. The site employs good software engineering practices with regard to commercial off-the-shelf integrity mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and uses tools to automatically monitor the integrity of the information system and the applications it hosts.

SI-7(7) Software and Information Integrity
  NIST requirement: The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.
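The integrity verification tool that SI-7, SI-7(1) and SI-7(7) describe, reduced to its essentials as an added example (not a site's or vendor's product). It baselines a directory tree with SHA-256, re-checks it and reports modified, added and removed files in a form an incident responder can act on. One caveat the supplemental guidance leaves implicit is shown explicitly: parity checks and CRCs catch accidental corruption, but an adversary who can rewrite a file can also rewrite a stored digest, so the baseline itself is sealed with an HMAC under a key that is assumed to live off the monitored host. The files, the key value and the directory layout are constructed for the demo.

```python
"""File integrity baseline and verification (SI-7, SI-7(1), SI-7(7)), added example."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Streaming SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(baseline, key):
    """Attach an HMAC so tampering with the stored baseline is itself detectable."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline, "mac": hmac.new(key, body, "sha256").hexdigest()}


def unseal(sealed, key):
    body = json.dumps(sealed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline failed authentication: treat as a security-relevant event")
    return sealed["baseline"]


def verify(root, sealed, key):
    """Compare the tree against the sealed baseline; the result feeds incident response."""
    expected = unseal(sealed, key)
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "added": sorted(set(current) - set(expected)),
        "removed": sorted(set(expected) - set(current)),
    }


def demo():
    """Constructed scenario in a temporary directory: baseline, tamper, verify,
    then have the attacker also edit the baseline and show that is caught."""
    key = b"demo-key-assumed-to-come-from-a-kms"  # assumption: not stored on the host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original")
        (root / "etc.conf").write_text("mode=prod\n")
        (root / "old.log").write_text("x\n")
        sealed = seal(build_baseline(root), key)

        (root / "bin" / "app").write_bytes(b"\x7fELF trojaned")  # modified
        (root / "backdoor.sh").write_text("nc -e /bin/sh\n")      # added
        (root / "old.log").unlink()                                # removed
        report = verify(root, sealed, key)

        sealed["baseline"]["bin/app"] = sha256_file(root / "bin" / "app")  # attacker "fixes" baseline
        try:
            verify(root, sealed, key)
            forgery_caught = False
        except ValueError:
            forgery_caught = True
    return report, forgery_caught


if __name__ == "__main__":
    print(demo())
```

Scheduling (quarterly, at startup, or on a security-relevant event) is a matter of where verify() is invoked; the report's "modified" list is the SI-7(7) input to the incident response capability.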
SI-8 a Spam Protection
  NIST requirement: The organization: Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and

SI-8 b Spam Protection
  NIST requirement: The organization: Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

SI-8(1) Spam Protection
  NIST requirement: The organization centrally manages spam protection mechanisms.

SI-8(2) Spam Protection
  NIST requirement: The information system automatically updates spam protection mechanisms.

SI-10 Information Input Validation
  NIST requirement: The information system checks the validity of [Assignment: organization-defined information inputs].
  EM supplemental guidance: Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify that inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands.
SI-11 a Error Handling
  NIST requirement: The information system: Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
  EM supplemental guidance: The structure and content of error messages are carefully considered by the organization. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Error messages should be made available to system administrators and not be sent to the user or potential attacker.

SI-11 b Error Handling
  NIST requirement: The information system: Reveals error messages only to [Assignment: organization-defined personnel or roles].
SI-12 Information Handling and Retention
  NIST requirement: The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
  EM supplemental guidance: The output handling and retention requirements cover the full life cycle of the information, in some cases extending beyond the disposal of the information system.

SI-16 Memory Protection
  NIST requirement: The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.
DOE EM RMAIP Version 5.1, 121 of 243

Appendix B – NSS Security Controls

Based on early assessments of NSS security controls using CNSSI 1253 and NIST SP 800-53 Rev 3 controls, EM has determined that most systems will be categorized as C = M, I = M, A = M; C = M, I = M, A = L; or C = M, I = L, A = L. Below are the controls that should be addressed for each categorization and configuration (e.g., networked or stand-alone). "No" in the column for either a stand-alone or network configuration means that the control does not apply and does not have to be implemented. "Yes" means that it should be addressed and a justification given if the control is tailored out. A site may decide to deploy a control that does not apply, depending on its risk management strategy. Contracting Officers are not to require that each and every control listed in this table be implemented.

Cntl #: Lists the NIST control abbreviation
Control Name: Lists the name of the control requirement
CIA (LMH): Lists each CNSSI control requirement by Confidentiality (C), Integrity (I), and Availability (A) and Low (L), Moderate (M), and High (H)
NNN (LMH): Lists the NIST 800-53 Low (L), Moderate (M), and High (H) control selections associated with the CNSSI controls
NSS Stand Alone: Lists if the control is applicable to a NSS Stand-Alone PC
NSS Network: Lists if the control is applicable to NSS Networked PC(s)
Priority: Lists the NIST control priority
NIST Control Req: Lists the NIST control requirement

Table columns: Cntl # | Control Name | C (L M H) | I (L M H) | A (L M H) | NIST (L M H) | NSS Stand-Alone | NSS Network | Priority | NIST Control Requirement. An X marks a baseline in which the control is selected; each row below lists its X marks in the order they appear in the table, followed by the Stand-Alone, Network and Priority entries.

AC-1 Access Control Policy and Procedures
  Baseline marks: X X X X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
AC-2 Account Management
  Baseline marks: X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization manages information system accounts, including: a) Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); b) Establishing conditions for group membership; c) Identifying authorized users of the information system and specifying access privileges; d) Requiring appropriate approvals for requests to establish accounts; e) Establishing, activating, modifying, disabling, and removing accounts; f) Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; g) Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; h) Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; i) Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and j) Reviewing accounts [Assignment: organization-defined frequency].

AC-2(1) Account Management
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization employs automated mechanisms to support the management of information system accounts.

AC-2(2) Account Management
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
AC-2(3) Account Management
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The information system automatically disables inactive accounts after [Assignment: organization-defined time period].

AC-2(4) Account Management
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.

AC-2(5) Account Management
  NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P0
  NIST requirement: The organization: a) Requires that users log out when [Assignment: organization-defined time-period of expected inactivity and/or description of when to log out]; b) Determines normal time-of-day and duration usage for information system accounts; c) Monitors for atypical usage of information system accounts; and d) Reports atypical usage to designated organizational officials.

AC-2(6) Account Management
  NIST requirement: The information system dynamically manages user privileges and associated access authorizations.

AC-2(7) Account Management
  Baseline marks: X X X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
  NIST requirement: The organization: a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and b) Tracks and monitors privileged role assignments.

AC-3 Access Enforcement
  Baseline marks: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.

AC-3(1) Access Enforcement
  Withdrawn.

AC-3(2) Access Enforcement
  NIST requirement: The information system enforces dual authorization, based on organizational policies and procedures for [Assignment: organization-defined privileged commands].
AC-3(3) Access Enforcement
  NIST requirement: The information system enforces [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: organization-defined set of users and resources] where the policy rule set for each policy specifies: a) Access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and b) Required relationships among the access control information to permit access.

AC-3(4) Access Enforcement
  Baseline marks: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P0
  NIST requirement: The information system enforces a Discretionary Access Control (DAC) policy that: a) Allows users to specify and control sharing by named individuals or groups of individuals, or by both; b) Limits propagation of access rights; and c) Includes or excludes access to the granularity of a single user.

AC-3(5) Access Enforcement
  NIST requirement: The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, nonoperable system states.

AC-3(6) Access Enforcement
  Baseline marks: X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization encrypts or stores off-line in a secure location [Assignment: organization-defined user and/or system information].

AC-4 Information Flow Enforcement
  Baseline marks: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
  NIST requirement: The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.

AC-4(1) Information Flow Enforcement
  NIST requirement: The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
AC-4(2) Information Flow Enforcement
  NIST requirement: The information system enforces information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.

AC-4(3) Information Flow Enforcement
  NIST requirement: The information system enforces dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations.

AC-4(4) Information Flow Enforcement
  NIST requirement: The information system prevents encrypted data from bypassing content-checking mechanisms.

AC-4(5) Information Flow Enforcement
  NIST requirement: The information system enforces [Assignment: organization-defined limitations on the embedding of data types within other data types].

AC-4(6) Information Flow Enforcement
  NIST requirement: The information system enforces information flow control on metadata.

AC-4(7) Information Flow Enforcement
  NIST requirement: The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.

AC-4(8) Information Flow Enforcement
  NIST requirement: The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions.

AC-4(9) Information Flow Enforcement
  NIST requirement: The information system enforces the use of human review for [Assignment: organization-defined security policy filters] when the system is not capable of making an information flow control decision.

AC-4(10) Information Flow Enforcement
  NIST requirement: The information system provides the capability for a privileged administrator to enable/disable [Assignment: organization-defined security policy filters].

AC-4(11) Information Flow Enforcement
  NIST requirement: The information system provides the capability for a privileged administrator to configure [Assignment: organization-defined security policy filters] to support different security policies.
AC-4(12) Information Flow Enforcement
  NIST requirement: The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.

AC-4(13) Information Flow Enforcement
  NIST requirement: The information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.

AC-4(14) Information Flow Enforcement
  NIST requirement: The information system, when transferring information between different security domains, implements policy filters that constrain data structure and content to [Assignment: organization-defined information security policy requirements].

AC-4(15) Information Flow Enforcement
  NIST requirement: The information system, when transferring information between different security domains, detects unsanctioned information and prohibits the transfer of such information in accordance with the security policy.

AC-4(16) Information Flow Enforcement
  NIST requirement: The information system enforces security policies regarding information on interconnected systems.

AC-4(17) Information Flow Enforcement
  NIST requirement: The information system: a) Uniquely identifies and authenticates source and destination domains for information transfer; b) Binds security attributes to information to facilitate information flow policy enforcement; and c) Tracks problems associated with the security attribute binding and information transfer.

AC-5 Separation of Duties
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization: a) Separates duties of individuals as necessary, to prevent malevolent activity without collusion; b) Documents separation of duties; and c) Implements separation of duties through assigned information system access authorizations.
AC-6 Least Privilege
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

AC-6(1) Least Privilege
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information].

AC-6(2) Least Privilege
  Baseline marks: X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P1
  NIST requirement: The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions.

AC-6(3) Least Privilege
  NIST requirement: The organization authorizes network access to [Assignment: organization-defined privileged commands] only for compelling operational needs and documents the rationale for such access in the security plan for the information system.

AC-6(4) Least Privilege
  NIST requirement: The information system provides separate processing domains to enable finer-grained allocation of user privileges.

AC-6(5) Least Privilege
  Baseline marks: X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P0
  NIST requirement: The organization limits authorization to super user accounts on the information system to designated system administration personnel.

AC-6(6) Least Privilege
  Baseline marks: X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P0
  NIST requirement: The organization prohibits privileged access to the information system by non-organizational users.
AC-7 | Unsuccessful Login Attempts | X X X X X X X X X X X X | Yes | Yes | P2
    The information system: a) Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-defined time period]; and b) Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.

AC-7(1) | Unsuccessful Login Attempts | X X X X | Yes | Yes | P0
    The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.

AC-7(2) | Unsuccessful Login Attempts
    The information system provides additional protection for mobile devices accessed via login by purging information from the device after [Assignment: organization-defined number] consecutive, unsuccessful login attempts to the device.
AC-8 | System Use Notification | X X X X X X X X X | Yes | Yes | P1
    The information system: a) Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; b) Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and c) For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii) includes in the notice given to public users of the information system, a description of the authorized uses of the system.

AC-9 | Previous Logon (Access) Notification | X X | No | No | P0
    The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).

AC-10 | Concurrent Session Control | X X X X X | Yes | Yes | P2
    The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number].
AC-11 | Session Lock | X X X X X X X X | Yes | Yes | P3
    The information system: a) Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-11(1) | Session Lock | X X X | Yes | Yes | P0
    The information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.

AC-14 | Permitted Actions Without Identification Or Authentication | X X X X X X X X X | Yes | Yes | P1
    The organization: a) Identifies specific user actions that can be performed on the information system without identification or authentication; and b) Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.

AC-14(1) | Permitted Actions Without Identification Or Authentication | X X X X X X | Yes | Yes | P1
    The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.

AC-17 | Remote Access | X X X X X X X X X | Yes | Yes | P1
    The organization: a) Documents allowed methods of remote access to the information system; b) Establishes usage restrictions and implementation guidance for each allowed remote access method; c) Monitors for unauthorized remote access to the information system; d) Authorizes remote access to the information system prior to connection; and e) Enforces requirements for remote connections to the information system.
AC-17(1) | Remote Access | X X X X X X X X | Yes | Yes | P1
    The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.

AC-17(2) | Remote Access | X X X X X X X X | Yes | Yes | P1
    The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.

AC-17(3) | Remote Access | X X X X X X X X | Yes | Yes | P1
    The information system routes all remote accesses through a limited number of managed access control points.

AC-17(4) | Remote Access | X X X X X X X X | Yes | Yes | P1
    The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.

AC-17(5) | Remote Access | X X X X X X X X | Yes | Yes | P1
    The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

AC-17(6) | Remote Access | X X X | Yes | Yes | P0
    The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.

AC-17(7) | Remote Access | X X X X X X X X | Yes | Yes | P1
    The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ [Assignment: organization-defined additional security measures] and are audited.

AC-17(8) | Remote Access | X X X X X X X X | Yes | Yes | P1
    The organization disables [Assignment: organization-defined networking protocols within the information system deemed to be nonsecure] except for explicitly identified components in support of specific operational requirements.
AC-18 | Wireless Access Restrictions | X X X X X X X X X | No | No | P1
    The organization: a) Establishes usage restrictions and implementation guidance for wireless access; b) Monitors for unauthorized wireless access to the information system; c) Authorizes wireless access to the information system prior to connection; and d) Enforces requirements for wireless connections to the information system.

AC-18(1) | Wireless Access Restrictions | X X X X X X X X | No | No | P1
    The information system protects wireless access to the system using authentication and encryption.

AC-18(2) | Wireless Access Restrictions | X X X X X X X | No | No | P0
    The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered.

AC-18(3) | Wireless Access Restrictions | X X X X X X | No | No | P0
    The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.

AC-18(4) | Wireless Access Restrictions | X X X X X X X | No | No | P0
    The organization does not allow users to independently configure wireless networking capabilities.

AC-18(5) | Wireless Access Restrictions | X X X X X X X | No | No | P0
    The organization confines wireless communications to organization-controlled boundaries.
AC-19 | Access Control For Mobile Devices | X X X X X X X X X | Yes | Yes | P1
    The organization: a) Establishes usage restrictions and implementation guidance for organization-controlled mobile devices; b) Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems; c) Monitors for unauthorized connections of mobile devices to organizational information systems; d) Enforces requirements for the connection of mobile devices to organizational information systems; e) Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; f) Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and g) Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

AC-19(1) | Access Control For Mobile Devices | X X X X X | Yes | Yes | P1
    The organization restricts the use of writable, removable media in organizational information systems.

AC-19(2) | Access Control For Mobile Devices | X X X X X X X X | Yes | Yes | P1
    The organization prohibits the use of personally owned, removable media in organizational information systems.

AC-19(3) | Access Control For Mobile Devices | X X X X X X X X | Yes | Yes | P1
    The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
AC-19(4) | Access Control For Mobile Devices | X X X | Yes | Yes | P0
    The organization: a) Prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s); and b) Enforces the following restrictions on individuals permitted to use mobile devices in facilities containing information systems processing, storing, or transmitting classified information: 1) Connection of unclassified mobile devices to classified information systems is prohibited; 2) Connection of unclassified mobile devices to unclassified information systems requires approval from the appropriate authorizing official(s); 3) Use of internal or external modems or wireless interfaces within the mobile devices is prohibited; and 4) Mobile devices and the information stored on those devices are subject to random reviews/inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.

AC-20 | Use Of External Information Systems | X X X X X X X X X | No | Yes | P1
    The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: a) Access the information system from the external information systems; and b) Process, store, and/or transmit organization-controlled information using the external information systems.
AC-20(1) | Use Of External Information Systems | X X X X X X X X | No | No | P1
    The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: a) Can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan; or b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.

AC-20(2) | Use Of External Information Systems | X X X X X | No | No | P1
    The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.

AC-22 | Publicly Accessible Content | X X X X X X | No | No | P2
    The organization: a) Designates individuals authorized to post information onto an organizational information system that is publicly accessible; b) Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; c) Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system; d) Reviews the content on the publicly accessible organizational information system for nonpublic information [Assignment: organization-defined frequency]; and e) Removes nonpublic information from the publicly accessible organizational information system, if discovered.
AT-1 | Security Awareness And Training Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
    The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

AT-2 | Security Awareness | X X X X X X X X X X X X | Yes | Yes | P1
    The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter.

AT-3 | Security Training | X X X X X X X X X X X X | Yes | Yes | P1
    The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

AT-3(2) | Security Training | X X X X X X X X X | Yes | Yes | P0
    The organization provides employees with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

AT-4 | Security Training Records | X X X X X X X X X X X X | Yes | Yes | P3
    The organization: a) Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and b) Retains individual training records for [Assignment: organization-defined time period].
AT-5 | Contacts With Security Groups And Associations | X X X X X X X X X | Yes | Yes | P0
    The organization establishes and institutionalizes contact with selected groups and associations within the security community: a) To facilitate ongoing security education and training for organizational personnel; b) To stay up to date with the latest recommended security practices, techniques, and technologies; and c) To share current security-related information including threats, vulnerabilities, and incidents.

AU-1 | Audit And Accountability Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
    The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-2 | Auditable Events | X X X X X X X X X | Yes | Yes | P1
    The organization: a) Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events: [Assignment: organization-defined list of auditable events]; b) Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c) Provides a rationale for why the list of auditable events is deemed to be adequate to support after-the-fact investigations of security incidents; and d) Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited within the information system: [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited along with the frequency of (or situation requiring) auditing for each identified event].

AU-2(3) | Auditable Events | X X X X X X X X | Yes | Yes | P1
    The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency].

AU-2(4) | Auditable Events | X X X X X X X X | Yes | Yes | P1
    The organization includes execution of privileged functions in the list of events to be audited by the information system.

AU-3 | Content Of Audit Records | X X X X X X X X X | Yes | Yes | P1
    The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
AU-3(1) | Content Of Audit Records | X X X X X X X X | Yes | Yes | P1
    The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject.

AU-3(2) | Content Of Audit Records | X X X X X X X | Yes | Yes | P0
    The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components].

AU-4 | Audit Storage Capacity | X X X X X X | Yes | Yes | P1
    The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

AU-5 | Response To Audit Processing Failures | X X X X X X | No | Yes | P1
    The information system: a) Alerts designated organizational officials in the event of an audit processing failure; and b) Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

AU-5(1) | Response To Audit Processing Failures | X X X X | No | Yes | P1
    The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit record storage capacity.

AU-5(2) | Response To Audit Processing Failures | X X X | No | Yes | P1
    The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
AU-6 | Audit Review, Analysis, And Reporting | X X X X X X X X X | Yes | Yes | P1
    The organization: a) Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and b) Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.

AU-6(1) | Audit Review, Analysis, And Reporting | X X X X X | No | No | P1
    The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

AU-6(2) | Audit Review, Analysis, And Reporting | - - - - - - - - -
    [Withdrawn: Incorporated into SI-4].

AU-6(3) | Audit Review, Analysis, And Reporting | X X X X X X | No | Yes | P1
    The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

AU-7 | Audit Reduction And Report Generation | X X X X X X | No | No | P2
    The information system provides an audit reduction and report generation capability.

AU-7(1) | Audit Reduction And Report Generation | X X X X X X | No | No | P2
    The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.

AU-8 | Time Stamps | X X X X X X | Yes | Yes | P1
    The information system uses internal system clocks to generate time stamps for audit records.

AU-8(1) | Time Stamps | X X X X X | No | No | P1
    The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source].
AU-9 | Protection Of Audit Information | X X X X X X X X X | No | Yes | P1
    The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

AU-9(1) | Protection Of Audit Information
    The information system produces audit records on hardware-enforced, write-once media.

AU-9(2) | Protection Of Audit Information | X X | No | Yes | P0
    The information system backs up audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

AU-9(3) | Protection Of Audit Information | X | No | Yes | P1
    The information system uses cryptographic mechanisms to protect the integrity of audit information and audit tools.

AU-9(4) | Protection Of Audit Information | X X X | No | Yes | P0
    The organization: a) Authorizes access to management of audit functionality to only a limited subset of privileged users; and b) Protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.

AU-10 | Non-Repudiation | X X X | No | Yes | P1
    The information system protects against an individual falsely denying having performed a particular action.

AU-10(5) | Non-Repudiation | X X | No | No | P1
    The organization employs [Selection: FIPS-validated; NSA-approved] cryptography to implement digital signatures.

AU-11 | Audit Record Retention | X X X X X X | Yes | Yes | P3
    The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
AU-12 | Audit Generation | X X X X X X X X X X X X | Yes | Yes | P1
    The information system: a) Provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components]; b) Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and c) Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.

AU-12(1) | Audit Generation | X X | Yes | Yes | P1
    The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].

AU-13 | Monitoring For Information Disclosure
    The organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information [Assignment: organization-defined frequency].

CA-1 | Security Assessment And Authorization Policies And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
    The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.
CA-2 | Security Assessments | X X X X X X X X X X X X | Yes | Yes | P2
    The organization: a) Develops a security assessment plan that describes the scope of the assessment including: 1) Security controls and control enhancements under assessment; 2) Assessment procedures to be used to determine security control effectiveness; and 3) Assessment environment, assessment team, and assessment roles and responsibilities; b) Assesses the security controls in the information system [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; c) Produces a security assessment report that documents the results of the assessment; and d) Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.

CA-2(1) | Security Assessments | X X X X X X X X X X X | Yes | Yes | P2
    The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.

CA-2(2) | Security Assessments | X X X X | Yes | Yes | P2
    The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security testing]].
CA-3 | Information System Connections | X X X X X X X X X | No | Yes | P1
    The organization: a) Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements; b) Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and c) Monitors the information system connections on an ongoing basis verifying enforcement of security requirements.

CA-3(1) | Information System Connections | X X X | No | Yes | P1
    The organization prohibits the direct connection of an unclassified, national security system to an external network.

CA-3(2) | Information System Connections | X X | No | Yes | P1
    The organization prohibits the direct connection of a classified, national security system to an external network.

CA-5 | Plan Of Action And Milestones | X X X X X X X X X X X X | Yes | Yes | P3
    The organization: a) Develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and b) Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
CA-6 | Security Authorization | X X X X X X X X X X X X | Yes | Yes | P3
    The organization: a) Assigns a senior-level executive or manager to the role of authorizing official for the information system; b) Ensures that the authorizing official authorizes the information system for processing before commencing operations; and c) Updates the security authorization [Assignment: organization-defined frequency].

CA-7 | Continuous Monitoring | X X X X X X X X X X X X | Yes | Yes | P3
    The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes: a) A configuration management process for the information system and its constituent components; b) A determination of the security impact of changes to the information system and environment of operation; c) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and d) Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency].

CA-7(1) | Continuous Monitoring | X X X X X X X X X | Yes | Yes | P3
    The organization employs an independent assessor or assessment team to monitor the security controls in the information system on an ongoing basis.

CA-7(2) | Continuous Monitoring | X X X X X X X X X | Yes | Yes | P3
    The organization plans, schedules, and conducts assessments [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises; [Assignment: organization-defined other forms of security assessment]] to ensure compliance with all vulnerability mitigation procedures.
CM-1 Configuration Management Policy And Procedures | X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

CM-2 Baseline Configuration | X X X X X X | Yes | Yes | P1
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

CM-2(1) Baseline Configuration | X X X X X | Yes | Yes | P1
The organization reviews and updates the baseline configuration of the information system: a) [Assignment: organization-defined frequency]; b) When required due to [Assignment: organization-defined circumstances]; and c) As an integral part of information system component installations and upgrades.

CM-2(2) Baseline Configuration | X X | Yes | No | P1
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

CM-2(3) Baseline Configuration | X X X X | Yes | Yes | P1
The organization retains older versions of baseline configurations as deemed necessary to support rollback.

CM-2(4) Baseline Configuration | X X | | |
The organization: a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system]; and b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.
CM-2(5) Baseline Configuration | X X X X | Yes | Yes | P1
The organization: a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.

CM-2(6) Baseline Configuration | X | Yes | Yes | P1
The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

CM-3 Configuration Change Control | X X X X X | Yes | Yes | P1
The organization: a) Determines the types of changes to the information system that are configuration controlled; b) Approves configuration-controlled changes to the system with explicit consideration for security impact analyses; c) Documents approved configuration-controlled changes to the system; d) Retains and reviews records of configuration-controlled changes to the system; e) Audits activities associated with configuration-controlled changes to the system; and f) Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-3(1) Configuration Change Control | X X | No | No | P1
The organization employs automated mechanisms to: a) Document proposed changes to the information system; b) Notify designated approval authorities; c) Highlight approvals that have not been received by [Assignment: organization-defined time period]; d) Inhibit change until designated approvals are received; and e) Document completed changes to the information system.

CM-3(2) Configuration Change Control | X X X X | Yes | Yes | P1
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

CM-3(3) Configuration Change Control | | | |
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.

CM-3(4) Configuration Change Control | X X X | Yes | Yes | P1
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element (e.g., committee, board)].

CM-4 Security Impact Analysis | X X X X X X | Yes | Yes | P2
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

CM-4(1) Security Impact Analysis | X X X | Yes | Yes | P2
The organization analyzes new software in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-4(2) Security Impact Analysis | X X X | Yes | Yes | P2
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
CM-5 Access Restrictions For Change | X X X X X | Yes | Yes | P1
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

CM-5(1) Access Restrictions For Change | X | Yes | Yes | P1
The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

CM-5(2) Access Restrictions For Change | X X X X | Yes | Yes | P1
The organization conducts audits of information system changes [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.

CM-5(3) Access Restrictions For Change | X X | No | No | P1
The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization.

CM-5(5) Access Restrictions For Change | X X X | No | Yes | P1
The organization: a) Limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; and b) Reviews and reevaluates information system developer/integrator privileges [Assignment: organization-defined frequency].

CM-5(6) Access Restrictions For Change | X X X | Yes | Yes | P1
The organization limits privileges to change software resident within software libraries (including privileged programs).
CM-6 Configuration Settings | X X X X X X | Yes | Yes | P1
The organization: a) Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b) Implements the configuration settings; c) Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

CM-6(1) Configuration Settings | X X X | No | Yes | P1
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

CM-6(2) Configuration Settings | X X | No | Yes | P1
The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].

CM-6(3) Configuration Settings | X X X X X | Yes | Yes | P1
The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
CM-7 Least Functionality | X X X X X X X X X | Yes | Yes | P1
The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].

CM-7(1) Least Functionality | X X X X X X X X | Yes | Yes | P1
The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.

CM-7(2) Least Functionality | X X X X X | Yes | Yes | P1
The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].

CM-7(3) Least Functionality | X X X X X X | Yes | Yes | P1
The organization ensures compliance with [Assignment: organization-defined registration requirements for ports, protocols, and services].

CM-8 Information System Component Inventory | X X X X X X | Yes | Yes | P1
The organization develops, documents, and maintains an inventory of information system components that: a) Accurately reflects the current information system; b) Is consistent with the authorization boundary of the information system; c) Is at the level of granularity deemed necessary for tracking and reporting; d) Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and e) Is available for review and audit by designated organizational officials.
CM-8(1) Information System Component Inventory | X X X X X | Yes | Yes | P1
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8(2) Information System Component Inventory | X X | Yes | Yes | P1
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

CM-8(3) Information System Component Inventory | X X | Yes | Yes | P1
The organization: a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and b) Disables network access by such components/devices or notifies designated organizational officials.

CM-8(4) Information System Component Inventory | X X X X | Yes | Yes | P1
The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.

CM-8(5) Information System Component Inventory | X X X X X | Yes | Yes | P1
The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
CM-9 Configuration Management Plan | X X X X X | Yes | Yes | P1
The organization develops, documents, and implements a configuration management plan for the information system that: a) Addresses roles, responsibilities, and configuration management processes and procedures; b) Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and c) Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.

CP-1 Contingency Planning Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
CP-2 Contingency Plan | X X X X X X | Yes | Yes | P1
The organization: a) Develops a contingency plan for the information system that: 1) Identifies essential missions and business functions and associated contingency requirements; 2) Provides recovery objectives, restoration priorities, and metrics; 3) Addresses contingency roles, responsibilities, assigned individuals with contact information; 4) Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; 5) Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and 6) Is reviewed and approved by designated officials within the organization; b) Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements]; c) Coordinates contingency planning activities with incident handling activities; d) Reviews the contingency plan for the information system [Assignment: organization-defined frequency]; e) Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and f) Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements].
CP-2(1) Contingency Plan | X X X X | No | Yes | P1
The organization coordinates contingency plan development with organizational elements responsible for related plans.

CP-2(2) Contingency Plan | X X X | No | Yes | P1
The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

CP-2(3) Contingency Plan | X X X | No | Yes | P1
The organization plans for the resumption of essential missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2(4) Contingency Plan | X X | No | Yes | P1
The organization plans for the full resumption of missions and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2(5) Contingency Plan | X | No | Yes | P1
The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites.

CP-2(6) Contingency Plan | X | No | Yes | P1
The organization provides for the transfer of all essential missions and business functions to alternate processing and/or storage sites with little or no loss of operational continuity and sustains that continuity through restoration to primary processing and/or storage sites.

CP-3 Contingency Training | X X X X X X | Yes | Yes | P2
The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency].
CP-3(1) Contingency Training | X X | No | No | P2
The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.

CP-4 Contingency Plan Testing And Exercises | X X X X X X | Yes | Yes | P2
The organization: a) Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plan’s effectiveness and the organization’s readiness to execute the plan; and b) Reviews the contingency plan test/exercise results and initiates corrective actions.

CP-4(1) Contingency Plan Testing And Exercises | X X X X | Yes | Yes | P2
The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.

CP-4(2) Contingency Plan Testing And Exercises | X X | No | No | P2
The organization tests/exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site’s capabilities to support contingency operations.

CP-4(4) Contingency Plan Testing And Exercises | X | Yes | Yes | P2
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.

CP-6 Alternate Storage Site | X X X X | No | No | P1
The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.

CP-6(1) Alternate Storage Site | X X X X | No | No | P1
The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
CP-6(2) Alternate Storage Site | X X | No | No | P1
The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

CP-6(3) Alternate Storage Site | X X X X | No | No | P1
The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 Alternate Processing Site | X X X X | No | No | P1
The organization: a) Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and b) Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.

CP-7(1) Alternate Processing Site | X X X X | No | No | P1
The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.

CP-7(2) Alternate Processing Site | X X X X | No | No | P1
The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7(3) Alternate Processing Site | X X X X | No | No | P1
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements.
CP-7(4) Alternate Processing Site | X X X | No | No | P1
The organization configures the alternate processing site so that it is ready to be used as the operational site supporting essential missions and business functions.

CP-7(5) Alternate Processing Site | X X X X X X X X | No | No | P1
The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

CP-8 Telecommunications Services | X X X X | No | No | P1
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable.

CP-8(1) Telecommunications Services | X X X X | No | No | P1
The organization: a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with the organization’s availability requirements; and b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

CP-8(2) Telecommunications Services | X X X X | No | No | P1
The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8(3) Telecommunications Services | X X | No | No | P1
The organization obtains alternate telecommunications service providers that are separated from primary service providers so as not to be susceptible to the same hazards.

CP-8(4) Telecommunications Services | X X | No | No | P1
The organization requires primary and alternate telecommunications service providers to have contingency plans.

CP-9 Information System Backup | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b) Conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c) Conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and d) Protects the confidentiality and integrity of backup information at the storage location.

CP-9(1) Information System Backup | X X X X X X X X | No | Yes | P1
The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

CP-9(2) Information System Backup | X X X | No | Yes | P1
The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.
CP-9(3) Information System Backup | X X | No | Yes | P1
The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.

CP-9(4) Information System Backup | - - - - - - - - - | | |
[Withdrawn: Incorporated into CP-9].

CP-9(5) Information System Backup | X X | No | Yes | P1
The organization transfers information system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

CP-10 Information System Recovery And Reconstitution | X X X X X X | Yes | Yes | P1
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.

CP-10(1) Information System Recovery And Reconstitution | - - - - - - - - - | | |
[Withdrawn: Incorporated into CP-4].

CP-10(2) Information System Recovery And Reconstitution | X X X X X X X X | No | No | P1
The information system implements transaction recovery for systems that are transaction-based.

CP-10(3) Information System Recovery And Reconstitution | X X | | |
The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state].

CP-10(4) Information System Recovery And Reconstitution | X | No | Yes |
The organization provides the capability to reimage information system components within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.
IA-1 Identification And Authentication Policy And Procedures | X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

IA-2 Identification And Authentication (Organizational Users) | X X X X X X X X X | Yes | Yes | P1
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

IA-2(1) Identification And Authentication (Organizational Users) | X X X X X X X X X | No | Yes | P1
The information system uses multifactor authentication for network access to privileged accounts.

IA-2(2) Identification And Authentication (Organizational Users) | X X X X X X | No | Yes | P1
The information system uses multifactor authentication for network access to non-privileged accounts.

IA-2(3) Identification And Authentication (Organizational Users) | X X X X X X | No | No | P1
The information system uses multifactor authentication for local access to privileged accounts.

IA-2(4) Identification And Authentication (Organizational Users) | X X X X X | No | No | P1
The information system uses multifactor authentication for local access to non-privileged accounts.

IA-2(5) Identification And Authentication (Organizational Users) | X X X X X X | Yes | Yes | P1
The organization: a) Allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and b) Requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.
IA-2(8) Identification And Authentication (Organizational Users) | X X X X X X X X | No | No | P1
The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts.

IA-2(9) Identification And Authentication (Organizational Users) | X X X X X | No | No | P1
The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to non-privileged accounts.

IA-3 Device Identification And Authentication | X X X X X X X X | No | No | P1
The information system uniquely identifies and authenticates [Assignment: organization-defined list of specific and/or types of devices] before establishing a connection.

IA-3(1) Device Identification And Authentication | X X X X X X | No | Yes | P1
The information system authenticates devices before establishing remote and wireless network connections using bidirectional authentication between devices that is cryptographically based.

IA-3(2) Device Identification And Authentication | X X X X X X | No | Yes | P1
The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.

IA-3(3) Device Identification And Authentication | X X X X X X | No | Yes | P1
The organization standardizes, with regard to dynamic address allocation, Dynamic Host Control Protocol (DHCP) lease information and the time assigned to devices, and audits lease information when assigned to a device.
IA-4 | Identifier Management | X X X X X X X X X | Yes | Yes | P1
The organization manages information system identifiers for users and devices by: a) Receiving authorization from a designated organizational official to assign a user or device identifier; b) Selecting an identifier that uniquely identifies an individual or device; c) Assigning the user identifier to the intended party or the device identifier to the intended device; d) Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and e) Disabling the user identifier after [Assignment: organization-defined time period of inactivity].

IA-4(4) | Identifier Management | X X X X X X | Yes | Yes | P1
The organization manages user identifiers by uniquely identifying the user as [Assignment: organization-defined characteristic identifying user status].
IA-5 | Authenticator Management | X X X X X X X X X | Yes | Yes | P1
The organization manages information system authenticators for users and devices by: a) Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; b) Establishing initial authenticator content for authenticators defined by the organization; c) Ensuring that authenticators have sufficient strength of mechanism for their intended use; d) Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; e) Changing default content of authenticators upon information system installation; f) Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate); g) Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type]; h) Protecting authenticator content from unauthorized disclosure and modification; and i) Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
IA-5(1) | Authenticator Management | X X X X X X X X X | Yes | Yes | P1
The information system, for password-based authentication: a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created; c) Encrypts passwords in storage and in transmission; d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and e) Prohibits password reuse for [Assignment: organization-defined number] generations.

IA-5(2) | Authenticator Management | X X X X X | No | Yes | P1
The information system, for PKI-based authentication: a) Validates certificates by constructing a certification path with status information to an accepted trust anchor; b) Enforces authorized access to the corresponding private key; and c) Maps the authenticated identity to the user account.

IA-5(3) | Authenticator Management | X X X X X | Yes | Yes | P1
The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).

IA-5(4) | Authenticator Management | X X X X X X | No | Yes | P1
The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.
IA-5(6) | Authenticator Management | X X X X X X
The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.

IA-5(7) | Authenticator Management | X X X | No | Yes | P2
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys.

IA-5(8) | Authenticator Management | X X X X X X | Yes | Yes | P2
The organization takes [Assignment: organization-defined measures] to manage the risk of compromise due to individuals having accounts on multiple information systems.

IA-6 | Authenticator Feedback | X X X X X X | Yes | Yes | P1
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IA-7 | Cryptographic Module Authentication | X X X X X X X X X | No | No | P1
The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.

IA-8 | Identification And Authentication (Non-Organizational Users) | X X X X X X X X X | No | No | P1
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IR-1 | Incident Response Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

IR-2 | Incident Response Training | X X X X X X X X X X X X | Yes | Yes | P2
The organization: a) Trains personnel in their incident response roles and responsibilities with respect to the information system; and b) Provides refresher training [Assignment: organization-defined frequency].

IR-2(1) | Incident Response Training | X X X X | Yes | Yes | P2
The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

IR-2(2) | Incident Response Training | X X X | No | No | P2
The organization employs automated mechanisms to provide a more thorough and realistic training environment.

IR-3 | Incident Response Testing And Exercises | X X X X X X X X X X X | Yes | Yes | P2
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results.

IR-3(1) | Incident Response Testing And Exercises | X | No | No | P2
The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.
IR-4 | Incident Handling | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; b) Coordinates incident handling activities with contingency planning activities; and c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.

IR-4(1) | Incident Handling | X X X X X X X X X X X | No | No | P1
The organization employs automated mechanisms to support the incident handling process.

IR-4(3) | Incident Handling | X X X X X X X X X | Yes | Yes | P1
The organization identifies classes of incidents and defines appropriate actions to take in response to ensure continuation of organizational missions and business functions.

IR-4(4) | Incident Handling | X X X X X X X X X | Yes | Yes | P1
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

IR-5 | Incident Monitoring | X X X X X X X X X X X X | Yes | Yes | P1
The organization tracks and documents information system security incidents.

IR-5(1) | Incident Monitoring | X X X | No | No | P1
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

IR-6 | Incident Reporting | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time-period]; and b) Reports security incident information to designated authorities.

IR-6(1) | Incident Reporting | X X X X X X X X X X X | Yes | Yes | P1
The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-6(2) | Incident Reporting | X X X X X X X X X | Yes | Yes | P1
The organization reports information system weaknesses, deficiencies, and/or vulnerabilities associated with reported security incidents to appropriate organizational officials.

IR-7 | Incident Response Assistance | X X X X X X X X X X X X | Yes | Yes | P3
The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.

IR-7(1) | Incident Response Assistance | X X X X X X X X X X X | No | No | P3
The organization employs automated mechanisms to increase the availability of incident response-related information and support.

IR-7(2) | Incident Response Assistance | X X X X X X X X X | Yes | Yes | P3
The organization: a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and b) Identifies organizational incident response team members to the external providers.
IR-8 | Incident Response Plan | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Develops an incident response plan that: 1) Provides the organization with a roadmap for implementing its incident response capability; 2) Describes the structure and organization of the incident response capability; 3) Provides a high-level approach for how the incident response capability fits into the overall organization; 4) Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; 5) Defines reportable incidents; 6) Provides metrics for measuring the incident response capability within the organization; 7) Defines the resources and management support needed to effectively maintain and mature an incident response capability; and 9) Is reviewed and approved by designated officials within the organization; b) Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements]; c) Reviews the incident response plan [Assignment: organization-defined frequency]; d) Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and e) Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements].
MA-1 | System Maintenance Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

MA-2 | Controlled Maintenance | X X X X X X X X X X X X | Yes | Yes | P2
The organization: a) Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; b) Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; c) Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs; d) Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and e) Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
MA-2(1) | Controlled Maintenance | X X X X X X X X X X X | Yes | Yes | P2
The organization maintains maintenance records for the information system that include: a) Date and time of maintenance; b) Name of the individual performing the maintenance; c) Name of escort, if necessary; d) A description of the maintenance performed; and e) A list of equipment removed or replaced (including identification numbers, if applicable).

MA-2(2) | Controlled Maintenance | X X X | No | No | P2
The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required, producing up-to-date, accurate, complete, and available records of all maintenance and repair actions, needed, in process, and completed.

MA-3 | Maintenance Tools | X X X X X X X X | Yes | Yes | P2
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.

MA-3(1) | Maintenance Tools | X X X X X X | Yes | Yes | P2
The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.

MA-3(2) | Maintenance Tools | X X X X X X X X | Yes | Yes | P2
The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.

MA-3(3) | Maintenance Tools | X X X X | Yes | Yes | P2
The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.
MA-4 | Non-Local Maintenance | X X X X X X | No | No | P1
The organization: a) Authorizes, monitors, and controls non-local maintenance and diagnostic activities; b) Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; c) Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions; d) Maintains records for non-local maintenance and diagnostic activities; and e) Terminates all sessions and network connections when non-local maintenance is completed.

MA-4(1) | Non-Local Maintenance | X X
The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.

MA-4(2) | Non-Local Maintenance | X X X X X | No | No | P1
The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.
MA-4(3) | Non-Local Maintenance | X X X X X X X X X X | No | No | P1
The organization: a) Requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced; or b) Removes the component to be serviced from the information system and, prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software and surreptitious implants) before reconnecting the component to the information system.

MA-4(5) | Non-Local Maintenance | X X X | No | No | P1
The organization requires that: a) Maintenance personnel notify [Assignment: organization-defined personnel] when non-local maintenance is planned (i.e., date/time); and b) A designated organizational official with specific information security/information system knowledge approves the non-local maintenance.

MA-4(6) | Non-Local Maintenance | X X X X X X | No | No | P1
The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.

MA-4(7) | Non-Local Maintenance | X X X | No | No | P1
The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
MA-5 | Maintenance Personnel | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and b) Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.

MA-5(1) | Maintenance Personnel | X X X X X X X X X | Yes | Yes | P1
The organization maintains procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: a) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; b) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and c) In the event an information system component cannot be sanitized, the procedures contained in the security plan for the system are enforced.
MA-5(2) | Maintenance Personnel | | Yes | Yes |
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are cleared (i.e., possess appropriate security clearances) for the highest level of information on the system.

MA-5(3) | Maintenance Personnel | | Yes | Yes |
The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.

MA-6 | Timely Maintenance | X X X X | Yes | Yes | P1
The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] of failure.

MP-1 | Media Protection Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls.

MP-2 | Media Access | X X X X X X | Yes | Yes | P1
The organization restricts access to [Assignment: organization-defined types of digital and non-digital media] to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures].
MP-2(1) | Media Access | X X | Yes | Yes |
The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

MP-2(2) | Media Access | X X X X | Yes | Yes | P1
The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.

MP-3 | Media Marking | X X X X X | Yes | Yes | P1
The organization: a) Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and b) Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organization-defined controlled areas].

MP-4 | Media Storage | X X X X X | Yes | Yes | P1
The organization: a) Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures]; b) Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.

MP-4(1) | Media Storage | X | No | No | P1
The organization employs cryptographic mechanisms to protect information in storage.
MP-5 | Media Transport | X X X X X X X X | Yes | Yes | P1
The organization: a) Protects and controls [Assignment: organization-defined types of digital and non-digital media] during transport outside of controlled areas using [Assignment: organization-defined security measures]; b) Maintains accountability for information system media during transport outside of controlled areas; and c) Restricts the activities associated with transport of such media to authorized personnel.

MP-5(2) | Media Transport | X X X X X X X X | Yes | Yes | P1
The organization documents activities associated with the transport of information system media.

MP-5(3) | Media Transport | X | Yes | Yes | P1
The organization employs an identified custodian throughout the transport of information system media.

MP-5(4) | Media Transport | X X X X X X | Yes | Yes | P1
The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.

MP-6 | Media Sanitization | X X X X X X | Yes | Yes | P1
The organization: a) Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and b) Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.

MP-6(1) | Media Sanitization | X X X | Yes | Yes | P1
The organization tracks, documents, and verifies media sanitization and disposal actions.

MP-6(2) | Media Sanitization | X X X X | Yes | Yes | P1
The organization tests sanitization equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
MP-6(3) | Media Sanitization | X X X X | Yes | Yes | P1
The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined list of circumstances requiring sanitization of portable, removable storage devices].

MP-6(4) | Media Sanitization | X X X | Yes | Yes | P1
The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.

MP-6(5) | Media Sanitization | X X X | Yes | Yes | P1
The organization sanitizes information system media containing classified information in accordance with NSA standards and policies.

MP-6(6) | Media Sanitization | X X X | Yes | Yes | P1
The organization destroys information system media that cannot be sanitized.

PE-1 | Physical And Environmental Protection Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
PE-2 | Physical Access Authorizations | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); b) Issues authorization credentials; c) Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access.

PE-2(1) | Physical Access Authorizations | X X X X X X X X X | Yes | Yes | P1
The organization authorizes physical access to the facility where the information system resides based on position or role.

PE-2(3) | Physical Access Authorizations | X X X | Yes | Yes | P1
The organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.
PE-3 | Physical Access Control | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible); b) Verifies individual access authorizations before granting access to the facility; c) Controls entry to the facility containing the information system using physical access devices and/or guards; d) Controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk; e) Secures keys, combinations, and other physical access devices; f) Inventories physical access devices [Assignment: organization-defined frequency]; and g) Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

PE-3(1) | Physical Access Control | X X X | Yes | Yes | P1
The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.

PE-3(2) | Physical Access Control | X X X | Yes | Yes | P1
The organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.

PE-3(3) | Physical Access Control | X X X X X X | Yes | Yes | P1
The organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
PE-3(4) | Physical Access Control | X X | Yes | Yes | P1
The organization uses lockable physical casings to protect [Assignment: organization-defined information system components] from unauthorized physical access.
PE-3(6) | Physical Access Control | X | Yes | Yes | P1
The organization employs a penetration testing process that includes [Assignment: organization-defined frequency], unannounced attempts to bypass or circumvent security controls associated with physical access points to the facility.
PE-4 | Access Control For Transmission Medium | X X X X X X | No | No | P1
The organization controls physical access to information system distribution and transmission lines within organizational facilities.
PE-5 | Access Control For Output Devices | X X X X X | Yes | Yes | P1
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-6 | Monitoring Physical Access | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Monitors physical access to the information system to detect and respond to physical security incidents; b) Reviews physical access logs [Assignment: organization-defined frequency]; and c) Coordinates results of reviews and investigations with the organization’s incident response capability.
PE-6(1) | Monitoring Physical Access | X X X X | Yes | Yes | P1
The organization monitors real-time physical intrusion alarms and surveillance equipment.
PE-6(2) | Monitoring Physical Access | X | No | No | P1
The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
PE-7 | Visitor Control | X X X X X X X X X | Yes | Yes | P1
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
PE-7(1) | Visitor Control | X X X X X X X X | Yes | Yes | P1
The organization escorts visitors and monitors visitor activity, when required.
PE-8 | Access Records | X X X X X X X X X | Yes | Yes | P3
The organization: a) Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and b) Reviews visitor access records [Assignment: organization-defined frequency].
PE-8(1) | Access Records | X | No | No | P3
The organization employs automated mechanisms to facilitate the maintenance and review of access records.
PE-8(2) | Access Records | X X | Yes | Yes | P3
The organization maintains a record of all physical access, both visitor and authorized individuals.
PE-9 | Power Equipment And Power Cabling | X X X X X | No | No | P1
The organization protects power equipment and power cabling for the information system from damage and destruction.
PE-9(2) | Power Equipment And Power Cabling | X X | No | Yes | P1
The organization employs automatic voltage controls for [Assignment: organization-defined list of critical information system components].
PE-10 | Emergency Shutoff | X X X X X | No | No | P1
The organization: a) Provides the capability of shutting off power to the information system or individual system components in emergency situations; b) Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and c) Protects emergency power shutoff capability from unauthorized activation.
PE-11 | Emergency Power | X X X X | No | No | P1
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
PE-11(1) | Emergency Power | X X | No | No | P1
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
PE-11(2) | Emergency Power | X | No | Yes | P1
The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
PE-12 | Emergency Lighting | X X X X X X | No | No | P1
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-12(1) | Emergency Lighting | X X | No | No | P1
The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.
PE-13 | Fire Protection | X X X X X X | No | No | P1
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
PE-13(1) | Fire Protection | X X X | No | No | P1
The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.
PE-13(2) | Fire Protection | X X X | No | No | P1
The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
PE-13(3) | Fire Protection | X X X | No | No | P1
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
PE-13(4) | Fire Protection | X | No | Yes | P1
The organization ensures that the facility undergoes [Assignment: organization-defined frequency] fire marshal inspections and promptly resolves identified deficiencies.
PE-14 | Temperature And Humidity Controls | X X X X X X | No | No | P1
The organization: a) Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and b) Monitors temperature and humidity levels [Assignment: organization-defined frequency].
PE-14(1) | Temperature And Humidity Controls | X X | No | Yes | P1
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
PE-14(2) | Temperature And Humidity Controls | X X | No | Yes | P1
The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.
PE-15 | Water Damage Protection | X X X X X X | No | No | P1
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
PE-15(1) | Water Damage Protection | X | No | No | P1
The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.
PE-16 | Delivery And Removal | X X X X X X X X X | No | No | P1
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.
PE-17 | Alternate Work Site | X X X X X X X X | No | No | P1
The organization: a) Employs [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites; b) Assesses as feasible, the effectiveness of security controls at alternate work sites; and c) Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-18 | Location Of Information System Components | X X |
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
PE-18(1) | Location Of Information System Components | X |
The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.
PE-19 | Information Leakage | X X X X | Yes | Yes | P0
The organization protects the information system from information leakage due to electromagnetic signals emanations.
PE-19(1) | Information Leakage | X X X X | Yes | Yes | P0
The organization ensures that information system components, associated data communications, and networks are protected in accordance with: (i) national emissions and TEMPEST policies and procedures; and (ii) the sensitivity of the information being transmitted.
PL-1 | Security Planning Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.
PL-2 | System Security Plan | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Develops a security plan for the information system that: 1) Is consistent with the organization’s enterprise architecture; 2) Explicitly defines the authorization boundary for the system; 3) Describes the operational context of the information system in terms of missions and business processes; 4) Provides the security categorization of the information system including supporting rationale; 5) Describes the operational environment for the information system; 6) Describes relationships with or connections to other information systems; 7) Provides an overview of the security requirements for the system; 8) Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and 9) Is reviewed and approved by the authorizing official or designated representative prior to plan implementation; b) Reviews the security plan for the information system [Assignment: organization-defined frequency]; and c) Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
PL-2(1) | System Security Plan | X X X X X X X X X | Yes | Yes | P1
The organization: a) Develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: (i) the purpose of the system; (ii) a description of the system architecture; (iii) the security authorization schedule; and (iv) the security categorization and associated factors considered in determining the categorization; and b) Reviews and updates the CONOPS [Assignment: organization-defined frequency].
PL-2(2) | System Security Plan | X X X X X X X X X | Yes | Yes | P1
The organization develops a functional architecture for the information system that identifies and maintains: a) External interfaces, the information being exchanged across the interfaces, and the protection mechanisms associated with each interface; b) User roles and the access privileges assigned to each role; c) Unique security requirements; d) Types of information processed, stored, or transmitted by the information system and any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; and e) Restoration priority of information or information system services.
PL-4 | Rules Of Behavior | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and b) Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.
PL-5 | Privacy Impact Assessment | X X X X X X | No | No | P1
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
PL-6 | Security-Related Activity Planning | X X X X X X X X X X X | No | No | P3
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
PS-1 | Personnel Security Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.
PS-2 | Position Categorization | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Assigns a risk designation to all positions; b) Establishes screening criteria for individuals filling those positions; and c) Reviews and revises position risk designations [Assignment: organization-defined frequency].
PS-3 | Personnel Screening | X X X X X X X X X | Yes | Yes | P1
The organization: a) Screens individuals prior to authorizing access to the information system; and b) Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening].
PS-3(1) | Personnel Screening | X X X | Yes | Yes | P1
The organization ensures that every user accessing an information system processing, storing, or transmitting classified information is cleared and indoctrinated to the highest classification level of the information on the system.
PS-3(2) | Personnel Screening | X X X | Yes | Yes | P1
The organization ensures that every user accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, is formally indoctrinated for all of the relevant types of information on the system.
PS-4 | Personnel Termination | X X X X X X X X X X X X | Yes | Yes | P2
The organization, upon termination of individual employment: a) Terminates information system access; b) Conducts exit interviews; c) Retrieves all security-related organizational information system-related property; and d) Retains access to organizational information and information systems formerly controlled by terminated individual.
PS-5 | Personnel Transfer | X X X X X X X X X X X X | Yes | Yes | P2
The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action].
PS-6 | Access Agreements | X X X X X X X X X | Yes | Yes | P3
The organization: a) Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and b) Reviews/updates the access agreements [Assignment: organization-defined frequency].
PS-6(1) | Access Agreements | X X X X X X | Yes | Yes | P3
The organization ensures that access to information with special protection measures is granted only to individuals who: a) Have a valid access authorization that is demonstrated by assigned official government duties; and b) Satisfy associated personnel security criteria.
PS-6(2) | Access Agreements | X X X | Yes | Yes | P3
The organization ensures that access to classified information with special protection measures is granted only to individuals who: a) Have a valid access authorization that is demonstrated by assigned official government duties; b) Satisfy associated personnel security criteria; and c) Have read, understand, and signed a nondisclosure agreement.
PS-7 | Third-Party Personnel Security | X X X X X X X X X | Yes | Yes | P1
The organization: a) Establishes personnel security requirements including security roles and responsibilities for third-party providers; b) Documents personnel security requirements; and c) Monitors provider compliance.
PS-8 | Personnel Sanctions | X X X X X X X X X X X X | Yes | Yes | P3
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
RA-1 | Risk Assessment Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
RA-2 | Security Categorization | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b) Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c) Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
RA-3 | Risk Assessment | X X X X X X X X X X X X | Yes | Yes | P1
The organization: a) Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; b) Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; c) Reviews risk assessment results [Assignment: organization-defined frequency]; and d) Updates the risk assessment [Assignment: organization-defined frequency] or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-5 | Vulnerability Scanning | X X X X X X X X X X X X | No | No | P1
The organization: a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; b) Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: 1) Enumerating platforms, software flaws, and improper configurations; 2) Formatting and making transparent, checklists and test procedures; and 3) Measuring vulnerability impact; c) Analyzes vulnerability scan reports and results from security control assessments; d) Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and e) Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5(1) | Vulnerability Scanning | X X X X X X X X X X X | No | No | P1
The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
RA-5(2) | Vulnerability Scanning | X X X X X X X X X X | No | No | P1
The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported.
RA-5(3) | Vulnerability Scanning | X |
The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-5(4) | Vulnerability Scanning | X X X X X X X X X X | No | No | P1
The organization attempts to discern what information about the information system is discoverable by adversaries.
RA-5(5) | Vulnerability Scanning | X X X X X X X X X X | No | No | P1
The organization includes privileged access authorization to [Assignment: organization-identified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning.
RA-5(7) | Vulnerability Scanning | X X X X X X X X X X | No | No | P1
The organization employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.
RA-5(9) | Vulnerability Scanning | X | No | No | P1
The organization employs an independent penetration agent or penetration team to: a) Conduct a vulnerability analysis on the information system; and b) Perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.
SA-1 | System And Services Acquisition Policy And Procedures | X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.
SA-2 | Allocation Of Resources | X X X X X X | No | No | P1
The organization: a) Includes a determination of information security requirements for the information system in mission/business process planning; b) Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and c) Establishes a discrete line item for information security in organizational programming and budgeting documentation.
SA-3 | Life Cycle Support | X X X X X X | Yes | Yes | P1
The organization: a) Manages the information system using a system development life cycle methodology that includes information security considerations; b) Defines and documents information system security roles and responsibilities throughout the system development life cycle; and c) Identifies individuals having information system security roles and responsibilities.
SA-4 | Acquisitions | X X X X X X | No | No | P1
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: a) Security functional requirements/specifications; b) Security-related documentation requirements; and c) Developmental and evaluation-related assurance requirements.
SA-4(1) | Acquisitions | X X X X | No | No | P1
The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
SA-4(2) | Acquisitions | X X | No | No | P1
The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.
SA-4(3) | Acquisitions | X |
The organization requires software vendors/manufacturers to demonstrate that their software development processes employ state-of-the-practice software and security engineering methods, quality control processes, and validation techniques to minimize flawed or malformed software.
SA-4(4) | Acquisitions | X X | No | No | P1
The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
SA-4(5) | Acquisitions | X | No | No | P1
The organization requires in acquisition documents, that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.
SA-4(6) | Acquisitions | X X X | No | No | P1
The organization: a) Employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and b) Ensures that these products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
SA-5 | Information System Documentation | X X X X X X | No | No | P2
The organization: a) Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes: 1) Secure configuration, installation, and operation of the information system; 2) Effective use and maintenance of security features/functions; and 3) Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and b) Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes: 1) User-accessible security features/functions and how to effectively use those security features/functions; 2) Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and 3) User responsibilities in maintaining the security of the information and information system; and c) Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
SA-5(1) | Information System Documentation | X X X X X | No | No | P2
The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
SA-5(2) | Information System Documentation | X X X X | No | No | P2
The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.

SA-5(3) | Information System Documentation | X X X X | No | No | P2
The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

SA-5(4) | Information System Documentation | X | No | No | P2
The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.

SA-6 | Software Usage Restrictions | X X X X X X X X X | No | No | P1
The organization: a) Uses software and associated documentation in accordance with contract agreements and copyright laws; b) Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and c) Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

SA-7 | User Installed Software | X X X X X X | Yes | Yes | P1
The organization enforces explicit rules governing the installation of software by users.
SA-8 | Security Engineering Principles | X X X X X | Yes | Yes | P1
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

SA-9 | External Information System Services | X X X X X X | No | No | P1
The organization: a) Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b) Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c) Monitors security control compliance by external service providers.

SA-9(1) | External Information System Services | X X X | No | No | P1
The organization: a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined senior organizational official].

SA-10 | Developer Configuration Management | X X X X X | No | Yes | P1
The organization requires that information system developers/integrators: a) Perform configuration management during information system design, development, implementation, and operation; b) Manage and control changes to the information system; c) Implement only organization-approved changes; d) Document approved changes to the information system; and e) Track security flaws and flaw resolution.
SA-10(1) | Developer Configuration Management | X X X | No | Yes | P1
The organization requires that information system developers/integrators provide an integrity check of software to facilitate organizational verification of software integrity after delivery.

SA-11 | Developer Security Testing | X X X X X | No | Yes | P2
The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers): a) Create and implement a security test and evaluation plan; b) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and c) Document the results of the security testing/evaluation and flaw remediation processes.

SA-11(1) | Developer Security Testing | X | No | Yes | P2
The organization requires that information system developers/integrators employ code analysis tools to examine software for common flaws and document the results of the analysis.

SA-11(2) | Developer Security Testing | X | No | Yes | P2
The organization requires that information system developers/integrators perform a vulnerability analysis to document vulnerabilities, exploitation potential, and risk mitigations.

SA-12 | Supply Chain Protection | X X X X X X X X X X | Yes | Yes | P1
The organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy.

SA-12(2) | Supply Chain Protection | X X X X X X X X X | Yes | Yes | P1
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware, software, firmware, or services.
SA-13 | Trustworthiness | X
The organization requires that the information system meets [Assignment: organization-defined level of trustworthiness].

SC-1 | System And Communications Protection Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

SC-2 | Application Partitioning | X X X X X X X X | Yes | Yes | P1
The information system separates user functionality (including user interface services) from information system management functionality.

SC-2(1) | Application Partitioning | X X X X X X
The information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.

SC-3 | Security Function Isolation | X X | Yes | Yes | P1
The information system isolates security functions from nonsecurity functions.

SC-4 | Information In Shared Resources | X X X X X | No | No | P1
The information system prevents unauthorized and unintended information transfer via shared system resources.

SC-5 | Denial Of Service Protection | X X X X X X | No | Yes | P1
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

SC-5(1) | Denial Of Service Protection | X X X | No | Yes | P1
The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.
SC-5(2) | Denial Of Service Protection | X X | No | Yes | P1
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

SC-6 | Resource Priority | X | No | No | P0
The information system limits the use of resources by priority.

SC-7 | Boundary Protection | X X X X X X X X X | No | No | P1
The information system: a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and b) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

SC-7(1) | Boundary Protection | X X X X X X X X | No | No | P1
The organization physically allocates publicly accessible information system components to separate sub networks with separate physical network interfaces.

SC-7(2) | Boundary Protection | X X X X X X X X | No | No | P1
The information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.

SC-7(3) | Boundary Protection | X X X X X X X X | No | No | P1
The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
SC-7(4) | Boundary Protection | X X X X X X X X | No | No | P1
The organization: a) Implements a managed interface for each external telecommunication service; b) Establishes a traffic flow policy for each managed interface; c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted; d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.

SC-7(5) | Boundary Protection | X X X X X X X X | No | No | P1
The information system, at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).

SC-7(6) | Boundary Protection | X
The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.

SC-7(7) | Boundary Protection | X X X X X X X X | No | No | P1
The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.

SC-7(8) | Boundary Protection | X X X X X X X | No | No | P1
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices.
SC-7(11) | Boundary Protection | X X X | No | No | P1
The information system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination.

SC-7(12) | Boundary Protection | X X X X X X X X X | No | No | P1
The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.

SC-7(13) | Boundary Protection | X X X X X X | No | No | P1
The organization isolates [Assignment: organization defined key information security tools, mechanisms, and support components] from other internal information system components via physically separate subnets with managed interfaces to other portions of the system.

SC-7(14) | Boundary Protection | X X X X X X | No | No | P1
The organization protects against unauthorized physical connections across the boundary protections implemented at [Assignment: organization-defined list of managed interfaces].

SC-7(18) | Boundary Protection | X X X X X X X X X | No | No | P1
The information system fails securely in the event of an operational failure of a boundary protection device.

SC-8 | Transmission Integrity | X X X X X | No | No | P1
The information system protects the integrity of transmitted information.

SC-8(1) | Transmission Integrity | X X X X | No | No | P1
The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.

SC-8(2) | Transmission Integrity | X | No | No | P1
The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission.

SC-9 | Transmission Confidentiality | X X X X X | No | No | P1
The information system protects the confidentiality of transmitted information.
SC-9(1) | Transmission Confidentiality | X X X X X | No | No | P1
The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by [Assignment: organization-defined alternative physical measures].

SC-9(2) | Transmission Confidentiality | X X | No | No | P1
The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.

SC-10 | Network Disconnect | X X X X X X X X | No | Yes | P2
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

SC-11 | Trusted Path | X X X | No | Yes | P0
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and reauthentication].

SC-12 | Cryptographic Key Establishment And Management | X X X X X X X X X | No | No | P1
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.

SC-12(1) | Cryptographic Key Establishment And Management | X X X X | No | No | P1
The organization maintains availability of information in the event of the loss of cryptographic keys by users.

SC-13 | Use Of Cryptography | X X X X X X X X X | Yes | Yes | P1
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

SC-13(4) | Use Of Cryptography | X X | Yes | Yes | P1
The organization employs [Selection: FIPS-validated; NSA-approved] cryptography to implement digital signatures.
SC-14 | Public Access Protections | X X X X X X X X X | No | No | P1
The information system protects the integrity and availability of publicly available information and applications.

SC-15 | Collaborative Computing Devices | X X X X X X | No | Yes | P1
The information system: a) Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b) Provides an explicit indication of use to users physically present at the devices.

SC-15(1) | Collaborative Computing Devices | X X X | No | Yes | P1
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.

SC-15(2) | Collaborative Computing Devices | X X X X X X | No | Yes | P1
The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.

SC-15(3) | Collaborative Computing Devices | X X X X X X | No | Yes | P1
The organization disables or removes collaborative computing devices from information systems in [Assignment: organization-defined secure work areas].

SC-17 | Public Key Infrastructure Certificates | X X X X X X X X | No | No | P1
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider.

SC-18 | Mobile Code | X X X X X | No | Yes | P1
The organization: a) Defines acceptable and unacceptable mobile code and mobile code technologies; b) Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c) Authorizes, monitors, and controls the use of mobile code within the information system.
SC-18(1) | Mobile Code | X X X | No | Yes | P1
The information system implements detection and inspection mechanisms to identify unauthorized mobile code and takes corrective actions, when necessary.

SC-18(2) | Mobile Code | X X X | No | Yes | P1
The organization ensures the acquisition, development, and/or use of mobile code to be deployed in information systems meets [Assignment: organization-defined mobile code requirements].

SC-18(3) | Mobile Code | X X X | No | Yes | P1
The information system prevents the download and execution of prohibited mobile code.

SC-18(4) | Mobile Code | X X X | No | Yes | P1
The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and requires [Assignment: organization-defined actions] prior to executing the code.

SC-19 | Voice Over Internet Protocol | X X X X X X X X | No | No | P1
The organization: a) Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b) Authorizes, monitors, and controls the use of VoIP within the information system.

SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | X X X X X X | No | Yes | P1
The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.

SC-20(1) | Secure Name/Address Resolution Service (Authoritative Source) | X X X X X X | No | No | P1
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
SC-21 | Secure Name/Address Resolution Service (Recursive Or Caching Resolver) | X X X X | No | Yes | P1
The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.

SC-21(1) | Secure Name/Address Resolution Service (Recursive Or Caching Resolver) | X X X | No | Yes | P1
The information system performs data origin authentication and data integrity verification on all resolution responses whether or not local clients explicitly request this service.

SC-22 | Architecture And Provisioning For Name/Address Resolution Service | X X X X X X X X X X X | No | Yes | P1
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

SC-23 | Session Authenticity | X X X X X | No | Yes | P1
The information system provides mechanisms to protect the authenticity of communications sessions.

SC-23(1) | Session Authenticity | X X X | No | Yes | P1
The information system invalidates session identifiers upon user logout or other session termination.

SC-23(2) | Session Authenticity | X X X | No | Yes | P1
The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages.

SC-23(3) | Session Authenticity | X X X | No | Yes | P1
The information system generates a unique session identifier for each session and recognizes only session identifiers that are system-generated.

SC-23(4) | Session Authenticity | X X X | No | Yes | P1
The information system generates unique session identifiers with [Assignment: organization-defined randomness requirements].

SC-24 | Fail In Known State | X X X X X X X | Yes | Yes | P1
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
SC-28 | Protection Of Information At Rest | X X X X X X X X | Yes | Yes | P1
The information system protects the confidentiality and integrity of information at rest.

SC-28(1) | Protection Of Information At Rest | X X | Yes | Yes | P1
The organization employs cryptographic mechanisms to prevent unauthorized disclosure and modification of information at rest unless otherwise protected by alternative physical measures.

SC-32 | Information System Partitioning | X X X X X X | No | No | P0
The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.

SC-33 | Transmission Preparation Integrity | X | No | Yes | P0
The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.

SI-1 | System And Information Integrity Policy And Procedures | X X X X X X X X X X X X | Yes | Yes | P1
The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]: a) A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and b) Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.

SI-2 | Flaw Remediation | X X X X X X | Yes | Yes | P1
The organization: a) Identifies, reports, and corrects information system flaws; b) Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and c) Incorporates flaw remediation into the organizational configuration management process.
SI-2(1) | Flaw Remediation | X
The organization centrally manages the flaw remediation process and installs software updates automatically.

SI-2(2) | Flaw Remediation | X X X X | No | No | P1
The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

SI-2(3) | Flaw Remediation | X X X | No | Yes | P1
The organization measures the time between flaw identification and flaw remediation, comparing with [Assignment: organization-defined benchmarks].

SI-2(4) | Flaw Remediation | X X X | No | Yes | P1
The organization employs automated patch management tools to facilitate flaw remediation to [Assignment: organization-defined information system components].
SI-3 | Malicious Code Protection | X X X X X X | No | No | P1
The organization: a) Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: 1) Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or 2) Inserted through the exploitation of information system vulnerabilities; b) Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures; c) Configures malicious code protection mechanisms to: 1) Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and 2) [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d) Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

SI-3(1) | Malicious Code Protection | X X X X X | No | No | P1
The organization centrally manages malicious code protection mechanisms.

SI-3(2) | Malicious Code Protection | X X X X X | No | No | P1
The information system automatically updates malicious code protection mechanisms (including signature definitions).
SI-3(3) | Malicious Code Protection | X X X X X | No | No | P1
The information system prevents non-privileged users from circumventing malicious code protection capabilities.

SI-4 | Information System Monitoring | X X X X X | No | Yes | P1
The organization: a) Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks; b) Identifies unauthorized use of the information system; c) Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization; d) Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and e) Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.

SI-4(1) | Information System Monitoring | X X X | No | No | P1
The organization interconnects and configures individual intrusion detection tools into a system wide intrusion detection system using common protocols.

SI-4(2) | Information System Monitoring | X X X X X | No | No | P1
The organization employs automated tools to support near real-time analysis of events.

SI-4(4) | Information System Monitoring | X X X X X X X X | No | No | P1
The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
SI-4(5) | Information System Monitoring | X X X X X | No | No | P1
The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].

SI-4(6) | Information System Monitoring | X X X X X | No | No | P1
The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.

SI-4(7) | Information System Monitoring | X X X X X X | No | Yes | P1
The information system notifies [Assignment: organization-defined list of incident response personnel (identified by name and/or by role)] of suspicious events and takes [Assignment: organization-defined list of least-disruptive actions to terminate suspicious events].

SI-4(8) | Information System Monitoring | X X X X X X X X X | No | No | P1
The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.

SI-4(9) | Information System Monitoring | X X X | No | Yes | P1
The organization tests/exercises intrusion-monitoring tools [Assignment: organization-defined time-period].

SI-4(11) | Information System Monitoring | X X X | No | No | P1
The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter) and, as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems) to discover anomalies.

SI-4(12) | Information System Monitoring | X X X X X X | No | Yes | P1
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that trigger alerts].

SI-4(14) | Information System Monitoring | X X X X X X | No | No | P1
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
SI-4(15) | Information System Monitoring | X X X X X X | No | No | P1
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wire line networks.

SI-4(16) | Information System Monitoring | X X X | No | Yes | P1
The organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.

SI-4(17) | Information System Monitoring | X X X X X X | No | Yes | P1
The organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness.

SI-5 | Security Alerts, Advisories, And Directives | X X X X X X | No | No | P1
The organization: a) Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; b) Generates internal security alerts, advisories, and directives as deemed necessary; c) Disseminates security alerts, advisories, and directives to [Assignment: organization-defined list of personnel (identified by name and/or by role)]; and d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

SI-5(1) | Security Alerts, Advisories, And Directives | X X X X | No | No | P1
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.
SI-6 Security Functionality Verification | Marks: X X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

SI-6(1) Security Functionality Verification | Marks: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The information system provides notification of failed automated security tests.

SI-6(3) Security Functionality Verification | Marks: X X X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P1
The organization reports the result of security function verification to designated organizational officials with information security responsibilities.

SI-7 Software And Information Integrity | Marks: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system detects unauthorized changes to software and information.

SI-7(1) Software And Information Integrity | Marks: X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system.

SI-7(2) Software And Information Integrity | Marks: X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.
SI-8 Spam Protection | Marks: X X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization: a) Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and b) Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.

SI-8(1) Spam Protection | Marks: X X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The organization centrally manages spam protection mechanisms.

SI-8(2) Spam Protection | Marks: X X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system automatically updates spam protection mechanisms (including signature definitions).

SI-9 Information Input Restrictions | Marks: X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization restricts the capability to input information to the information system to authorized personnel.

SI-10 Information Input Validation | Marks: X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P1
The information system checks the validity of information inputs.

SI-11 Error Handling | Marks: X X X X X | NSS Stand-Alone: No | NSS Network: No | Priority: P2
The information system: a) Identifies potentially security-relevant error conditions; b) Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and c) Reveals error messages only to authorized personnel.
SI-12 Information Output Handling And Retention | Marks: X X X X X X X X X | NSS Stand-Alone: Yes | NSS Network: Yes | Priority: P2
The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

SI-13 Predictable Failure Prevention | Marks: X | NSS Stand-Alone: No | NSS Network: Yes | Priority: P0
The organization: a) Protects the information system from harm by considering mean time to failure for [Assignment: organization-defined list of information system components] in specific environments of operation; and b) Provides substitute information system components, when needed, and a mechanism to exchange active and standby roles of the components.
Appendix C – NIST SP 800-53 Rev 4 Control Family Policies
EM sites may adopt the policies listed in this section or create their own policies to address the control policy requirements in NIST SP 800-53.
AC-1 Account Management
Purpose: The purpose of the AC control family is to ensure that only those that have been granted formal access to an IT system are able to access the system or information. Access controls also allow the sites to detect, record, and block would-be intruders.
Scope: The access control family must be implemented and monitored on DOE and contractor systems. These security controls provide protection of data through the use of access restrictions to local and remote systems, least privilege functionality, encryption for data in transit and data at rest, separation of duties, restrictions on the use of mobile devices, and session termination.
Roles: The Information System Security Officer (ISSO) and the System Administrators (SA) are key to the implementation of this control family and are tasked to ensure that proper access controls are implemented based on the NIST categorization level.
Responsibilities: The ISSO is to ensure that the controls are implemented by the SAs, work as expected, and provide adequate protection for DOE EM and contractor systems and data. (Refer to the roles and responsibilities section of the RMAIP.)
These controls are to be tested upon initial system authorization and then once every three years by an independent assessor as part of a continuous monitoring program. The controls should also be tested when any significant access procedures or changes are made to the system.
Management Commitment: The site management must ensure that sufficient access controls are in place to protect the system and information based on the categorization level, potential of harm, and acceptable level of residual risk. The site management must provide the resources to implement and must actively support the implementation of HSPD-12 compliant logical access by 2012.
Coordination: The ISSO and SAs must coordinate to ensure that the proper level of access controls is in use throughout the site and is tested as part of the initial authorization and continuous monitoring program.
Compliance: The sites must comply with DOE orders, this RMAIP, and NIST Special Publications (SP) 800-46, 800-77, 800-113, 800-114, 800-121, 800-94, 800-97, and 800-124 (as modified).
AT-1 Awareness and Training
Purpose: This family of controls ensures that all personnel (users, administrators, security, and those with elevated privileges) are trained in the security policies and procedures of their relevant position. This control also means that no one should have access to a DOE network prior to having attended security awareness training. Similarly, individuals with elevated privileges must have additional training sufficient for them to carry out their security functions.
Scope: Training needs to extend from site management to user personnel within an organization. Training must be done annually to educate all personnel on emerging system and user exploits, risky behaviors (web and phishing), reporting incidents/suspicious procedures, and coordination with other groups that can benefit by lessons learned.
Roles: Training must be accomplished by DOE EM and contractor sites and cover three levels: (1) users, (2) SAs (system, database, and web), and (3) personnel with elevated access privileges. The ISSM is responsible for making sure all personnel are sufficiently trained. If the ISSO determines that training was not accomplished for the current year, the individual will be removed from access to DOE networks.
Responsibilities: The ISSO/ISSM must ensure that all individuals receive security training as required by the site, annually. The ISSO must make sure that all individuals utilizing DOE EM and contractor networks or systems processing EM data will receive user awareness training prior to being granted access to the network.
Management Commitment: The site management must provide sufficient direction and emphasis to ensure that all site personnel are trained at least annually. Management must also make certain that records are maintained on training and are kept current.
Coordination: The individual DOE EM sites must coordinate with the EM Cyber Security Program Manager (CSPM) for review and guidance on their security awareness training depth and scope. In addition, the EM CSPM must be consulted on elevated privilege training.
Compliance: All sites must meet appropriate DOE policy and RMAIP guidance to ensure sufficient and effective training of all personnel at all levels.
AU-1 Audit and Accountability
Purpose: Auditing is one of the critical methods to determine and document how effectively security controls are implemented, functioning as intended, and producing the expected results. Frequent audits ensure that security baselines are functioning correctly, are being patched, have authorized CCB upgrades installed, and are sufficient to meet new and emerging security threats and vulnerabilities.
Scope: All DOE EM sites must conduct timely audits on security controls to determine if they meet NIST and DOE security requirements, federal laws, Executive Orders, and/or local regulations or statutes.
Roles: The ISSO/ISSM are responsible for setting up audits, monitoring performance, and providing guidance for corrective actions on audit findings. The ISSO/ISSM must keep the AO/AODR informed on audit findings, the potential impact of the findings, and the options for addressing them.
Responsibilities: The ISSO is the principal individual to formulate, implement, and monitor auditing reports. The ISSO is also the primary individual to establish the plan of action and milestones (POA&Ms) associated with corrective actions.
The ISSO and ISSM must define what is an auditable event, what information is to be recorded, how the events will be monitored and analyzed, where the information on the events will be stored and for how long, and what the response/process is to address audit failures and how failures will be addressed.
The ISSO must ensure that policies, procedures, and documents are updated annually to reflect audit weakness findings, and that corrective POA&Ms are put in place and followed.
Management Commitment: Site management must address any findings that could alter the level of residual risk accepted by the AO during the authorization process.
Management must provide the personnel, resources, and funding to address the POA&Ms produced by audits.
Coordination: The ISSO and ISSM must coordinate with the AO/AODR on findings, potential security impacts, and recommended solutions.
Compliance: The sites' auditing policies and procedures must meet NIST, DOE, and RMAIP security requirements, and/or local regulations or statutes.
CA-1 Security Assessment and Authorization
Purpose: Authorization is the process of evaluating the security policies and procedures to protect an information system and the resulting level of acceptable risk (after safeguards have been applied to vulnerabilities). Authorization is an ongoing process to continually defend against emerging threats, system changes, and inside personnel actions. This control addresses the state of a system at a defined time and configuration.
This set of security controls is used by the AO to determine the acceptable level of residual risk and whether a system should have authority to operate (ATO).
Scope: Authorization is to be performed on all accreditation boundaries (systems or groups of systems) providing services to DOE EM or contractor sites that process, store, or communicate DOE EM data. Authorizations can be performed on a three-year cycle provided continuous monitoring is performed each year to cover all the NIST/DOE security controls/requirements over the three-year period. The AO may elect to re-authorize each individual accreditation boundary after a yearly continuous monitoring assessment provided there is no significant increase in the acceptable level of risk.
Roles: Security authorization is the official management decision conveyed through the authorization decision document, given by a senior organizational official or executive (i.e., authorizing official) to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
The ISSO/ISSM must provide the resources to prepare, assist in, and document the initial authorization process, continuous monitoring assessments, and re-authorizations.
Responsibilities: Only the AO can sign/authorize a system for operation. The AODR is responsible for advising the AO on technical matters, providing recommendations, and preparing for assessments. The ISSO/ISSM must provide the resources to prepare, personnel to assist in assessments, and documentation of continuous monitoring assessments or re-authorizations.
Management Commitment: The AO must ensure that sufficient resources and management guidance are provided to prepare, conduct, document, and remediate system flaws throughout the system development life cycle (SDLC). The AO must follow the DOE and NIST security requirements to provide protection commensurate with risk. The AO must ensure that all systems have an ATO prior to being connected to the network. The AO must ensure that the Risk Management Framework (RMF) and Risk Management Approach (RMA) are followed and systems are in compliance with their provisions.
Coordination: The AO, AODR, ISSO, and ISSM must coordinate all authorization processes and continuous monitoring activities with site personnel.
Compliance: The AO must ensure that the RMF and RMA are followed and systems are in compliance with their provisions.
CM-1 Configuration Management
Purpose: This control family is used to maintain the authorized system security configuration at the same level of residual risk as when it was authorized. Configuration management is necessary because of inevitable hardware and software change, approved baseline control modification, and organizational changes that occur throughout all the phases of the SDLC.
Scope: This control applies to all DOE EM or DOE EM contractor systems.
Roles: The ISSO, SAs, system owner, and CCB have the primary roles in configuration management.
Responsibilities: The ISSO must create security baseline configurations for workstations, servers, switches, routers, firewalls, databases, IDS/IPS, mobile, wireless, and web systems.
The ISSO or system owner must create, maintain, and monitor an inventory control system for system components.
The site organizations must establish and use a CCB to evaluate, test, and approve all major changes to the secure baseline configurations prior to implementing them on a system. The CCB must establish what is considered a major change to the security baseline and assess the security impact of such changes.
The ISSO/SA must build system components to the latest approved baseline configurations and monitor the systems' compliance with these configurations on a regular basis.
The site must monitor its approved security baseline configurations to detect any changes or improper changes by inside or outside personnel.
The baseline configurations must provide the least functionality needed for the site personnel to accomplish their mission.
The site must perform periodic risk assessments to determine if changes or emerging threats have created vulnerabilities.
Management Commitment: The sites' management must provide the resources for periodic risk assessments, configuration control boards, configuration management software, and a current list of equipment, components, software, and approved configuration changes to the security baselines for such equipment.
Coordination: The ISSO and ISSM must coordinate with the CCB, inventory control, procurement, and legal to ensure that security baseline specifications, federal checklists, approved CCB changes, patches, and system authorization are performed prior to systems being placed online or after significant changes occur within a system.
Compliance: The site must comply with federal baseline checklists, security baseline builds, approved CCB changes, procurement, and legal regulations.
CP-1 Contingency Planning
Purpose: The contingency planning controls are meant to establish policies and procedures so that each site's systems can accomplish their DOE EM mission within the time periods specified by the business impact analysis (BIA). The organization's risk management strategy is a key factor in the development of the contingency plan policy/procedures.
Scope: The scope of this plan should address the minor to major incidents that disrupt, slow down, or halt the site's DOE EM mission/business functions.
Roles: The Contingency Plan Manager and CP team (assessment, activation, recovery, alternate site) members are to be identified by name and position with contact information.
Responsibilities: The CP Manager must make the CP activation decision based on information from the analysis team as to the extent of the damage.
The team members must be trained and conduct bi-annual contingency exercises that realistically portray possible events.
Management Commitment: The site's management must provide the resources to staff, train, and conduct CP exercises. Where deemed necessary by a BIA, management must provide the resources for an alternate operating site that meets the maximum allowable downtimes specified in the BIA.
Coordination: The site must ensure that all the site's accreditation boundaries participate in staffing, conducting CP exercises, and CP training.
Compliance: The sites must comply with the provisions of the RMAIP, NIST SP 800-34 (as modified), and any state or local contingency requirements.
IA-1 Identification and Authentication
Purpose: This control is used to authenticate users or processes that are requesting access to either local, networked, or remote networks. These controls must be accomplished by two-factor authenticators such as tokens, biometrics, or badge and PIN.
Scope: These security controls are pertinent to DOE EM personnel, contractors, or guests to DOE EM or contractor facilities. The sites must make provisions for HSPD-12 implementation by 2012.
Roles: Site Management, Program Managers, ISSO, ISSM, and SAs must make sure that access by individuals or processes follows approved policies and procedures and is periodically checked for current processing validity.
Responsibilities: The organizations' Program Management must participate in ensuring that individuals are assigned to the proper functional groups or have access to only those functions that are required for their roles and responsibilities (least privilege). The ISSO and ISSM must be part of the process to assign, review, and approve the access levels of individuals or system processes. Guest accounts must follow the same procedures and have limited access and a defined termination date.
Management Commitment: Site Management must ensure that issuance of authenticators and IDs follows the approved process, and that IDs are monitored and revoked upon termination, transfer, or organizational changes. Management is encouraged to perform these tasks by automated means.
Coordination: The Program Managers, ISSO, and SAs must coordinate their efforts to ensure that authenticators are issued properly, are needed, are currently valid, are terminated when not required, and provide least functionality.
Compliance: The site needs to comply with NIST FIPS 201 and use the following as guidance: SP 800-63, 800-73, 800-76, 800-78, and 800-100.
IR-1 Incident Response
Purpose: Incident Response controls are utilized to detect, analyze, prioritize, correct, and restore system functionality from unauthorized or nefarious actions by external or internal personnel. These controls provide a process by which suspicious or actual unauthorized actions can be addressed to prevent further damage and infection of additional systems, and they provide centralized reporting mechanisms.
Scope: Incident Response can be by system, accreditation boundary, or site and must address DOE and contractor systems. All significant incidents must be shared and coordinated with other operating programs such as DOE JC3 and the US-Computer Emergency Response Team (US-CERT).
Roles: The organizations' CIO, program managers, IT/DBMS technical support staff, SAs, ISSO, and ISSM are responsible for developing, monitoring, and tracking incidents, and for conducting exercises and training for incidents.
Responsibilities: The appointed Computer Security Incident Response Team(s) (CSIRTs) and the ISSO/ISSM are responsible for creating policies and procedures that will detect, analyze, prioritize, and restore system functions to normal.
Management Commitment: The organizations' management must provide the resources, personnel, and necessary training and exercises to produce an effective incident response capability to meet DOE JC3 and US-CERT standards. These policies and procedures will enable sites to meet their DOE mission parameters. They must coordinate incident information with other operating groups (DOE JC3 and US-CERT) in a timely and correctly formatted report.
Coordination: The organization must coordinate all confirmed incidents with its other operating groups such as DOE JC3 and US-CERT, as appropriate.
Compliance: The sites must comply with their defined IR procedures, the RMAIP, US-CERT, and local law enforcement policies.
MA-1 Maintenance
Purpose: The purpose of this control is to prevent either the intentional or unintentional changes resulting from system maintenance/maintenance personnel that could open the secure baselines, grant unauthorized access/changes, or cause damage to the systems. These controls also ensure that the systems are maintained at the current level of security baselines, repairs, patches, and approved CCB changes.
Scope: This control covers all DOE EM site contractor or vendor maintenance personnel. This control family also covers remote maintenance services, whether by DOE, site contractor, or vendor personnel.
Roles: The ISSO is primarily responsible for these procedures, in addition to monitoring and documenting.
Responsibilities: The ISSO must create policies and procedures to perform standard hardware and software maintenance, monitor system changes, perform oversight of site/remote maintenance processes, and document all results. The ISSO must test all significant changes to ensure they haven't changed the system's security posture. Further, the ISSO must ensure that maintenance tools do not alter the system's security.
Management Commitment: The organizations' management must provide sufficient resources to ensure that site hardware, software, and other electronic components are identified, catalogued, monitored, maintained, and documented. These efforts will ensure that the latest security baselines, patches, and equipment repairs do not alter or make vulnerable the secure state of the systems or electronic components.
Coordination: The ISSO must coordinate the schedule for equipment repairs, patching, baseline builds, security testing, and monitoring of the security impact of any and all changes. The ISSO must determine if site maintenance or vendor tools may be used on the equipment.
Compliance: The sites must comply with the RMAIP.
MP-1 Media Protection
Purpose: This control is used to secure the handling, processing, data-at-rest storage requirements, and transport of sensitive information on both electronic and hard copy items.
Scope: This control applies to all DOE EM site personnel, on-site contractors, personal computers, telephonic and videoconference services, and site assessors. This control applies to all unclassified, NSS, PII, and appropriate/designated contractor material.
Roles: The ISSO, information owner, and EM CSPM all share responsibility for this control.
Responsibilities: The ISSO must develop a list of sensitive materials, their sensitivity levels, and the system location. The ISSO must put in place access controls, least privilege functions, access monitoring, and alerting of inappropriate or unauthorized access, processing, printing, or copying of such sensitive materials. Encryption techniques must be used on PII and above information. The ISSO must ensure that sensitive information removed from the facility is logged, monitored, and encrypted. The site will institute measures to actively monitor the transfer or copying of sensitive information onto mobile devices of any kind. The ISSO must ensure that after the media is no longer needed for its appropriate use (end-of-life), it is securely erased, verified clean, or destroyed.
Management Commitment: The organizations' management must ensure that security processes for handling and marking electronic, hard copy, and removable media are in place and enforced. Management must ensure that the necessary mechanisms to inventory, track, mark, and monitor mobile or hardcopy sensitive data, including its destruction, are in place.
Coordination: The ISSO must coordinate with the information owner to determine the sensitivity of information. The site must coordinate with all project groups to ensure the sensitive media safeguard policies, procedures, and notifications are followed.
Compliance: All media must be appropriately identified, marked, and handled in accordance with DOE policies, this RMAIP, and NIST SP 800-88 (as modified), Guidelines for Media Sanitization.
PE-1 Physical and Environmental
Purpose: This security control is meant to provide the policies and procedures for protective measures employed by physical and environmental safeguards at the site. The controls address access, environmental safeguards for IT equipment, alternative work sites, and delivery/removal of equipment.
Scope: These controls apply to all DOE EM or contractor-run sites. All accreditation boundaries within a site must provide these physical and environmental safeguards.
Roles: Human Resources, Security, and IT personnel are involved in these controls.
Responsibilities: The organizations' HR department is responsible for the processes that involve personnel procedures to verify, issue, monitor, and revoke badge access. The organizations' security personnel will be responsible for access and visitor control, including credential verification, recording, monitoring, and escort information. The IT staff must provide secure access to IT rooms, environmental (HVAC and water) monitoring, and cabling protection.
Management Commitment: Management will be responsible for coordinating the policies and processes to guarantee that personnel access controls, environmental protections, and IT controls are in place and operating.
Coordination: The ISSO and ISSM must coordinate with HR, IT, and Security staffs to make sure that the controls are implemented, correct, and producing the required results in all the physical sites and accreditation boundaries.
Compliance: The site must ensure that it meets all appropriate DOE policy, the RMAIP, and local laws and requirements for physical and environmental codes.
PL-1 Planning
Purpose: Security planning addresses the adequacy of security controls to provide risk-based levels of safeguards for the confidentiality, integrity, and availability of the site's personnel, mission data, PII, and IT equipment. These controls encompass management, operational, and technical safeguards to adequately meet the site's acceptable level of risk. This security planning information is captured in the system security plan (SSP).
Scope: Planning applies to all DOE EM sites and contractor sites. In general, any accreditation boundary that collects, generates, processes, stores, or communicates DOE EM data is subject to this control.
Roles: The ISSO, AODR, and AO all share responsibility for this control.
Responsibilities: The ISSO is responsible for the creation, implementation, and update of the security controls planning document (SSP). The AO or AODR needs to review and approve the SSP based on acceptable levels of risk, mission requirements, and the NIST Risk Management Framework.
Management Commitment: The sites' management must ensure that each accreditation boundary has the requisite SSP. Management must also ensure that it meets the intent of NIST's Risk Management Framework and the Systems Development Life Cycle. Management must enforce policies and procedures required for security planning.
Coordination: The ISSO must coordinate with all site personnel, the AODR, and the AO in the compilation, execution, update, and documentation of the SSP.
Compliance: The site needs to comply with all applicable DOE Orders, OMB Memorandum 03-22, and NIST SP 800-18 (as modified) requirements.
PS-1 Personnel Security
Purpose: This control family applies to position categorization, background screening, clearances, termination, transfer and access agreements, and personnel sanctions. This control family is vital to preventing unwanted insider personnel violations. It is also essential for personnel with elevated privileges.
Scope: This control applies to all DOE EM and contractor personnel that have access to DOE EM systems, networks, and data.
Roles: The ISSO, Program Managers, and HR all share responsibility for this control.
Responsibilities: The sites' HR must create a position categorization that includes a position description, tasking, level of access (least privilege), background investigation levels, clearances, termination, and transfer checklists for all personnel. The ISSO must coordinate with the Program Managers and HR to validate that all these functions are correct and complete prior to granting access to the network and DOE EM data. Any personnel transfers or terminations must be immediately reported to the ISSO.
Management Commitment: Site management must ensure that position descriptions, level of background investigations (screening), and personnel actions (terminations, transfers, and sanctions) are in compliance with the site's personnel security requirements.
Coordination: The sites' HR, Program Managers, and the ISSO must coordinate to make sure that all these requirements are in place and met prior to granting any individual access to DOE EM networks or data.
Compliance: The ISSO and ISSM must make sure that all the sites' personnel procedures are adhered to prior to granting access to DOE EM data or networks.
RA-1 Risk Assessment
Purpose: The purpose of a risk assessment is to ensure that in-place security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to protecting the system, data and personnel. The risk assessment family of controls evaluates vulnerabilities, threat sources, and security controls planned or in place to determine the level of residual risk (acceptable risk) posed to organizational operations and assets, individuals, and other organizations by the operation of the information system. The controls selected must be commensurate with the risk, likelihood, and impact of potential harm.
Scope: Risk assessments (formal or informal) are to be conducted by all DOE EM sites or contractor-operated sites using the DOE RMA and the NIST RMF, including: information system categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.
Roles: The AO, AODR, ISSO, ISSM, system owner, and information steward all share responsibility for this control.
Responsibilities: The ISSO and system owner must create a risk assessment strategy that takes into consideration the magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits. The ISSO must perform periodic risk assessments and scans to determine whether component (hardware or software), organizational, or environmental changes, or emerging threats, have created new vulnerabilities.
The AO/AODR must review and approve the risk assessment strategy, testing methodology, and risk assessment results (acceptable level of risk).
Management Commitment: The organizations' management must make sure that risk assessments are conducted.
Coordination: The ISSO must coordinate with the system owner and information steward on the sensitivity of data and the level of protection required.
Further, the ISSO must coordinate the risk strategy with all interconnected site boundaries and sub-boundaries.
Compliance: The sites must comply with the provisions of appropriate DOE policy, the RMAIP, and NIST SP 800-30 (as modified).
SA-1 System and Services Acquisition
Purpose: The purpose of this family of controls is to ensure that sufficient resources are allocated for the site to follow the SDLC (initiation through termination) for system components, including: ensuring that security requirements are defined in procurement terms and conditions, that software licenses are not exceeded, that software developers incorporate security practices in developing programs, and that users are not allowed desktop installation privileges.
Scope: This family applies to all DOE procurements for site or contractor purchases.
Roles: This is a collaborative effort between purchasing, contracts, and the ISSO.
Responsibilities: The ISSO and ISSM must ensure that any specific security requirements, enterprise architecture needs, checklist conformance certificates, documentation, and license conditions are incorporated in system component procurements.
Contracts and purchasing must create, document, and maintain the minimum terms and conditions for procurement of system components. These groups must coordinate with the ISSO for review prior to issuing any system components.
Management Commitment: The site manager must ensure that sufficient funding is available to support the system accreditation boundary from initiation to shut down. This includes a line item in the yearly budget for security operations. Site management must ensure that all operating groups follow the same procurement and security rules.
Coordination: The ISSO, contracts, and purchasing groups must coordinate on all system component purchases to make sure they meet the security specifications, terms and conditions, and conformance clauses.
Compliance: The site and individual operating groups must comply with all procurement and legal terms and conditions when procuring system or network components.
SC-1 System and Communication Protection
Purpose: This control family is meant to address system and network policies and procedures. Its intent is to provide “defense in depth” for both systems and networks. This approach provides safeguards within safeguards to make unauthorized access, use or modification of system or network operations more difficult.
Scope: The SC family of controls applies to all DOE EM and contractor systems that contain or have access to DOE EM networks or data.
Roles: The ISSO and SAs share responsibility for this control.
Responsibilities: The ISSO and SAs must implement, monitor, and periodically test the controls for system protection (application partitioning, security function isolation, denial-of-service protection, mobile code, public access protection, DNS protection, protection of data at rest) and network security protection (boundary protection, transmission confidentiality, cryptographic functions, collaborative computing devices and VoIP).
Management Commitment: The organizations' management must ensure that procedures, resources, and personnel are available to implement both system and network security protection mechanisms.
Coordination: The ISSO must coordinate with all accreditation boundaries to ensure the system and network controls are in place, functioning and meeting the requirements.
Compliance: The sites must comply with appropriate DOE policy, the RMAIP, NIST FIPS 199 and 200, and the guidance in NIST SP 800-52, 800-58, 800-77, and 800-81 (as modified).
SI-1 System and Information Integrity
Purpose: This family of controls is about discovering, preventing, repairing, monitoring, and correcting vulnerabilities and threats within the sites' systems and networks.
Scope: The SI family of controls applies to all DOE EM and contractor systems and their associated accreditation boundaries.
Roles: The ISSO and SAs share responsibility for this control.
Responsibilities: The ISSO and SAs must design, implement, and monitor procedures for malicious code protection, flaw remediation, security alerting, spam protection, error handling, and input verification and validation.
Management Commitment: The site management must implement the system and information integrity protections stated in the SSP.
Coordination: The ISSO must coordinate with all SAs to ensure that all accreditation boundaries follow the necessary procedures for system and information integrity.
Compliance: All DOE EM and contractor systems must comply with appropriate DOE policy, the RMAIP, and NIST SP 800-40 (as modified).
PM-1 Program Management
FISMA requires organizations to develop and implement an organization-wide information security program to address information security for the systems and information that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source.
Purpose: The PM family of controls focuses on the organization-wide information security requirements that are independent of any particular information system and yet are essential for managing information security programs. These security controls are implemented, monitored, and tested at the division or agency level. Some portion of these controls will require the subordinate groups to provide “roll up” information. The subordinate groups must be responsible for providing the requisite information.
Scope: The organization must document program management controls in the information security program plan (or similar document). The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program plan cover the totality of security controls employed by the organization.
In addition to documenting the information security program management controls, the security program plan provides a vehicle for the organization to document, in a central repository (eGov RPM), all security control implementation, testing, authorization, and compliance. The reporting organization must be responsible for supplying and updating information in the eGov RPM system.
Roles: Organizations specify the individuals within the organization responsible for the development, implementation, assessment, authorization, and monitoring of the information security program management controls. At a minimum, these must be the senior agency information security officer, risk executive, AO (may be designated), and each divisional level CSPM.
Responsibilities: The information security program management controls and program management common controls contained in the information security program plan are implemented, assessed for effectiveness, and authorized by a senior agency or organizational official with the same or similar authority and responsibility for managing risk as the authorizing officials for information systems. This individual will have mission, monetary, and resource control. Further, this person will be responsible for setting acceptable levels of risk.
POA&Ms must be developed and maintained for the program management and common controls that are deemed through assessment to be less than effective. Information security program management and common controls are also subject to the same continuous monitoring requirements as security controls employed in individual organizational information systems.
Management Commitment: The organization's management must appoint a senior agency information security officer, provide information resources and documentation (Exhibits 300 and 53), maintain a POA&M database, establish and maintain inventory control, develop and maintain security performance metrics, establish a mission critical infrastructure plan, and provide a risk management strategy, a defined security authorization process, and a mission/business process definition.
Coordination: The organization will be responsible for the coordination of program management by distributing the necessary program management documentation, training as appropriate, and monitoring agreed upon security controls and procedures for compliance and effectiveness. The program management group must coordinate with subordinate groups to ensure they are aware of, have implemented, and are compliant with program management requirements, and provide the required “roll up” information.
Compliance: The agency and associated divisions must comply with NIST FIPS 199 and 200 as well as NIST SP 800-53 (as modified), Appendix G, Information Security Programs.
Appendix D – EM Contractor Requirements
EM contractors are required to comply with requirements set forth in DOE O 205.1B, Chg. 2, Department of Energy Cyber Security Program, Attachment 1, Contractor Requirements Document (CRD). A contractor-developed Risk Management Approach must be consistent with the requirements of this RMAIP.
Suggested Metrics for Fee Determination
Contracting Officers should work with site IT/cyber security personnel to develop metrics for fee determination consistent with DOE's fee policies and the terms of a subject contract. This table is not mandatory but could be used to help develop and include any additional metrics based on site specific requirements.
Each requirement below is rated Below Expectations, Meets Expectations, or Exceeds Expectations.

Default rates (unless otherwise noted, the following incentives or disincentives must be applied; the contracting officer has the flexibility to adjust the rates/fees on a contract by contract basis):
  Below Expectations: Reduce fee by 1-2%
  Meets Expectations: No change to fee
  Exceeds Expectations: Increase fee by 0.25%

Type I incidents
  Below Expectations: Incidents are not reported upon occurrence. Reduce fee by 10-15%.
  Meets Expectations: Incidents are reported as required. No change to fee.
  Exceeds Expectations: A reported incident is proven to prevent a similar incident at another DOE site. Increase fee by 0.5%.

Type II incidents
  Below Expectations: Incidents are not reported upon occurrence.
  Meets Expectations: Incidents are reported as required.
  Exceeds Expectations: A reported incident is proven to prevent a similar incident at another DOE site. Increase fee by 0.25%.

Protected PII
  Below Expectations: Incident is not reported upon occurrence as required. Reduce fee by 2-3%.
  Meets Expectations: Incidents are reported as required.
  Exceeds Expectations: Protected PII is detected and prevented from leaving the site. Increase fee by 0.5%.

Overdue POA&Ms
  Below Expectations: Reduce fee by 1-2%.
  Meets Expectations: No change to fee.
  Exceeds Expectations: N/A

User Awareness Training 1
  Below Expectations: Less than 90% of users trained annually.
  Meets Expectations: 100% of users trained annually.
  Exceeds Expectations: 100% of users trained semi-annually. Increase fee by 0.5% up to $50K max/year.

User Access
  Below Expectations: Users are provided access to the network before completing training.
  Meets Expectations: Users are provided access to the network after completing user training.
  Exceeds Expectations: Users are provided access to the network after completing user training. Completion of the training requires users to successfully pass a contractor-developed test. Increase fee by 0.5% up to $50K max/year.

Privileged Users Awareness Training
  Below Expectations: 100% of privileged users are trained annually. At least 25% hold a current industry recognized certification.
  Meets Expectations: 100% of privileged users are trained annually and 33% hold a current industry recognized certification.
  Exceeds Expectations: 100% of privileged users are trained annually and 66% hold a current industry recognized certification.

Maintaining eGov RPM
  Below Expectations: Documents not uploaded into the system or not updated at least bi-annually. Updates should be noted in the record of changes. Modified documents should be re-uploaded into the system.
  Meets Expectations: Documents are uploaded at least bi-annually into the system. No change in fee.
  Exceeds Expectations: none listed

Patching
  Below Expectations: Patches are older than 30 days from release/notice.
  Meets Expectations: Patches are installed between 11 and 30 days from release/notice.
  Exceeds Expectations: Patches are installed less than 10 days from release/notice.

Maintaining Baseline Configurations – OS (FDCC for Windows XP/VISTA/Win7)
  Below Expectations: Less than 85% of all systems use the standard baseline configuration without deviation.
  Meets Expectations: 85% of all systems use the standard baseline configuration without deviation.
  Exceeds Expectations: 100% of applications operate without deviation to any baseline configuration settings.

Maintaining Baseline Configurations – Apps
  Below Expectations: Less than 85% of all applications use the recommended security baseline configuration settings.
  Meets Expectations: 85% of all applications use the recommended security baseline configuration settings.
  Exceeds Expectations: 100% of all applications use the recommended security baseline configuration settings.

Maintaining a System Inventory
  Below Expectations: No inventory of major IT hardware and software exists.
  Meets Expectations: An up-to-date inventory of major IT hardware and software exists.
  Exceeds Expectations: A real-time or near real-time automated inventory of major IT hardware and software exists.

Government Provided Enterprise Solutions & Site Assessments (the contractor is to cooperate in the deployment of Government provided enterprise solutions for the purposes of protecting IT resources and all Site Assessments)
  Below Expectations: Contractor does not cooperate with the deployment. Reduce fee accordingly or take other appropriate actions.
  Meets Expectations: Full cooperation. No change in fee.
  Exceeds Expectations: none listed

Sharing of infrastructure and IT solutions (the contractor is to cooperate with other EM support contractors in the development and deployment of IT solutions in order to save energy and funding)
  Below Expectations: Contractor does not cooperate. Reduce fee by 5%.
  Meets Expectations: Full cooperation.
  Exceeds Expectations: Increase fee as determined by the contracting officer.
Definitions:
Below expectations – The rating assigned to a contractor that has failed to meet any of the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager.
Meets expectations – The rating assigned to a contractor that has met the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager.
Exceeds expectations – The rating assigned to a contractor that has exceeded the defined requirements as deemed by the Certification Agent, the Contracting Officer, or the Federal Task Manager and has not had a below expectations rating within the last two years.
Appendix E – NIST 800-27 Rev A Engineering Principles
This appendix is guidance to enable sites to comply with NIST 800-53 Rev 4, control SA-8, Engineering Principles. One check mark signifies the principle can be used to support the life-cycle phase, and two check marks signify the principle is key to successful completion of the life-cycle phase.

Worksheet question: Does your organization perform any of the following principle activities during any part of the system development life cycle listed? If yes, highlight the appropriate box for the corresponding phase yellow, otherwise leave blank.

Life-cycle phases (worksheet columns): Initiation, Devel/Acquis, Implement, Oper/Maint, Disposal.

Principles:
1. Establish a sound security policy as the “foundation” for design
2. Treat security as an integral part of the overall system design
3. Clearly delineate the physical and logical security boundaries governed by associated security policies
4. (formerly 33) Ensure that developers are trained in how to develop secure software
5. (formerly 4) Reduce risk to an acceptable level
6. (formerly 5) Assume that external systems are insecure
7. (formerly 6) Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
8. Implement tailored system security measures to meet organizational security goals
9. (formerly 26) Protect information while being processed, in transit, and in storage
10. (formerly 29) Consider custom products to achieve adequate security
11. (formerly 31) Protect against all likely classes of “attacks”
12. (formerly 18) Where possible, base security on open standards for portability and interoperability
13. (formerly 19) Use common language in developing security requirements
14. (formerly 21) Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process
15. (formerly 27) Strive for operational ease of use
16. (formerly 7) Implement layered security (ensure no single point of vulnerability)
17. (formerly 10) Design and operate an IT system to limit damage and to be resilient in response
18. (formerly 13) Provide assurance that the system is, and continues to be, resilient in the face of expected threats
19. (formerly 14) Limit or contain vulnerabilities
20. (formerly 16) Isolate public access systems from mission critical resources (e.g., data, processes, etc.)
21. (formerly 17) Use boundary mechanisms to separate computing systems and network infrastructures
22. (formerly 20) Design and implement audit mechanisms to detect unauthorized use and to support incident investigations
23. (formerly 28) Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability
24. (formerly 9) Strive for simplicity
25. (formerly 11) Minimize the system elements to be trusted
26. (formerly 24) Implement least privilege
27. (formerly 25) Do not implement unnecessary security mechanisms
28. (formerly 30) Ensure proper security in the shutdown or disposal of a system
29. (formerly 32) Identify and prevent common errors and vulnerabilities
30. (formerly 12) Implement security through a combination of measures distributed physically and logically
31. (formerly 15) Formulate security measures to address multiple overlapping information domains
32. (formerly 22) Authenticate users and processes to ensure appropriate access control decisions both within and across domains
33. (formerly 23) Use unique identities to ensure accountability
Appendix F – Sanitization and Disposal of Media and Mobile Devices
Sanitization
Unclassified Removable Media
Removable media requires sanitization prior to removal from an EM site and the government relinquishing title to the media when the media will be used again in other environments (e.g., donations to schools or other charitable organizations, returning equipment to vendors after a trial).
If the media contained classified information then the media must be destroyed in accordance with this RMAIP and applicable law and/or DOE policy, directive or guidance. The Committee on National Security Systems Policy No. 26 (CNSSP No. 26) requires that removable media be marked or labeled with the highest security classification of any system into which the media has been inserted. Because data on electronic media can be hidden or obscured, it is not permissible to transfer files from an NSS thought to be unclassified to removable media and then declassify the media based on the viewable contents of the files transferred. All media that has been inserted in the NSS for any reason must be marked and handled at the same classification as the NSS.
Approved methods of sanitization:
- Degaussing magnetic media
- Running a wipe program such as BCWipe at least three times
Approved methods of destruction:
- Shredding
- Grinding the surface
- Degaussing magnetic media and then breaking the media into small pieces
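As an added example, not part of the RMAIP and not the behaviour of any named wipe product, the following Python shows what "run a wipe program at least three times" amounts to for a single file: three passes of random data, a final zero pass, an fsync after each pass so the writes reach the device, and a read-back verification. The file name and sample content are constructed for the example. The caveat a practitioner should carry into any site procedure: an overwrite issued through the filesystem only reaches the blocks the file currently occupies, so on journaling or copy-on-write filesystems and on flash media with wear-levelling it is not device-level sanitization; the degaussing and destruction options above remain the fallback for such media.

```python
"""Multi-pass file overwrite with read-back verification (illustrative).

Added example for the sanitization guidance; it is not code from the RMAIP
or from any wipe product. It operates at file level: blocks previously
used by the file (journal copies, copy-on-write snapshots, remapped flash
blocks) are out of reach, so it does not replace device-level sanitization.
"""
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB write/read granularity


def _overwrite_pass(fd: int, size: int, pattern_source) -> None:
    """One full pass: write `size` bytes from pattern_source(n) starting at
    offset 0, then force them to the device with fsync."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        chunk = pattern_source(min(remaining, CHUNK))
        written = os.write(fd, chunk)   # may be a short write; loop continues
        remaining -= written
    os.fsync(fd)


def _read_all(fd: int, size: int) -> bytes:
    """Read the whole file back from offset 0 (os.read may return short)."""
    os.lseek(fd, 0, os.SEEK_SET)
    parts, got = [], 0
    while got < size:
        block = os.read(fd, min(size - got, CHUNK))
        if not block:
            break
        parts.append(block)
        got += len(block)
    return b"".join(parts)


def sanitize_file(path: str, random_passes: int = 3) -> int:
    """Overwrite `path` in place with `random_passes` passes of random data
    followed by one pass of zeros, then verify the read-back is all zeros.
    Returns the number of bytes overwritten per pass; raises RuntimeError if
    verification fails. The zero-filled file is left in place for the caller
    to unlink or to hand on with the device for destruction."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(random_passes):
            _overwrite_pass(fd, size, os.urandom)
        _overwrite_pass(fd, size, lambda n: b"\x00" * n)
        if _read_all(fd, size) != b"\x00" * size:
            raise RuntimeError(
                "sanitization verification failed: non-zero bytes remain in %s"
                % path)
    finally:
        os.close(fd)
    return size


def demo() -> dict:
    """Constructed end-to-end check: write recognisable sample content to a
    temporary file, sanitize it, and report what a read-back shows."""
    marker = b"SENSITIVE-EXAMPLE-DATA " * 4096  # constructed sample content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker)
        path = tmp.name
    try:
        size = sanitize_file(path)
        with open(path, "rb") as f:
            after = f.read()
        return {
            "bytes_per_pass": size,
            "marker_present": b"SENSITIVE" in after,
            "all_zero": after == b"\x00" * len(marker),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The verification step is the part most site wipe procedures omit: a pass that fails silently (short write, unmounted volume, read-only media) looks identical to a successful one unless the result is read back and compared.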
Mobile Devices
Mobile devices that do not contain magnetic storage (e.g., BlackBerries, cell phones) may be wiped with a site-approved product designed for this purpose and then be excessed or donated by the site. Testing of electronic storage has proven that wiping is an effective means to ensure data can't be obtained from the device once the process has been performed.
Laptops, if utilizing an approved full disk encryption solution, may also be wiped and excessed or donated by the site. If the laptop has been known to have had classified information then the disk must be destroyed prior to the laptop being excessed or donated.
Classified Media
Clear all storage media that will be reused on a different system for the same or more restrictive Information Group or by a potential user that has a different Need-to-Know.
Use only overwriting software and hardware that are compatible with the media to be overwritten.
Protect cleared storage media that has been used in classified processing commensurate with the highest Information Group (i.e., classification level and category of information) it has ever contained. The media must be handled in accordance with applicable DOE Classified Matter Protection and Control processes.
Purge classified storage media that will be reused in a less restrictive Information Group.
Destroy classified storage media that cannot be purged.
Identify the reuse of classified storage media in the SSP of the system where the media is used and track/control the media until it is purged or destroyed.
Individuals performing purging of classified storage media planned for reuse must certify that the process has been successfully completed by affixing a label to the storage media. At a minimum, the label must document:
a. Storage media serial number, make and model
b. Most restrictive Information Group hosted prior to purging
c. Purpose of purging
d. A statement that the storage media contains no classified information
e. The procedure used
f. The date, printed name and signature of the certifier
Destruction
All media used in the classified program or that has been known to contain sensitive information in significant quantity must be destroyed before leaving an EM site when at its end of life. The preferred method is to wipe and then destroy, if possible.
Approved methods of destruction:
- Degaussing of drives
- Sanding the surfaces
- Shredding
- Grinding into fine particulate
- Burning
Acronym List
AA: Application Administrator
AO: Authorizing Official
AODR: Authorizing Official Designated Representative
ATO: Authority to Operate
BIA: Business Impact Assessment
C&A: Certification and Accreditation
CA: Certification Agent
CAO: Continuous Authorization to Operate
CCB: Change Control Board
CI: Counter-Intelligence
CIA: Confidentiality (C), Integrity (I), and Availability (A)
CIO: Chief Information Officer
CM: Continuous Monitoring
CNSS: Committee on National Security Systems
CNSSP No. 26: The Committee on National Security Systems Policy No. 26
CO: Contracting Officer
CPU: Central Processing Unit
CSIRTs: Computer Security Incident Response Team(s)
CY: Calendar Year
DBA: Database Administrator
DHS: Department of Homeland Security
DNS: Domain Name System
DNSSEC: Domain Name System Security Extensions
DOE: Department of Energy
eGov RPM: eGov Risk Portfolio Manager™
EM: Office of Environmental Management
EMCSPM: EM Cyber Security Program Manager
FedRAMP: Federal Risk and Authorization Management Program
FIPS: Federal Information Processing Standards
FISMA: Federal Information Security Management Act
FRD: Formerly Restricted Data
FY: Fiscal Year
HQ: Headquarters
HQSS: Headquarters Security System
HSPD: Homeland Security Presidential Directive
ICS: Industrial Control Systems
IEEE: Institute of Electrical and Electronics Engineers
IMC: Information Management Conference
IP: Implementation Plan
IPv6: Internet Protocol Version 6
ISM: Industrial, Scientific, and Medical
ISP: Internet Service Provider
ISSM: Information System Security Manager
ISSO: Information System Security Officer
IT: Information Technology
JC3: DOE Joint Cybersecurity Center
LMH: Low (L), Moderate (M), and High (H)
MIPP: Mission Information Protection Program
MTD: Maximum Tolerable Downtime
NDA: Network Device Administrator
NIST: National Institute of Standards and Technology
NSS: National Security Systems
OMB: Office of Management and Budget
PII: Personally Identifiable Information
PIV: Personal Identity Verification
PM: Program Management
POA&M: Plan of Action and Milestones
PSO: Project Security Officer
PSP: Program Security Plan
RA: Risk Assessment
RD: Restricted Data
RE: Risk Executive
RMA: Risk Management Approach
RMAIP: Risk Management Approach Implementation Plan
RPO: Recovery Point Objective
RTO: Recovery Time Objective
SAR: Security Assessment Report
SDM: Senior DOE Management
SP: Special Publications
ST&E: Security Test and Evaluation
SSP: System Security Plan
CUI: Controlled Unclassified Information
TFNI: Transclassified Foreign Nuclear Information
UCNI: Unclassified Controlled Nuclear Information
US-CERT: United States Computer Emergency Readiness Team
VPN: Virtual Private Networking
WAN: Wide Area Networking
WIDS: Wireless Intrusion Detection System